Security Basics mailing list archives

RE: Defualt ip address out


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 14 Aug 2003 10:19:04 -0700

  (As you can see, I had some trouble reading your message
beyond the first line or two...)

  I recently had to dig into a case where the default route 
on a router was changing "by itself".

  The problem wasn't really with that router, but with one of
its neighbors (a Cisco box), and an interaction between a couple 
of configuration options and some traffic we were receiving.

  The first problem was with this config:

 no ip redirects

which was missing from our interface configurations.  Without
this, if the router received any traffic that it routed back out 
the same interface, it would send an "ICMP redirect" message to
the neighbour.  The neighbour, seeing that a packet it forwarded
elicited a redirect, updated the route table entry it had used,
which in this case was the default.

  The second problem was

ip classless

  Looks harmless enough, but it means that any traffic to 
parts of our overall block for which we don't have a route
will get forwarded to the default.  (If we'd had "no ip
classless", packets to our block without a route would be
dropped.)
  (Note that the default gateway would see that the destination
was within our address block, and hand it right back, back and 
forth until the packet's TTL expired.  The changing default route
was not really the only bad side effect!)
  This is what was causing some "inbound" packets to get 
redirected to the outbound default gateway.  The fix for
this was to add a static summary route black-holing anything
not handled by a more explicit route.

  This all had appeared to work fine, until anything scanned
our entire address space.  Sooner or later, one of the scan
packets would be trying for an unpopulated subnet, and that
would trigger the redirect.

David Gillett

-----Original Message-----
From: Kenneth Hauklien [mailto:boomy () boomdrak no]
Sent: August 14, 2003 02:55
To: security-basics () securityfocus com
Subject: Defualt ip address out




Hi.

On my machine lately the outgoing default ip has changed from 2 to 3.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use  Iface
localnet        *               255.255.255.0   U     0      0        0  eth0
default         mikke-gw.kvalit 0.0.0.0         UG    0      0        0  eth0

root@login:~/hpbnc# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:04:20:E7:57
          inet addr:213.151.136.2  Bcast:213.151.136.255   Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144735586 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156653019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1134180310 (1.0 GiB)  TX bytes:1890855543 (1.7 GiB)
          Interrupt:16 Base address:0xbc00

root@login:~/hpbnc# ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 00:50:04:20:E7:57
          inet addr:213.151.136.3  Bcast:213.151.136.255   Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xbc00

root@login:~/hpbnc# lynx http://echo.boomdrak.no

(access.log from the server)

213.151.136.3 - - [14/Aug/2003:11:58:14 +0200] "GET / HTTP/1.0" 200 4110 "- " "Lynx/2.8.4rel.1 libwww-FM/2.14"

And I get the same errors when I for example ssh out on another
machine, same with irc and the rest.

Does anyone know why this is? and how to change it?

Best regards
Kenneth Hauklien
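
Added example (not part of either message in this thread): a small Python audit for the two router conditions the reply describes, an addressed interface without "no ip redirects" and "ip classless" with no Null0 summary route covering the site's block. The sample config, the interface names, the `audit` helper and the 192.0.2.0/24 block are constructed for illustration.

```python
import ipaddress

# Constructed sample config (not from the thread). Addresses are documentation
# ranges; ORG_BLOCK is an assumed site allocation.
ORG_BLOCK = ipaddress.ip_network("192.0.2.0/24")
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.192
 no ip redirects
!
interface FastEthernet0/1
 ip address 192.0.2.65 255.255.255.192
!
interface FastEthernet0/2
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.0.2.2
"""

def audit(config, org_block):
    """Return a list of findings for the two conditions described in the reply."""
    findings, iface, has_ip, no_redirects = [], None, False, False
    classless, blackholed = False, False

    def close_interface():
        # Only interfaces that carry an IP address can emit ICMP redirects.
        if iface and has_ip and not no_redirects:
            findings.append(f"{iface}: missing 'no ip redirects'")

    for raw in config.splitlines() + ["!"]:
        line, words = raw.strip(), raw.split()
        if not raw.startswith(" "):  # unindented line ends interface sub-mode
            close_interface()
            iface, has_ip, no_redirects = None, False, False
        if line.startswith("interface "):
            iface = words[1]
        elif iface and line.startswith("ip address "):
            has_ip = True
        elif iface and line == "no ip redirects":
            no_redirects = True
        elif line == "ip classless":
            classless = True
        elif line.startswith("ip route ") and len(words) >= 5 and words[4].lower() == "null0":
            route = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            blackholed = blackholed or org_block.subnet_of(route)
    if classless and not blackholed:
        findings.append(f"ip classless without a Null0 summary route covering {org_block}")
    return findings
```

The check only recognises an explicit "ip classless" line, as quoted in the reply; a Null0 route narrower than the whole block does not satisfy it.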