host ignores redirects -- attack?

Post by Joe Pfeiffe » Wed, 26 Dec 2001 10:40:45

For historical reasons, three static IP addresses which I don't in
fact use are routed by my ISP to my firewall machine.  I upgraded that
machine from 2.2.17 to 2.4.16 on Saturday.  My firewall is configured
to log packets coming to any of those addresses, and drop them.

Today, I've noticed several messages appearing in my logs similar to:

Dec 24 18:07:31 pinky kernel: host 144.232.9.154/if48 ignores redirects for 216.234.199.15 to 216.234.199.15.

(216.234.199.15 is one of the IP addresses getting routed to me).
I've seen them for all of the addresses routed to me other than my
actual firewall address, and with a variety of sites identified as
ignoring redirects.  Some of those sites don't seem to have a reverse
DNS mapping (including the one in the message above); others are
things like 0.so-1-0-0.TL2.LAX9.ALTER.NET.

Anybody know what's happening?
--
Joseph J. Pfeiffer, Jr., Ph.D.       Phone -- (505) 646-1605
Department of Computer Science       FAX   -- (505) 646-1002
New Mexico State University          http://www.cs.nmsu.edu/~pfeiffer
Southwestern NM Regional Science and Engr Fair:  http://www.nmsu.edu/~scifair
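The log line quoted above comes from the kernel's routing code rather than from the firewall rule set, so its fields are worth pulling apart. In the Linux 2.4 kernel the text `host <src>/if<n> ignores redirects for <dst> to <gateway>.` is printed by the ICMP redirect rate-limiter in net/ipv4/route.c (ip_rt_send_redirect) after a sender keeps forwarding through this box despite having been sent redirects; `<src>` is the sender, `if<n>` the input interface index, `<dst>` the destination, and `<gateway>` the next hop the sender was told to use. When destination and gateway are the same address, the redirect said "that host is on your own link", i.e. the packet was being forwarded back out the interface it arrived on. The following Python script, added here as an example and not code from the thread, parses such lines out of a syslog excerpt, summarises them per destination, and lists which of a set of addresses that were meant to be dropped are nevertheless reaching the forwarding path. The sample log is constructed: the first line is the one from the post, the rest are made up in the same format.

```python
import re
from collections import defaultdict

# Message format printed by net/ipv4/route.c (Linux 2.4, CONFIG_IP_ROUTE_VERBOSE):
#   host <src>/if<ifindex> ignores redirects for <dst> to <gateway>.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
REDIRECT_RE = re.compile(
    rf"host (?P<src>{IPV4})/if(?P<ifindex>\d+) ignores redirects for "
    rf"(?P<dst>{IPV4}) to (?P<gw>{IPV4})\."
)

# Constructed sample log: line 1 is the one quoted in the post, the others are invented
# in the same format (plus one unrelated kernel line that must be skipped).
SAMPLE_LOG = """\
Dec 24 18:07:31 pinky kernel: host 144.232.9.154/if48 ignores redirects for 216.234.199.15 to 216.234.199.15.
Dec 24 18:09:02 pinky kernel: host 192.0.2.7/if48 ignores redirects for 216.234.199.14 to 216.234.199.14.
Dec 24 18:11:45 pinky kernel: host 144.232.9.154/if48 ignores redirects for 216.234.199.14 to 216.234.199.14.
Dec 24 18:12:10 pinky kernel: eth1: Promiscuous mode enabled.
Dec 24 18:15:00 pinky kernel: host 198.51.100.9/if48 ignores redirects for 203.0.113.20 to 203.0.113.1.
"""


def parse_redirect_lines(text):
    """Return one dict per 'ignores redirects' line; other lines are ignored.

    'hairpin' is True when destination == gateway, meaning the kernel told the
    sender the destination is directly reachable on the sender's own link, so
    the packet was forwarded back out the interface it came in on.
    """
    records = []
    for line in text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ifindex"] = int(rec["ifindex"])
        rec["hairpin"] = rec["dst"] == rec["gw"]
        records.append(rec)
    return records


def summarize(records):
    """Group records by destination: how many messages, from which senders,
    and whether any of them was a hairpin redirect."""
    by_dst = defaultdict(lambda: {"sources": set(), "count": 0, "hairpin": False})
    for r in records:
        entry = by_dst[r["dst"]]
        entry["sources"].add(r["src"])
        entry["count"] += 1
        entry["hairpin"] = entry["hairpin"] or r["hairpin"]
    return {
        dst: {"sources": sorted(v["sources"]), "count": v["count"], "hairpin": v["hairpin"]}
        for dst, v in by_dst.items()
    }


def forwarded_but_meant_dropped(records, dropped_addrs):
    """Addresses the firewall is supposed to drop that still show up as
    redirect targets, i.e. packets for them reached the routing/forwarding
    path instead of being discarded."""
    seen = {r["dst"] for r in records}
    return sorted(seen & set(dropped_addrs))


if __name__ == "__main__":
    recs = parse_redirect_lines(SAMPLE_LOG)
    for dst, info in sorted(summarize(recs).items()):
        flag = " (hairpin: forwarded back out the input interface)" if info["hairpin"] else ""
        print(f"{dst}: {info['count']} message(s) from {', '.join(info['sources'])}{flag}")
    # Addresses from the post that the firewall is meant to drop (216.234.199.16 is a
    # constructed extra entry to show that only logged destinations are reported).
    meant_dropped = {"216.234.199.14", "216.234.199.15", "216.234.199.16"}
    print("reaching the forwarding path despite drop rules:",
          forwarded_but_meant_dropped(recs, meant_dropped))
```

The useful check is the last function: a destination that appears in these messages was routed, not dropped, so the packets were never matched by the rules that were supposed to discard them. Packets addressed to an address that is not configured on any local interface traverse the FORWARD chain rather than INPUT, so a drop rule that only lives in INPUT will never see them; comparing this script's output with the chain the rules sit in is the first thing to verify.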


host ignores redirects -- attack?

Post by Dean Thompso » Thu, 27 Dec 2001 11:37:18

Hi!,

> For historical reasons, three static IP addresses which I don't in
> fact use are routed by my ISP to my firewall machine.  I upgraded that
> machine from 2.2.17 to 2.4.16 on Saturday.  My firewall is configured
> to log packets coming to any of those addresses, and drop them.

> Today, I've noticed several messages appearing in my logs similar to:

> Dec 24 18:07:31 pinky kernel: host 144.232.9.154/if48 ignores redirects for 216.234.199.15 to 216.234.199.15.

> (216.234.199.15 is one of the IP addresses getting routed to me).
> I've seen them for all of the addresses routed to me other than my
> actual firewall address, and with a variety of sites identified as
> ignoring redirects.  Some of those sites don't seem to have a reverse
> DNS mapping (including the one in the message above); others are
> things like 0.so-1-0-0.TL2.LAX9.ALTER.NET.

> Anybody know what's happening?

Is your machine actually configured to receive these packets and reject them
(in other words are there interfaces open for these IP addresses, or are these
packets just hitting your known IP address) ?

To me it seems to suggest that iptables is telling you that it is receiving
these IP addresses, but they aren't for your machine and hence will ignore the
packets.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


host ignores redirects -- attack?

Post by Joe Pfeiffe » Thu, 27 Dec 2001 12:33:31

> Is your machine actually configured to receive these packets and reject them
> (in other words are there interfaces open for these IP addresses, or are these
> packets just hitting your known IP address) ?

The 216.234.199.14 etc. addresses have no interfaces open -- my IP
tables will spot anything coming in for them, and drop them on the
floor (unless I've got a bug I don't know about, of course!).  But
that raises the question of where the messages I'm seeing are actually
coming from -- my IP tables log messages don't use that format.  It
almost seems like the packets themselves have to have been addressed
to my firewall....  I still don't know what's going on, but that gives
me something else to look at...

> To me it seems to suggest that iptables is telling you that it is receiving
> these IP addresses, but they aren't for your machine and hence will ignore the
> packets.

Except it seems like it's the remote host getting the redirect telling
me it's ignoring it...

> See ya

Thanks
--
Joseph J. Pfeiffer, Jr., Ph.D.       Phone -- (505) 646-1605
Department of Computer Science       FAX   -- (505) 646-1002
New Mexico State University          http://www.cs.nmsu.edu/~pfeiffer
Southwestern NM Regional Science and Engr Fair:  http://www.nmsu.edu/~scifair

host ignores redirects -- attack?

Post by Dean Thompso » Thu, 27 Dec 2001 20:41:37

Hi!,

>>Is your machine actually configured to receive these packets and reject
>>them (in other words are there interfaces open for these IP addresses, or
>>are these packets just hitting your known IP address) ?

> The 216.234.199.14 etc. addresses have no interfaces open -- my IP
> tables will spot anything coming in for them, and drop them on the
> floor (unless I've got a bug I don't know about, of course!).  But
> that raises the question of where the messages I'm seeing are actually
> coming from -- my IP tables log messages don't use that format.  It
> almost seems like the packets themselves have to have been addressed
> to my firewall....  I still don't know what's going on, but that gives
> me something else to look at...

Can't say for certain, but the packets might be being dropped at the point
where the iptables module is actually interfacing with the kernel, rather than
your rules being parsed.  This would explain why your log format isn't being
followed or that your rules are not being processed.

>> To me it seems to suggest that iptables is telling you that it is
>> receiving these IP addresses, but they aren't for your machine and hence
>> will ignore the packets.

> Except it seems like it's the remote host getting the redirect telling
> me it's ignoring it...

It is quite possible that iptables is sending back a REJECT to the remote host
to ignore it.  One way or test to perform would be to insert a couple of
proxyarp statements on your iptables machine for the respective IP addresses,
and then see whether iptables will deal with the drop internally.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


1. virtual host redirecting to real host

Hi all,

I'm trying to use virtualhost for the 1st time and I'm having problems.
All I want is to redirect whoever tries to reach wwwold.kuku.com (old
site name) to wwwnew.kuku.com (new site name).
both www and www1 are aliases of the server's machine.

I tried this:
<VirtualHost wwwold.kuku.com>
ServerName wwwold.kuku.com
Redirect 301 / http://wwwnew.kuku.com/
</VirtualHost>

But it doesn't work. Both domains now return a page that say that the
server is now redirected to http://wwwnew.kuku.com/
What am I missing?

TIA

--
        Anat Rozenzon

API/Intranet team            Tel:    +972-8-9134480
Telrad Ltd.                  Fax:    +972-8-9133487

