Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: Kyle Sparger <ksparger () DIALTONEINTERNET NET>
Date: Tue, 6 Mar 2001 08:58:55 -0500
Mad Duck wrote:

> 2.2 is vulnerable, but 2.4 is not. As far as I can tell, 2.4 systems don't even have a localhost routing entry anymore.

Actually I can confirm that Linux 2.4 does suffer from it, at least in the hardwired MAC address case I mentioned. Just took the time to test it.

Andrew Bartlett wrote:

> I'm trying to assess how this affects me. Is Linux 2.2 vulnerable when rp_filter is enabled (sys.net.ipv4.all.rp_filter)? If so then the above statement is correct, as rp_filter is enabled by default on RedHat installs.

I'm reading the documentation on rp_filter (Documentation/Configure.help). In sum, it appears to implement the command 'ip verify unicast reverse-path' that you would find on Cisco routers :) Or am I misunderstanding? Assuming I'm reading it correctly, then this will not protect you. The feature only matches against the source, which is not the issue here.

RoMaN SoFt / LLFB !! wrote:

> I've not tested it but perhaps this is a valid workaround for Linux.

I don't think so. Just follow the maintainer's advice, and filter your interfaces:

    # ifconfig eth0 10.0.5.10
    # ipchains -A input -i eth0 -d 10.0.5.10 -j ACCEPT
    # ipchains -A input -i eth0 -j DENY

Or something like that, anyway. Easy enough, right? :)

Thanks,

Kyle Sparger - Senior System Administrator
ksparger () dialtoneinternet net - http://www.dialtoneinternet.net
Voice - (954) 581-0097 x 122
"Forget college, I'm going pro."
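The three behaviours discussed in this message, modelled as an added example (constructed here, not code from the thread or from any kernel): a weak-host stack that accepts a packet for any local address on any interface, an rp_filter-style check that only looks at the source, and the per-interface destination filter the ipchains rules above express. The host addresses, interface names and routing table are made up; rp_filter is modelled in its strict reverse-path form.

```python
"""Model of inbound-packet acceptance on a multi-homed host.

Constructed example. It shows why a source-only reverse-path check does
not stop a packet addressed to another interface (or to loopback) that
arrives on eth0, while a per-interface destination filter does.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed host: one LAN interface plus loopback.
LOCAL_ADDRS = {"eth0": "10.0.5.10", "lo": "127.0.0.1"}
# Constructed routing table: prefix -> interface used to reach it.
ROUTES = {"10.0.5.0/24": "eth0", "127.0.0.0/8": "lo", "0.0.0.0/0": "eth0"}


@dataclass
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def route_iface(addr: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def weak_host_accepts(pkt: Packet) -> bool:
    # The flaw under discussion: any local address is accepted on any interface.
    return pkt.dst in LOCAL_ADDRS.values()


def rp_filter_accepts(pkt: Packet) -> bool:
    # Reverse-path check: the route back to the *source* must leave via the
    # ingress interface. The destination is never examined.
    return weak_host_accepts(pkt) and route_iface(pkt.src) == pkt.iface


def iface_filter_accepts(pkt: Packet) -> bool:
    # The ipchains rules from the message: on eth0 accept only eth0's own
    # address and DENY everything else; loopback is left unconstrained.
    if pkt.iface == "lo":
        return weak_host_accepts(pkt)
    return pkt.dst == LOCAL_ADDRS.get(pkt.iface)
```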