Vulnerability Development mailing list archives
Re: Load Balancing
From: ollie-infosec () HUSHMAIL COM
Date: Wed, 27 Sep 2000 16:01:11 +0000
Hi,

Reminding me of LocalDirectors, you may want to try this attack vector; I don't have access to a Catalyst 6000 so can't give it a try. Catalyst 6000s with a PFC card and a Cisco LocalDirector support something called ASLB (Advanced Server Load Balancing). Basically, to give a quick summary of ASLB I have taken the below from Cisco's site.

The attack vector is being able to create MLS entries to enable your own forwarding to the servers on any destination port you like (i.e. bypassing the LocalDirector's restrictions). I have to state THIS IS A THEORETICAL ATTACK VECTOR; THERE ARE NO KNOWN ISSUES WITH THIS.

Also the usual packet fragmentation attacks may/may not work against a LocalDirector directly; you will see below this does not work with ASLB and MLS.

I have also included at the end of the mail some interesting links to Cisco related material for you to read.

Anyway have fun..

Rgds
Ollie

p.s. CC'd the Vuln-Dev guys in, just thought they may wanna think about this...

ASLB Packet Flow

When an inbound connection synchronization (TCP SYN) packet arrives with a destination MAC address of LocalDirector virtual server in the Layer 3 header, the switch forwards the packet to LocalDirector at port PA. LocalDirector makes the load balance decision, changes the destination MAC address to that of the real server, and forwards the packet to the switch at port PB. The switch creates an inbound ASLB Multilayer Switching (MLS) entry in the Layer 3 forwarding tables as it forwards the packet to the real server. All subsequent packets that match the inbound ASLB MLS entry are Layer 3-switched (accelerated) to the real server, unless the packet is fragmented or contains a connection finish (TCP FIN) or connection reset (TCP RST).

When the outbound SYN packet from the real server arrives, the switch forwards the packet to LocalDirector at port PB. The LocalDirector changes the source MAC address to that of the LocalDirector virtual server and forwards the packet to the switch at port PA. The switch creates an outbound ASLB MLS entry in the Layer 3 forwarding table as it forwards the packet to the router. All subsequent packets that match the outbound ASLB MLS entry are switched directly to the router, unless the packet is fragmented or contains a FIN or RST.

Packets containing a FIN or RST travel the same path as a SYN packet. The switch purges the inbound ASLB MLS entry when it forwards the FIN or RST packet to LocalDirector. The switch purges the outbound ASLB MLS entry as it forwards the FIN or RST packet to LocalDirector.

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/6kpfc_ds.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld32rns/ldrnv32/ldrnv321.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld32rns/ldicgd/ld3_ch3.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld32rns/ldicgd/ld3_ch4.htm
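
The inbound half of the packet flow quoted above, as a small Python model added here (not part of the original post and not Cisco's implementation), showing which packets the LocalDirector actually sees once an MLS entry exists. The flow key fields, the served-port policy, the drop behaviour and the server name are assumptions for illustration; the sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str                 # client IP (constructed sample values below)
    sport: int
    dport: int               # destination port on the virtual server
    flags: frozenset = frozenset()
    fragmented: bool = False

class AslbModel:
    """Inbound ASLB path (switch + LocalDirector), per the quoted description."""

    def __init__(self, served_ports):
        self.served_ports = set(served_ports)  # assumed LocalDirector policy
        self.mls = {}                          # flow key -> real server

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dport)  # assumed MLS flow key
        closing = bool(pkt.flags & {"FIN", "RST"})
        # Accelerated path: entry matches, not fragmented, no FIN/RST.
        if key in self.mls and not pkt.fragmented and not closing:
            return "switched"
        # Everything else is forwarded to the LocalDirector first.
        if pkt.dport not in self.served_ports:
            return "dropped-by-localdirector"  # assumed policy outcome
        if closing:
            self.mls.pop(key, None)            # switch purges the entry
        elif "SYN" in pkt.flags:
            self.mls[key] = "real-server-1"    # entry created as the SYN is forwarded
        return "via-localdirector"

def trace(packets, served_ports=(80,)):
    """Run packets through a fresh model and return the path each one took."""
    model = AslbModel(served_ports)
    return [model.inbound(p) for p in packets]

S, A, F = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN", "ACK"})
SAMPLE = [  # constructed packets, not captured traffic
    Packet("192.0.2.10", 40000, 80, S),                   # opens the flow
    Packet("192.0.2.10", 40000, 80, A),                   # matches the entry
    Packet("192.0.2.10", 40000, 80, A, fragmented=True),  # fragment: not accelerated
    Packet("192.0.2.10", 40000, 80, F),                   # purges the entry
    Packet("192.0.2.10", 40000, 80, A),                   # no entry any more
    Packet("192.0.2.10", 40001, 23, S),                   # port not served
]

if __name__ == "__main__":
    for pkt, path in zip(SAMPLE, trace(SAMPLE)):
        print(pkt.dport, sorted(pkt.flags), pkt.fragmented, "->", path)
```

In this model only the second packet skips the LocalDirector, so any restriction it enforces holds only as long as MLS entries are created solely from flows it has approved.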