Unexpected change of default gateway

Vilem Kebrt vilem.kebrt at gmail.com
Mon Dec 17 17:53:32 CET 2012


Hi,
I may be a paranoid cynic, but look for a rootkit; this smells to me of
outside tampering...
This kind of redirect happens, for example, during convergence of dynamic
routing, but if you don't have dynamic routing software running, it
shouldn't be happening.
Another possibility is a hidden local proxy .... do you have a firewall up
on that box? (pf, ipfw; if so, please post the rule list before and after
the change)...
I would recommend kldstat and a look at the loaded modules, if there are
any (unless you have a static kernel)...
Vilem

On 17.12.2012 15:27, Radek Krejča wrote:
> I turned on logging of ICMP redirects:
>
> What is not entirely clear to me is this:
>
> icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
> icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
> icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
>
>
> I understand that at first they came from 10.4.4.122, but why then from 127.0.0.1? Or am I misreading the record?
>
> Apart from that, a colleague and I also looked into /usr/src/sys/netinet/ip_icmp.c, and there is this passage:
>
>                          printf("icmp redirect from %d.%d.%d.%d: "
>                                 "%d.%d.%d.%d => %d.%d.%d.%d\n",
>                                 (int)(src >> 24), (int)((src >> 16) & 0xff),
>                                 (int)((src >> 8) & 0xff), (int)(src & 0xff),
>                                 (int)(dst >> 24), (int)((dst >> 16) & 0xff),
>                                 (int)((dst >> 8) & 0xff), (int)(dst & 0xff),
>                                 (int)(gw >> 24), (int)((gw >> 16) & 0xff),
>                                 (int)((gw >> 8) & 0xff), (int)(gw & 0xff));
>                  }
>                  /*
>                   * RFC1812 says we must ignore ICMP redirects if we
>                   * are acting as router.
>                   */
>                  if (V_drop_redirect || V_ipforwarding)
>                          break;
>
> It seems to me that the comment doesn't match reality once a really large number of those ICMP redirects arrives. With the logging on, something keeps coming in all the time, but at the moment the log really starts filling up massively, the IP change does happen.
>
> Radek
>
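As an added example (not part of this thread), a small Python script that parses the kernel's ICMP-redirect log lines quoted above and flags the entries a defender would want to check first: redirects claiming to come from 127.0.0.1, redirects whose advertised gateway is the destination itself, and source/gateway pairs that repeat. The sample lines are constructed from those quoted in the thread; the flagging rules are assumptions of this example, not kernel logic.

```python
import re
from collections import Counter

# Message format printed by ip_icmp.c when ICMP redirect logging is on:
#   "icmp redirect from SRC: DST => GW"
REDIRECT_RE = re.compile(
    r"icmp redirect from (?P<src>[\d.]+): (?P<dst>[\d.]+) => (?P<gw>[\d.]+)"
)

# Constructed sample, taken from the lines quoted in the thread.
SAMPLE_LOG = """\
icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
"""


def parse_redirects(text):
    """Return (src, dst, gw) tuples for every redirect line in text."""
    records = []
    for line in text.splitlines():
        m = REDIRECT_RE.search(line)
        if m:
            records.append((m["src"], m["dst"], m["gw"]))
    return records


def suspicious_redirects(records, burst_threshold=3):
    """Flag redirects a host should not honour without investigation.

    Rules (assumptions of this example, not from the kernel):
      - source is the loopback address: no router speaks from 127.0.0.1
      - advertised gateway equals the destination itself
      - the same (src, gw) pair repeats burst_threshold times or more
    Returns (findings, bursts): findings are (src, dst, gw, reason) tuples,
    bursts maps (src, gw) to its count for pairs at or over the threshold.
    """
    findings = []
    pair_counts = Counter((src, gw) for src, _dst, gw in records)
    for src, dst, gw in records:
        reasons = []
        if src.startswith("127."):
            reasons.append("loopback source")
        if gw == dst:
            reasons.append("gateway equals destination")
        if reasons:
            findings.append((src, dst, gw, ", ".join(reasons)))
    bursts = {p: n for p, n in pair_counts.items() if n >= burst_threshold}
    return findings, bursts
```

On FreeBSD the V_drop_redirect test in the quoted ip_icmp.c fragment is controlled by the net.inet.icmp.drop_redirect sysctl, and the log lines above come from net.inet.icmp.log_redirect.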
