Vulnerability Development mailing list archives

Re: Load Balancing


From: ollie-infosec () HUSHMAIL COM
Date: Wed, 27 Sep 2000 16:01:11 +0000

Hi,

Reminding me of LocalDirectors, you may want to try this attack vector,
I don't have access to a Catalyst 6000 so can't give it a try.

Catalyst 6000s with a PFC card and a Cisco LocalDirector support something
called ASLB (Advanced Server Load Balancing). Basically to give a quick
summary of ASLB I have taken the below from Cisco's site. The attack vector
is being able to create MLS entries to enable your own forwarding to the
servers on any destination port you like (i.e. bypassing the LocalDirector's
restrictions). I have to state THIS IS A THEORETICAL ATTACK VECTOR, THERE
ARE NO KNOWN ISSUES WITH THIS.

Also the usual packet fragmentation attacks may/may not work against a
LocalDirector directly, you will see below this does not work with ASLB
and MLS.

I have also included at the end of the mail some interesting links to Cisco
related material for you to read.

Anyway have fun..

Rgds

Ollie

P.S. CC'd the Vuln-Dev guys in, just thought they may wanna think about this...

ASLB Packet Flow
When an inbound connection synchronization (TCP SYN) packet arrives with
a destination MAC address of LocalDirector virtual server in the Layer 3
header, the switch forwards the packet to LocalDirector at port PA. LocalDirector
makes the load balance decision, changes the destination MAC address to
that of the real server, and forwards the packet to the switch at port PB.
The switch creates an inbound ASLB Multilayer Switching (MLS) entry in the
Layer 3 forwarding tables as it forwards the packet to the real server.
All subsequent packets that match the inbound ASLB MLS entry are Layer 3-switched
(accelerated) to the real server, unless the packet is fragmented
or contains a connection finish (TCP FIN) or connection reset (TCP RST).

When the outbound SYN packet from the real server arrives, the switch forwards
the packet to LocalDirector at port PB. LocalDirector changes the source
MAC address to that of the LocalDirector virtual server and forwards the
packet to the switch at port PA. The switch creates an outbound ASLB MLS
entry in the Layer 3 forwarding table as it forwards the packet to the router.
All subsequent packets that match the outbound ASLB MLS entry are switched
directly to the router, unless the packet is fragmented or contains a FIN
or RST.

Packets containing a FIN or RST travel the same path as a SYN packet. The
switch purges the inbound ASLB MLS entry when it forwards the FIN or RST
packet to LocalDirector. The switch purges the outbound ASLB MLS entry as
it forwards the FIN or RST packet to LocalDirector.


http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/6kpfc_ds.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld32rns/ldrnv32/ldrnv321.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld32rns/ldicgd/ld3_ch3.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld32rns/ldicgd/ld3_ch4.htm
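
The ASLB packet flow quoted above, as an added example that is not part of the original post and is not Cisco code: a toy model of the switch's MLS shortcut table that reports, packet by packet, whether LocalDirector sees the packet or the switch forwards it directly. The `(src, dst)` flow key, the per-direction purge, the slow-path handling of a non-SYN packet with no entry, and the sample addresses are assumptions made for the illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags fragmented")

def pkt(src, dst, flags, fragmented=False):
    return Packet(src, dst, frozenset(flags.split("+")), fragmented)

class AslbSwitch:
    """Toy model of the switch-side ASLB MLS shortcut table."""

    def __init__(self):
        self.mls = set()  # one (src, dst) key per direction; key shape is an assumption

    def forward(self, p):
        key = (p.src, p.dst)
        if p.flags & {"FIN", "RST"}:
            self.mls.discard(key)      # entry purged as the packet goes to LocalDirector
            return "localdirector"
        if p.fragmented:
            return "localdirector"     # fragments are never accelerated
        if key in self.mls:
            return "l3-switched"       # shortcut: LocalDirector does not see this packet
        if "SYN" in p.flags:
            self.mls.add(key)          # entry created once LocalDirector returns the SYN
        return "localdirector"         # non-SYN without an entry: assumed slow path

def trace(packets):
    """Return the path each packet takes and the entries left in the table."""
    sw = AslbSwitch()
    return [sw.forward(p) for p in packets], sw.mls

# Constructed sample connection (documentation addresses, not from the post).
C, V = "198.51.100.7:40000", "192.0.2.10:80"
SAMPLE = [
    pkt(C, V, "SYN"),                  # inbound SYN
    pkt(V, C, "SYN+ACK"),              # outbound SYN from the real server
    pkt(C, V, "ACK"),
    pkt(C, V, "PSH+ACK"),
    pkt(C, V, "ACK", fragmented=True),
    pkt(V, C, "ACK"),
    pkt(C, V, "FIN+ACK"),              # purges the inbound entry
    pkt(C, V, "ACK"),                  # no entry left
]

if __name__ == "__main__":
    paths, left = trace(SAMPLE)
    for p, path in zip(SAMPLE, paths):
        print(f"{p.src} -> {p.dst} {'+'.join(sorted(p.flags)):8} {path}")
    print("entries left:", left)
```

In this model LocalDirector sees five of the eight packets: the two SYNs, the fragment, the FIN, and the packet that arrives after the purge.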
