Bugtraq mailing list archives

rp_filter? (was Re: DDOS Attack Mitigation)


From: julien () CSOFT NET (Julien Nadeau)
Date: Fri, 18 Feb 2000 17:12:13 -0400


Bennett Todd wrote:

> 2000-02-14-13:44:09 Julien Nadeau:
> > A solution would be for kernels to provide an option to keep a
> > local IP lookup table which could be simply based on network
> > interfaces; of course, given a stable implementation, this option
> > enabled by default would take care of spoofing problems for admins
> > who don't think much about what they're sending out -- I mean,
> > they're a big part of the problem.
>
> Linux already has such an option; just go
>
>         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>                 echo 1 > $f
>         done
>
> and the routing logic will drop packets with forged source addrs.
> It's not on by default. Yet.

I must be missing something, but isn't rp_filter ineffective?
I have it turned on on all my local machines, including the router;
I was able to forge packets with any source/destination address
and it routes like a charm.

Host A runs 2.2.14 with rp_filter enabled on all interfaces; it uses
a very restrictive firewall, on which I turned off ingress filtering as
a test.

Host B uses a somewhat tricky firewall; UDP is only allowed on port 53 to
particular hosts. Host B is also behind a Cisco and traffic goes through 3
firewalls: the upstream ISP's one, our OpenBSD router and host B's Linux
2.2.14 firewall. As a test I forged a UDP packet (source: 66.66.66.66:53,
dest: (`host B'):53); host B's sniffer logged the packet well.

I've browsed through the 2.2.14 sources for rp_filter;
net/ipv4/fib_frontend.c's fib_validate_source() takes care of rp_filter:

(from linux/inetdevice.h)
#define IN_DEV_RPFILTER(in_dev) (ipv4_devconf.rp_filter \
                                 && (in_dev)->cnf.rp_filter)
(fib_frontend.c)
if (IN_DEV_RPFILTER(in_dev)) return -EINVAL;

Feels like I'm missing something, but aren't ipv4_devconf.rp_filter and
(in_dev)->cnf.rp_filter both 1 if rp_filter is enabled on the concerned
interface and `globally'? What does this have to do with source address
checking? I've also checked with other admins and they confirmed rp_filter
wasn't doing anything.

--
Julien Nadeau @csoft.net
CubeSoft Communications
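What rp_filter actually tests, as an added example that is not part of the original post and not code from the Linux kernel. Strict reverse-path filtering (rp_filter=1) looks up the route back to a packet's source address and drops the packet only if that route would leave through a different interface than the one the packet arrived on. The model below uses a constructed routing table for a host with a LAN behind eth1 and a single default route out of eth0; the interface names, prefixes and addresses are assumptions for illustration. With such a table a forged source like 66.66.66.66 arriving on the default-route interface passes the check, which is the case the test in the post exercises; a packet that claims a LAN source but arrives from upstream, or claims an Internet source but arrives on the LAN side, is what the filter rejects.

```python
"""Model of the strict reverse-path check performed by rp_filter=1.

Added example, not code from the original post or from the kernel.
The routing table, interface names and addresses are constructed
for illustration only.
"""
import ipaddress

# Constructed routing table: a default route towards the upstream on
# eth0 and two internal prefixes reachable through eth1.
ROUTES = [
    ("0.0.0.0/0",      "eth0"),   # default route to the ISP
    ("192.168.1.0/24", "eth1"),   # local LAN
    ("10.0.0.0/8",     "eth1"),   # internal networks behind eth1
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: return the output interface for addr,
    or None when no route covers it."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def strict_rpf_accepts(src, iif, routes=ROUTES):
    """Strict reverse-path filtering: accept the packet only if the route
    back to its source address goes out through the interface it arrived
    on. A source with no route at all is rejected."""
    return route_lookup(src, routes) == iif


def evaluate(cases, routes=ROUTES):
    """Run the check over (src, iif) pairs and return a list of
    (src, iif, accepted) tuples."""
    return [(src, iif, strict_rpf_accepts(src, iif, routes))
            for src, iif in cases]


# Constructed test packets: source address and the interface they arrived on.
CASES = [
    ("66.66.66.66", "eth0"),   # forged Internet source, arrives from upstream
    ("192.168.1.5", "eth0"),   # claims LAN source, arrives from upstream
    ("66.66.66.66", "eth1"),   # claims Internet source, arrives from the LAN
    ("10.3.4.5",    "eth1"),   # legitimate internal host on eth1
]

if __name__ == "__main__":
    for src, iif, ok in evaluate(CASES):
        print(f"{src:>14} on {iif}: {'accept' if ok else 'drop'}")
```

The first case is accepted because the only route back to 66.66.66.66 is the default route via eth0, so from the host's point of view the source is consistent with the ingress interface. Strict reverse-path filtering therefore protects against packets whose source address belongs to a prefix routed elsewhere (the second and third cases), not against arbitrary addresses arriving over the interface that carries the default route; blocking those requires explicit ingress filtering on the interface closest to the origin.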
