Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: Kyle Sparger <ksparger () DIALTONEINTERNET NET>
Date: Tue, 6 Mar 2001 08:58:55 -0500

Mad Duck wrote:
2.2 is vulnerable, but 2.4 is not. as far as i can tell, 2.4 systems
don't even have a localhost routing entry anymore.

Actually I can confirm that Linux 2.4 does suffer from it, at least in the
hardwired MAC address case I mentioned.  Just took the time to test it.

Andrew Bartlett wrote:
I'm trying to assess how this affects me.  Is Linux 2.2 vulnerable when
rp_filter is enabled (sys.net.ipv4.all.rp_filter)?  If so then the above
statement is correct, as rp_filter is enabled by default on RedHat
installs.

I'm reading the documentation on rp_filter (Documentation/Configure.help).

In sum, it appears to implement the command 'ip verify unicast
reverse-path' that you would find on Cisco routers :)  Or am I
misunderstanding?

Assuming I'm reading it correctly, then this will not protect you.  The
feature only matches against the source, which is not the issue here.

RoMaN SoFt / LLFB !! wrote:
 I've not tested it but perhaps this is a valid workaround for Linux.

I don't think so.  Just follow the maintainer's advice, and filter your
interfaces:

# ifconfig eth0 10.0.5.10
# ipchains -A input -i eth0 -d 10.0.5.10 -j ACCEPT
# ipchains -A input -i eth0 -j DENY

Or something like that, anyway.  Easy enough, right? :)

Thanks,

Kyle Sparger - Senior System Administrator
ksparger () dialtoneinternet net - http://www.dialtoneinternet.net
Voice - (954) 581-0097 x 122
"Forget college, I'm going pro."
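
The following is an added example, not part of the original message and not kernel code: a simplified Python model of the point made above, that a reverse-path check looks only at the source while the two ipchains rules look at the destination. The eth0 address is from the message; the /24 masks, the eth1 interface, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Constructed host. eth0's address is from the message; the masks and eth1
# are assumptions for this illustration.
INTERFACES = {
    "lo":   ipaddress.ip_interface("127.0.0.1/8"),
    "eth0": ipaddress.ip_interface("10.0.5.10/24"),
    "eth1": ipaddress.ip_interface("192.168.1.1/24"),
}

def route_interface(addr):
    """Longest-prefix match over connected networks (no default route)."""
    a = ipaddress.ip_address(addr)
    hits = [(i.network.prefixlen, n) for n, i in INTERFACES.items() if a in i.network]
    return max(hits)[1] if hits else None

def is_local(dst):
    """Weak host model: any local address is accepted on any interface."""
    d = ipaddress.ip_address(dst)
    return d in INTERFACES["lo"].network or any(d == i.ip for i in INTERFACES.values())

def rp_filter_passes(in_if, src):
    """Reverse-path check: the route back to src must use the arrival interface."""
    return route_interface(src) == in_if

def dst_filter_passes(in_if, dst):
    """Model of the two ipchains rules: ACCEPT dst == own address, DENY the rest."""
    return ipaddress.ip_address(dst) == INTERFACES[in_if].ip

def verdict(in_if, src, dst, rp_filter=False, dst_filter=False):
    if rp_filter and not rp_filter_passes(in_if, src):
        return "dropped by rp_filter"
    if dst_filter and not dst_filter_passes(in_if, dst):
        return "dropped by destination filter"
    return "delivered locally" if is_local(dst) else "not local"

if __name__ == "__main__":
    # Constructed packets, all arriving on eth0 from an on-link neighbour.
    for dst in ("10.0.5.10", "192.168.1.1", "127.0.0.1"):
        for flags in ({"rp_filter": True}, {"dst_filter": True}):
            print(dst, flags, "->", verdict("eth0", "10.0.5.99", dst, **flags))
```

In this model the reverse-path check passes every packet from the on-link neighbour regardless of destination, and only the per-interface destination rule stops traffic addressed to eth1 or loopback.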

