[c-nsp] DNS amplification
"Rolf Hanßen"
nsp at rhanssen.de
Tue May 14 10:14:49 EDT 2013
Hello Nick,
I guess I did not understand what source IP is allowed with "allow-self-ping".
I just tried out with that setup:
Attacking server somewhere in 1.0.0.0/24 connected to Sup2T with 1.0.0.1
and 1.0.0.2 (hard-coded + HSRP).
Target is 2.0.0.123 (connected somewhere else).
No matter if allow-self-ping is set or not, packets with those sources are
dropped:
1.0.0.1
1.0.0.2
1.0.0.255
2.0.0.123
Only source=1.0.0.3-254 works, that looks like correct behaviour to me.
What additional spoofed IP(s) could be used in that case with
allow-self-ping set?
kind regards
Rolf
> On 08/05/2013 15:06, "Rolf Hanßen" wrote:
>> R2(config-if)#ip verify unicast source reachable-via rx ?
>> ...
>> allow-self-ping Allow router to ping itself (opens vulnerability in
>> verification)
>> l2-src Check packets arrive with correct L2 source address
>>
>> What kind of vulnerability is that? Just for my interest, I do not need
>> to ping myself usually. ;)
>
> In order to ping an interface address, the packet needs to go through the
> normal packet forwarding process. This includes a uRPF check. As the ping
> packet does not come from the interface itself, it will fail a uRPF check
> and the packet will be dropped unless "allow-self-ping" is enabled. If you
> enable "allow-self-ping", the vulnerability is that you can also send
> packets to the router with srcip=dstip and they will pass the uRPF check.
>
> Nick
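A small model of the uRPF decision Nick describes in the quoted reply, added here as an illustration; it is not Cisco's implementation and not code from the thread. It uses a constructed two-interface topology resembling Rolf's setup (a connected 1.0.0.0/24 with two router addresses standing in for the hard-coded address plus the HSRP virtual address, and a 2.0.0.0/24 behind the other interface). Strict mode ("reachable-via rx") compares the route back to the source with the interface the packet arrived on; the allow-self-ping exemption is modelled as the quoted reply explains it, i.e. a source that is one of the router's own addresses skips the reverse-path comparison, which is why a spoofed packet with srcip=dstip also gets through. The interface names and addresses are assumptions, and the model reproduces the explanation rather than Rolf's Sup2T measurement, which dropped router-addressed sources either way; the thread does not resolve that difference.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for illustration (not the poster's real network).
ROUTES = {
    ip_network("1.0.0.0/24"): "Gi1/1",
    ip_network("2.0.0.0/24"): "Gi1/2",
}
INTERFACE_ADDRESSES = {
    "Gi1/1": {ip_address("1.0.0.1"), ip_address("1.0.0.2")},  # hard-coded + HSRP VIP
    "Gi1/2": {ip_address("2.0.0.1")},
}
OWN_ADDRESSES = set().union(*INTERFACE_ADDRESSES.values())


def reverse_path_interface(addr):
    """Longest-prefix match of addr against ROUTES: the interface the router
    would use to send *to* addr, which strict uRPF compares with the ingress."""
    best = None
    for net, ifname in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def strict_urpf_accepts(src, dst, ingress, allow_self_ping=False):
    """Model of 'ip verify unicast source reachable-via rx'.

    ingress is the receiving interface name, or None for a packet the router
    generated itself (a self-ping).  With allow_self_ping the exemption from
    the quoted reply applies: a source that is one of the router's own
    addresses skips the reverse-path comparison, so a spoofed packet with
    src == dst (dst being a router address) passes as well.
    """
    src, dst = ip_address(src), ip_address(dst)
    if allow_self_ping and src in OWN_ADDRESSES:
        return True
    rpf_if = reverse_path_interface(src)
    # No route back to the source, or a route out of a different interface: drop.
    return rpf_if is not None and rpf_if == ingress


def evaluate_cases():
    """Returns {case name: (accepted without allow-self-ping, accepted with it)}."""
    cases = {
        # name: (src, dst, ingress interface or None for locally generated)
        "legit host behind Gi1/1":        ("1.0.0.10",  "2.0.0.123", "Gi1/1"),
        "spoofed remote source on Gi1/1": ("2.0.0.123", "1.0.0.1",   "Gi1/1"),
        "router pinging its own address": ("1.0.0.1",   "1.0.0.1",   None),
        "spoofed src==dst from Gi1/2":    ("1.0.0.1",   "1.0.0.1",   "Gi1/2"),
    }
    return {
        name: (strict_urpf_accepts(s, d, i, False), strict_urpf_accepts(s, d, i, True))
        for name, (s, d, i) in cases.items()
    }


if __name__ == "__main__":
    for name, (plain, with_exemption) in evaluate_cases().items():
        print(f"{name:32}  strict: {'pass' if plain else 'DROP'}  "
              f"+allow-self-ping: {'pass' if with_exemption else 'DROP'}")
```

The two last cases are the point of the quoted reply: the router's own ping fails the plain strict check because its source is reachable via Gi1/1 rather than via the local path, and the exemption that fixes it is keyed on the source address alone, so the same packet arriving from the wire on Gi1/2 is accepted too. A spoofed source that is not a router address (second case) is dropped in both modes, so the exemption only widens what strict mode lets in for the router's own addresses.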