Internet Security Professional Reference: IP Spoofing and Sniffing


Spoofing the IP Routing System

On the Internet, every machine that is active at the network layer takes part in routing decisions (bridges and repeaters are only active at lower layers). The decentralization of routing is unlike simpler systems that limit end user machines to delivering data to a single point of entry on the network, isolating the end user machine from the internal complexities of the network. The essential routing decision is “Where should a datagram with a particular IP destination address be sent?” If the destination address matches the (sub)network address of (one of) the machine’s interface(s), then the machine routes the datagram directly to the destination hardware address. Otherwise, the machine selects a router to forward the datagram. Each machine keeps a routing table containing a list of destination (sub)networks and the IP address of the router used to forward to that (sub)network. A default router handles destinations not specifically listed.

How Routers and Route Spoofing Work

Route spoofing can take various forms, all of which involve getting Internet machines to send routed IP datagrams somewhere other than where they should. Route spoofing misdirects non-locally delivered IP datagrams and is thus somewhat similar to ARP spoofing, which misdirects directly delivered IP datagrams. Like ARP spoofing, route spoofing can result in a denial of service attack—datagrams do not go to the machine for which they are intended with the result that a machine appears to be unable to communicate with the network. With a little more sophistication, both ARP spoofing and route spoofing can simply intercept all traffic between two pieces of the network. In the process, they can filter through the network traffic, possibly making modifications to it, creating the illusion of a properly working network.

If you start with a single default router and other routers are available on the network, you would expect that for some destination networks the default router would not be the best choice. If the default router is not the best choice, it sends the datagram back over the same network from which the datagram originated to a different router. When a router does so, it uses the Internet Control Message Protocol (ICMP) to send a message to the machine originating the datagram. ICMP includes a variety of types of messages. The type of ICMP message here is a redirect message.

A redirect message essentially says “it would be best to send datagrams to a router with IP address W.X.Y.Z when the destination network is A.BD rather than using me as your router for that destination.” A machine receiving an ICMP redirect message typically updates its routing table to avoid making the mistake in the future. Note that the datagram did not become lost and does not need to be re-sent because the router sending the ICMP redirect has already forwarded the datagram to the appropriate router.

ICMP-Based Route Spoofing

If a machine ignores ICMP redirects, its datagrams are still delivered, just not as efficiently. Turning off ICMP redirect processing is one way of avoiding the simplest of route spoofing techniques: sending illegitimate ICMP redirect messages. Many systems simply process ICMP redirect messages without checking their validity. At the very least, a check should be made that the source IP address of the message corresponds to a known router.


Note:  Microsoft Windows 95 and Windows NT keep a list of known routers. The first router on the list is the default router; the next router on the list becomes the default router in case the first one appears to be down.

Another minimal safeguard is to ensure the ARP caches on the hosts have permanent entries for the hardware address of all legitimate routers. This prevents an ARP spoof in which a machine masquerades as one of the routers. Such a masquerade would allow such a machine to intercept virtually all traffic leaving the local network just like the attack described in the next paragraph.

If a machine sends ICMP redirect messages to another machine on the network, it could cause the other machine to have an invalid routing table. At the very least, an invalid routing table would constitute a denial of service attack: some or all non-local datagrams would not be able to reach their destination. A much more serious situation would arise if a machine poses as a router to intercept IP datagrams to some or all destination networks. In that case, the machine being used to launch the attack could be multihomed and deliver the IP datagrams via its other network interface. Otherwise, it could simply forward the datagrams to the legitimate router over the same network interface on which they arrived (without the usual ICMP redirect to point back to the legitimate router).

The simplest way to avoid ICMP redirect spoofing is to configure hosts not to process ICMP redirect messages. Doing so may be difficult unless your TCP/IP software is configurable. Some systems require source code modifications to prevent these redirect messages. Many Unix System V machines accept a packet filter with no recompilation or relinking of the kernel.


Note:  ICMPinfo provides specialized monitoring of ICMP packets received by a host. TAP is an example of a packet filter used for monitoring. It provides an example that helps you put together your own ICMP packet filter to discard suspicious ICMP redirects.


An alternative is to validate ICMP redirect messages, such as checking that the ICMP redirect is from a router you are currently using. This involves checking the IP address of the source of the redirect and verifying that the IP address matches with the hardware address in the ARP cache. The ICMP redirect should contain the header of the IP datagram that was forwarded. The header can be checked for validity but could be forged with the aid of a sniffer. However, such a check may add to your confidence in the validity of the redirect message and may be easier to do than the other checks because neither the routing table nor the ARP cache needs to be consulted.
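As an added example (not the book's own code, and using constructed, hypothetical addresses), the following Python function applies the checks described in this paragraph and in the earlier ones on known routers and permanent ARP entries to a received ICMP redirect: that it came from a router in the host's routing table, that the sender's IP address matches the hardware address in the ARP cache, that the embedded IP header belongs to a datagram this host sent via that router, and that the new gateway lies on the local network. The last check goes slightly beyond the text; it is the standard requirement that a redirect target be directly reachable. The `build_redirect` helper only constructs sample messages for the example and leaves the checksum zero.

```python
import ipaddress
import struct

# Constructed host state for this example (hypothetical addresses, not from the text).
MY_IP = "192.0.2.10"
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTES = {"198.51.100.0/24": "192.0.2.1", "default": "192.0.2.1"}  # destination -> router
ARP_CACHE = {"192.0.2.1": "00:00:5e:00:01:01"}  # permanent entry for the known router

def current_gateway(dst):
    """Router this host currently uses for dst, according to its routing table."""
    for net, gw in ROUTES.items():
        if net != "default" and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return gw
    return ROUTES["default"]

def build_redirect(new_gw, inner_src, inner_dst):
    """Construct a sample ICMP redirect (type 5, code 1: redirect for host); checksum left zero."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.ip_address(inner_src).packed,
                        ipaddress.ip_address(inner_dst).packed) + b"\x00" * 8
    return struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(new_gw).packed) + inner

def validate_redirect(src_ip, src_mac, icmp):
    """Return (accepted, reason) for an ICMP redirect received from src_ip / src_mac."""
    if len(icmp) < 28:
        return False, "too short to carry the embedded IP header"
    typ, _code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != 5:
        return False, "not an ICMP redirect"
    # 1. The sender must be a router this host actually uses (routing table).
    if src_ip not in ROUTES.values():
        return False, "sender is not a known router"
    # 2. The sender's IP must match the hardware address held in the ARP cache.
    if ARP_CACHE.get(src_ip) != src_mac:
        return False, "hardware address does not match the ARP cache"
    # 3. The embedded header must be a datagram we sent, via the redirecting router.
    inner_src = str(ipaddress.ip_address(icmp[20:24]))
    inner_dst = str(ipaddress.ip_address(icmp[24:28]))
    if inner_src != MY_IP:
        return False, "embedded datagram was not sent by this host"
    if current_gateway(inner_dst) != src_ip:
        return False, "sender is not the router used for that destination"
    # 4. The new gateway must be directly reachable on the local network.
    new_gw = str(ipaddress.ip_address(gw))
    if ipaddress.ip_address(new_gw) not in LOCAL_NET or new_gw == MY_IP:
        return False, "new gateway is not on the local network"
    return True, f"update route to {inner_dst} via {new_gw}"
```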

