On Fri, Aug 20, 2010 at 4:08 PM, Butch Evans <butche@butchevans.com> wrote: I would suggest the recommendation be that ICMP Redirects, proxy ARP, directed broadcast, source routing, and acceptance/usage of all fancy/surprising features should be off by default. Where "surprising" is defined as the sort of thing that is nonessential, has questionable benefits, can cause problems, and that people will forget to turn off. Redirects seem to fall into the non-essential with questionable benefits (in most cases) category.
For most of the networks that I manage (or help to manage), I can see no reason why this would be an issue.
If none of your hosts accept redirects, then it is not really apparent that redirects are harmful. If some of your hosts accept redirects, then redirects may be capable of causing headaches.

You might have a gateway using a protocol such as VRRP, with redundancy for the default gateway address of subnet $X. And you have other routers for other subnets which just happen to have an extra IP on subnet $X. But the other subnets' routers' IPs on subnet $X are not redundant, and the packets are supposed to take a secondary route if that "second hop" router goes down, since the $X default gateway will dynamically figure this out in a couple of seconds. Then the ICMP redirect becomes a redirect to /dev/null. And almost random sets of hosts will lose communications with each other for the redirect timeout duration, if they are not smart enough to implement methods of detecting that the redirect is now bad.

Sending ICMP redirects is not a huge security risk. ACCEPTING redirects is a larger risk. The redirects can be used by an adversary that acts as a "router" to extend the lifetime of, or increase the effectiveness of, an ARP hijacking or switch CAM flooding tactic, to continue to steal traffic from a host and ensure they get every packet. The adversary with an IP on the same subnet as the target hosts can use forged ICMP redirects in order to cause hosts to misdirect packets sent to certain IPs, so that the attacker's local subnet IP address is the first hop in the path, instead of the hosts' default gateway.

-- 
-J
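The forged-redirect scenario -J describes, worked through in code. This is an added example and not part of the original thread: it builds an RFC 792 ICMP Redirect (type 5) byte for byte, parses it back, and then applies the two checks a receiving host can make before honouring it. The addresses (192.0.2.0/24 for the victim subnet, 198.51.100.10 for the remote host), the router list and the function names are all constructed for the example; the checks follow RFC 1122 section 3.2.2.2 (redirect must come from the current first-hop router) and the allow-list idea behind Linux's net.ipv4.conf.*.secure_redirects.

```python
"""Build, parse and vet ICMP Redirect messages (RFC 792 type 5).

Added example for the thread above, not code from the original post.
All addresses are constructed RFC 5737 documentation addresses.
"""
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(new_gateway: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """ICMP Redirect: type 5, code, checksum, new gateway address, followed by
    the IP header plus first 8 bytes of the datagram that triggered it.
    The quoted datagram here is a constructed TCP segment to port 443."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 8) + struct.pack("!HHI", 49152, 443, 0)
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(new_gateway)) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_redirect(icmp: bytes) -> dict:
    """Decode a redirect, rejecting short or corrupted messages."""
    if len(icmp) < 28:
        raise ValueError("ICMP message too short to be a redirect")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % typ)
    quoted = icmp[8:]
    return {
        "code": code,
        "kind": REDIRECT_CODES.get(code, "unknown"),
        "new_gateway": socket.inet_ntoa(gw),
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
    }


def vet_redirect(redirect: dict, outer_src: str, current_gateway: str, known_routers: set) -> tuple:
    """Decide whether a host should honour a redirect.

    Check 1 (RFC 1122 3.2.2.2): the redirect must arrive from the router
    currently used for that destination.  An attacker on the subnet defeats
    this by spoofing the outer IP source as the gateway.
    Check 2 (allow list, as Linux secure_redirects does): the new gateway
    must already be a trusted router.  The attacker cannot spoof around this
    one, because the new gateway is the address they want traffic sent to."""
    reasons = []
    if outer_src != current_gateway:
        reasons.append("sent by %s, not the current gateway %s" % (outer_src, current_gateway))
    if redirect["new_gateway"] not in known_routers:
        reasons.append("new gateway %s is not a known router" % redirect["new_gateway"])
    return ("accept" if not reasons else "drop", reasons)


def demo() -> dict:
    """Constructed scenario: victim 192.0.2.20 reaches 198.51.100.10 via gateway
    192.0.2.1.  Attacker 192.0.2.66 forges a host redirect naming itself as
    the new first hop; a second router 192.0.2.2 issues a legitimate one."""
    gateway, attacker, victim, remote = "192.0.2.1", "192.0.2.66", "192.0.2.20", "198.51.100.10"
    routers = {gateway, "192.0.2.2"}
    forged = parse_redirect(build_redirect(attacker, victim, remote))
    legit = parse_redirect(build_redirect("192.0.2.2", victim, remote))
    return {
        "forged": vet_redirect(forged, gateway, gateway, routers),          # outer source spoofed
        "forged_unspoofed": vet_redirect(forged, attacker, gateway, routers),
        "legit": vet_redirect(legit, gateway, gateway, routers),
    }


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(name, verdict, "; ".join(why))
```

The point the demo makes is the one in the post: a sender-address check alone does not protect a host that accepts redirects, because the attacker "acts as a router" and simply claims the gateway's address as outer source. Only refusing to honour redirects at all, or only honouring ones that name a router the host already trusts, keeps the attacker's address from becoming the first hop.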