Access to the Internic Blocked
Vadim Antonov
avg at quake.net
Fri Aug 23 02:02:21 UTC 1996
Curtis wrote:
>I've said many times that if security in your network is weak enough
>that you need to worry about LSRR packets you need to worry about
>security in your network.
Not at all. LSRR is a nice tool to mount practically untraceable
flooding attack (hint -- just forge source address and spread
intermediate points evenly across the network). Shutting you
down may be exactly what the attacker wants.
(LSRR attacks against service providers are particlularly bad --
just imagine somebody flooding you at T-1 speed and bouncing
packets back and forth two dozen times. Poof -- here goes the
T-3 :)
There are particularly nasty man-in-the-middle attacks (which
defeat one-time-password login authentication, like that) if you
can combine LSRR with bogus routing.
>The minute someone unpacks a Sun workstation, configures an IP address
>and sticks it on the ethernet without installing the security patches
>and doing the administrative work needed to secure the machine, if you
>had a small hole in your security with LSRR, you now have a gaping
>hole in your security. If you are relying on blocking LSRR, your
>security is a weak as the most peerly administered machine on your
>network. A real bad thing if you are constantly hiring.
I never argued that blocking LSRR plugs all security holes. However
it is one thing _not_ used in normal operations; and everything not
used _must_ be shut down by a prudent security. And, again, there
are several LSRR-based attacks.
>Even so, if anywhere, where you want LSRR turned off is the border
>router(s) in front of the machines used for operations, network
>management, etc.
>Obviously you want your network to be secure even if
>LSRR was enabled for the reason I cited above.
Security Rule #1: You're never secure. Turning LSRR off doesn't
particularly hurt connectivity, and is cheap. It's a way to _improve_
security.
--vadim
More information about the NANOG
mailing list