
Linux adds router denial-of-service prevention


Posted Mar 18, 2010 14:38 UTC (Thu) by tialaramex (subscriber, #21167)
In reply to: Linux adds router denial-of-service prevention by ekj
Parent article: Linux adds router denial-of-service prevention

You can already see this fact used in link-local protocols, in two (unfortunately contradictory) ways.

Some protocols require that TTL is 1. This means that a conforming implementation, connected to properly functioning routers, never leaks packets onto the wider network (whether or not that is the Internet) regardless of router (mis)configuration, because the router will reduce TTL to zero and discard the packet. It is fairly trivial for a knowledgeable attacker to spoof such packets if he can deliver them to your network.

Some protocols require that TTL is 255, because, as observed here, packets which are somehow routed onto your network from elsewhere will not have this TTL value and so can be discarded. In this case attackers can't spoof you, but a lot of care is needed to ensure that no misconfigured router spills all the packets onto the Internet (or else, that when it does so no harm results).


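As an added illustration of the two TTL rules in the comment above (example code, not from LWN or the commenter): a minimal IPv4 header builder plus a model of a conforming router decrementing TTL, showing that a TTL 1 packet is discarded at the first router while a receiver that requires TTL 255 rejects anything that crossed one. The addresses and payloads are constructed.

```python
import struct
from typing import Optional

# 20-byte IPv4 header without options: ver/IHL, DSCP, total length, id,
# flags/fragment offset, TTL, protocol, header checksum, src, dst.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
TTL_OFFSET = 8


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left zero; constructed test data)."""
    def to_bytes(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0,
                        ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the fields a TTL policy cares about."""
    f = IPV4_HDR.unpack_from(packet)
    return {"ttl": f[5], "proto": f[6],
            "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9]))}


def router_hop(packet: bytes) -> Optional[bytes]:
    """Emulate one conforming router: decrement TTL, discard when it reaches 0."""
    ttl = parse_ipv4(packet)["ttl"] - 1
    if ttl <= 0:
        return None
    return packet[:TTL_OFFSET] + bytes([ttl]) + packet[TTL_OFFSET + 1:]


def deliver_via(packet: Optional[bytes], hops: int) -> Optional[bytes]:
    """Forward a packet across `hops` routers; None means it was dropped on the way."""
    for _ in range(hops):
        if packet is None:
            break
        packet = router_hop(packet)
    return packet


def gtsm_accept(packet: bytes) -> bool:
    """Receive-side check for a 'TTL must be 255' protocol: a packet that crossed
    even one router arrives with TTL <= 254 and is rejected before further parsing."""
    return parse_ipv4(packet)["ttl"] == 255
```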


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds