Possible DoS attack (?)
mjc at cooper.org.uk
Tue Nov 9 00:57:48 UTC 1999
I'm sure you guys (girls?) are all aware of the default option
for this, but we have just decided to implement 'ip route-cache
same-interface' on our client interfaces since the default option
on the Cisco IOS version 11.1 (x) which we use at present is 'off'.
The reason this may be a problem is that the default option
implies process switching for packets directed at the target
address where that destination is reached via the same interface.
The trade-off is that ICMP redirects work all the time when the
option is disabled, but only for the first packet per destination
when it is not.
Our particular problem is that we have overlaid IP subnets
where many of the hosts on these subnets ignore ICMP redirects.
The potential DoS attack I am thinking of involves peer or transit
networks forwarding packets with forged source addresses to their
next-hop, such that the packets are immediately bounced back to
their forged sources via their source router across the exchange,
having been process switched. This problem could be avoided by fast
switching the packets that are to be bounced back.
This may not be a problem for routers using CEF, presuming
that such routers do not use their CPUs to switch packets
back towards their return-paths where this is via the same
interface, but I am uncertain if this is the case.
Of course, if everyone did proper source address access-lists
on ingress ports, this would not be a problem (but I suspect
that everyone does not).
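As an added example that is not part of the original post, the two measures the post mentions combined on one customer-facing interface: 'ip route-cache same-interface' so that traffic returned out the arriving interface is fast switched instead of process switched, and an ingress source-address access-list so that forged-source packets are dropped before they can be bounced back at all. The interface name, the addresses and the access-list number are placeholders; the syntax is the numbered-ACL form available on IOS 11.1.

```cisco
! Customer-facing interface (placeholder name and addressing)
interface Serial0
 description Customer link (example)
 ip address 192.0.2.1 255.255.255.252
 ! Drop anything whose source is not the customer's own prefix
 ip access-group 101 in
 ! Fast switch packets leaving via the interface they arrived on;
 ! ICMP redirects are then sent only for the first packet per destination
 ip route-cache same-interface
!
! Ingress filter: only the customer's assigned prefix (placeholder) may
! appear as a source; everything else is forged and is logged and dropped
access-list 101 permit ip 198.51.100.0 0.0.0.255 any
access-list 101 deny   ip any any log
```

The 'log' keyword on the final deny makes each dropped forged-source packet visible in the router log, which is what lets you see whether the bounce scenario is actually being attempted.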