
Theoretically, ICMP redirect messages (IPv4 and IPv6) and source routing (IPv4) / routing headers (IPv6) are very dangerous. However, I'm curious as to whether attacks using these features really work in the wild. The issues have been known for a long time, and routing headers have officially been deprecated (RFC 5095).

So my question is, are these attack vectors still something one should worry about? Should checks for these features still be a part of standard hardening routines on routers?

chris

2 Answers


... are these attack vectors still something one should worry about?

No, not really.

I would venture to guess that few, if any, commercial firewalls accept LSRR/SSRR packets. It might even be the case that backbone routers drop these packets. Assuming your target is using some sort of home-brew of iptables/pf, it seems likely that rules to block these packets would be necessary.

Should checks for these features still be a part of standard hardening routines on routers?

I don't see why not. It's a simple rule set to add, and I doubt that a few more rules would have any impact on performance.

Christoffer

ICMP redirects

ICMP redirect messages are limited to the subnet you are on; they are not forwarded. I do not see how they create such a terrible risk.

Inside an IP subnet, there is often an implicit trust: any computer could reply to an ARP request for any other IP address with its own physical address in order to receive traffic sent to another computer in the same IP subnet. This is a fundamental property of local links using the ARP protocol.

Remark: IP subnets, even on Ethernet, do not necessarily depend on the ARP protocol: another option is to make IP-to-physical bindings static. This is rarely done on Ethernet links because of the management burden.

Source routing

By making an IP packet take an absurd route using source routing, one could waste routing bandwidth. For this to work, the routers whose IP addresses are mentioned in the source route (or "routing header") would need to be configured to accept source-route forwarding (this is not the default configuration).

Router configuration

I think the default configuration of any half-decent OS will be sane. But it doesn't hurt to check.

IPv6 might have more bugs, only because:

  • IPv6 code is newer, IPv4 code has been stress-tested for a long time;

  • there are fewer routers configured with IPv6, fewer different set-ups, less exploration of every strange corner case...

curiousguy
  • Can't source routing be used for much more than just bandwidth spilling? For instance, routing packets so that they arrive at a router on a different interface, one that has no ACL? Circumventing firewalls? – chris Sep 26 '11 at 07:59
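The "doesn't hurt to check" step both answers recommend, as an added example that is not code from the thread: it parses `sysctl -a` style output from a Linux host and reports every ICMP-redirect or source-routing knob that is not switched off, treating a missing key as a finding too. The key names are the real Linux sysctl names; `SAMPLE` is a constructed output used in place of a live host.

```python
"""Audit Linux sysctl knobs for ICMP redirects and source routing.
Added example, not code from the thread; keys are real Linux sysctl names,
SAMPLE is constructed to look like `sysctl -a` output."""
import re

# 0 = off. Set both the "all" and "default" views, or interfaces created
# later (VLANs, tunnels, containers) come up with the kernel defaults.
EXPECTED = {}
for fam, knobs in (
    # IPv4: ignore redirects (even from the current gateway), never send
    # them, and refuse to forward LSRR/SSRR packets.
    ("ipv4", ("accept_redirects", "secure_redirects", "send_redirects",
              "accept_source_route")),
    # IPv6: ignore redirects and refuse routing headers (RH0, RFC 5095).
    ("ipv6", ("accept_redirects", "accept_source_route")),
):
    for view in ("all", "default"):
        for knob in knobs:
            EXPECTED[f"net.{fam}.conf.{view}.{knob}"] = "0"

LINE_RE = re.compile(r"^\s*([\w./-]+)\s*=\s*(\S+)")

def parse_sysctl(text):
    """Turn 'key = value' lines (the `sysctl -a` format) into a dict."""
    pairs = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def audit(settings):
    """Return {key: (actual, expected)} for every knob missing or not 0.
    A missing key is a finding too: the check must fail closed."""
    return {k: (settings.get(k), v) for k, v in EXPECTED.items()
            if settings.get(k) != v}

# Constructed sample: IPv4 redirects still honoured on "all", the IPv6
# source-route knobs not reported at all, everything else hardened.
SAMPLE = "\n".join(
    [f"net.ipv4.conf.{v}.{k} = 0" for v in ("all", "default")
     for k in ("send_redirects", "accept_source_route")]
    + ["net.ipv4.conf.all.accept_redirects = 1",
       "net.ipv4.conf.all.secure_redirects = 1",
       "net.ipv4.conf.default.accept_redirects = 0",
       "net.ipv4.conf.default.secure_redirects = 0",
       "net.ipv6.conf.all.accept_redirects = 0",
       "net.ipv6.conf.default.accept_redirects = 0"])

if __name__ == "__main__":
    # Live host: audit(parse_sysctl(subprocess.check_output(["sysctl", "-a"], text=True)))
    for key, (have, want) in sorted(audit(parse_sysctl(SAMPLE)).items()):
        print(f"{key}: {have!r} (want {want})")
```

An empty result means every knob is present and off; anything else lists the key, what the kernel reported (`None` when the key was absent) and the hardened value.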