mailing list archives
Linux problem, steal of IP and traffinc redirection could bypass a firewall
From: NetExpress <NetExpress () tiscali it>
Date: Sat, 06 Nov 2004 21:35:54 +0100
Hi, I am wondering why linux do not recognize if someone steal it's IP,
this could be a serious security problem.
infact linux, Instead of Windows and freebsd and other operative system,
when boot or give up a virtual IP on an interface do not send gratious
arp but only ask for the gateway arp and than answer to the query for it's
Because of this, If I have a gateway, with IP IPA, and set a desktop/server
on the lan with the same ip IPA, when it start it will be the new gateway
for the all network.
- Suppose the gateway is in high availability, it will have phisical IP
and a logical IP the logical one is known from the host of lan as default
- Suppose to set a server/desktop with a virtual IP eth0:1 with the logical
IP of the real gateway, send a broadcast arp, set ip_forward=1, and route
all the traffic to the phisical IP of the original gateway.
- Now there is a new gateway for all host on the net, and the real gateway
will trust (with the trust I have on my server) the traffic that I forward
to his because it come form a trusted real IP ,
With this I have create a by-pass of the firewall!!! this is not good!,
I could se all traffic, make a man in the middle, see the database data
userid e password and so on.
But the worst is that if it happen on a DMZ I could create a big DOS, without
someone thinks the gateway IP has been steal form someother!
If linux would send a gratious arp when it give up an IP real or virtaul
this problem will not be possible, because it could not bind a IP that is
already present on the net.
Alessandro Fiorenzi aka NetExpress
fiorenzi () tiscali it
Full-Disclosure - We believe in it.
- Linux problem, steal of IP and traffinc redirection could bypass a firewall NetExpress (Nov 06)