-----BEGIN PGP SIGNED MESSAGE-----

Friday, April 11, 1997
The Litterbox
Sean B. Hamor <hamors@litterbox.org>

LINUX IP MASQUERADE

Synopsis:

A problem exists in IP Masquerade under Linux which allows traffic to be passed to external networks even after the gateway host has been halted. As long as a connection has been established from an internal machine via the IP Masquerade gateway to an external host and the Ethernet interfaces inside the machine are still being supplied power, that connection will stay online in a fully interactive state.

Even worse, that connection will stay online even if the IP Masquerade gateway machine is rebooted. During a soft reboot, the connection will stay online in a fully interactive state. During a cold reboot, the connection will lose interactivity until the IP Masquerade gateway machine comes back online. After that, the connection will regain interactivity.

Impact:

During an incoming or outgoing attack, systems administrators may use the "kill switch" tactic to stop the attack and shut down the gateway machine involved in the attack. This creates a false sense of security, with that systems administrator thinking that the attack has been successfully stopped. In reality, the connection in question is totally unaffected by the system shutdown.

EOF

 /\_/\   http://www.litterbox.org/~hamors/pgp.txt   To err is human.
( o.o )  for PGP public key block                   To purr feline.
 > ^ <   Sean B. Hamor <hamors@litterbox.org>        - Robert Byrne
         The Litterbox: http://www.litterbox.org/
         Homeless and Abused Pet Rescue

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBM08HdjU6HlxZIJ+FAQGnMwf/Sxj4pKkMvdJMXKFDKerw6EZHU22edZaW
7CtQ8it2iaw5sjs0wkf6GIUY8Nh9sDP32tOZsJn5YCC19drGjPLYn0AbIRsoYcwk
MwUIZOge/8K2kdashLbKYuou/g081ro/ADXhbcKxwT5p/01S1SlyT3DsOEubdb2K
/qPaUvo6ErDhIjIdnf4fgTg76MhUlmHP56nWdUc8XwtDA+pu56eZy6vVb7iy/XTS
//ccSL8DPZ+nJurfexmaxA4FwDvAKX6eA0sFdUJHxq223mZu6JlVrl6W74yChgRR
VqFIQFATtBntLlfvkSQhq/AgAyIY8ETh/DC0qFJuw1ORSjy0WHiszg==
=57ov
-----END PGP SIGNATURE-----

[Mod: that is all great but...

<SOAPBOX>
Please take this message with a grain of salt because there are at least a couple of problems with what is being described in it.

A) This would have been a big problem for _firewalling_ code, not for masquerading. I hope that is clear.

B) When the machine is rebooted, connections go away. Tested on 2.0.27 kernel.
</SOAPBOX>

So no, because of (A) and (B) it works exactly like it should.

--alex ]
Alan Cox
1997-Apr-13 09:11 UTC
Re: [linux-security] [LINUX] IP_MASQ / Ethernet Passing Traffic After Halt
> Even worse, that connection will stay online even if the IP Masquerade
> gateway machine is rebooted. During a soft reboot, the connection will
> stay online in a fully interactive state. During a cold reboot, the

Actually it's a feature. It's called "stateless" - like IP itself is. It gives you nice fault tolerance.

> During an incoming or outgoing attack, systems administrators may use the
> "kill switch" tactic to stop the attack and shut down the gateway machine
> involved in the attack. This creates a false sense of security with that
> systems administrator thinking that the attack has been successfully
> stopped. In reality, the connection in question is totally unaffected by
> the system shutdown.

Anyone who simply uses shutdown on an attacked machine is a fool. You have no idea what the cracker has done to your halt program. Use the BRS or pull out the cables.

If you want the Linux halt in the normal case to shut down your network interfaces then ifconfig them down in the rc scripts.

Alan
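The rc-script teardown Alan describes, written out as an added example (this is not code from the thread or from any distribution's init scripts). It assumes a Linux host where IP forwarding is toggled through /proc/sys/net/ipv4/ip_forward, that interface names can be read from /proc/net/dev, and that ifconfig is available; the interface names and the sample /proc/net/dev text in the demo are constructed. Forwarding is switched off before any interface goes down, so no packet is routed between the remaining interfaces while the loop runs, and the loopback interface is left alone so local shutdown work is not disturbed.

```shell
#!/bin/sh
# Added example: bring the network down as the last thing a halt rc script
# does, so a halted masquerading gateway stops passing traffic.
# Assumptions (not from the thread): /proc/net/dev and
# /proc/sys/net/ipv4/ip_forward exist, and ifconfig is on PATH.

# Print one interface name per line from /proc/net/dev-format text on stdin.
# Data lines look like "  eth0: 1234 ..."; the two header lines have no colon
# immediately after a name, so they are skipped.
ifaces_from_procnetdev() {
    sed -n 's/^[[:space:]]*\([^:[:space:]]*\):.*/\1/p'
}

# netdown MODE IFACE...
#   MODE is "dry" to print the commands that would run (used by the demo and
#   the test) or "run" to execute them (needs root).
#   Every IFACE except lo is brought down, after forwarding is disabled.
netdown() {
    mode=${1:-run}
    shift
    _do() {
        if [ "$mode" = dry ]; then
            echo "$*"
        else
            "$@"
        fi
    }
    # 1. Stop the kernel forwarding between interfaces first. Doing this
    #    before the ifconfig loop closes the window in which traffic could
    #    still cross from an interface that is up to one not yet downed.
    _do sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward'
    # 2. Down every non-loopback interface. A card that is merely left
    #    configured while the box halts is exactly what keeps the
    #    masqueraded session alive in the original report.
    for i in "$@"; do
        [ "$i" = lo ] && continue
        _do ifconfig "$i" down
    done
}

# Stand-alone demo: a dry run against the interfaces actually on this host.
# A real halt script would call: netdown run $(ifaces_from_procnetdev </proc/net/dev)
if [ -r /proc/net/dev ]; then
    netdown dry $(ifaces_from_procnetdev < /proc/net/dev)
fi
```

Note that this only helps when the halt path is trusted: if an intruder has already altered /sbin/halt or the rc scripts, as Alan warns, no script run by them can be relied on, and the cables or the power switch are the real kill switch.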
Sean B. Hamor
1997-Apr-13 10:00 UTC
Re: [linux-security] [LINUX] IP_MASQ / Ethernet Passing Traffic After Halt
-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 13 Apr 1997, Alan Cox wrote:

# Anyone who simply uses shutdown on an attacked machine is a fool. You
# have no idea what the cracker has done to your halt program. Use the BRS
# or pull out the cables.

You know that, and I know that, but do you really think that the average admin knows that?

# If you want the Linux halt in the normal case to shutdown your network
# interfaces then ifconfig them down in the rc scripts.

Which I have now done. I have also been told that there is a "-i" flag in shutdown that will ifconfig down all network interfaces before halt.

 /\_/\   http://www.litterbox.org/~hamors/pgp.txt   To err is human.
( o.o )  for PGP public key block                   To purr feline.
 > ^ <   Sean B. Hamor <hamors@litterbox.org>        - Robert Byrne
         The Litterbox: http://www.litterbox.org/
         Homeless and Abused Pet Rescue

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBM1ERRjU6HlxZIJ+FAQGVNwf/RRJZ17dyAjDvV7VmS0TeTpwXluuNDcEe
APa95JjVs+ruCpObPkgZ1MnvRSbo7MmYfj5WHeU+2+1IcaMQ5tu1++v7qLxRkRbw
XvCEQ3gRvretD2bwphUBLNvpZu3C5vDageXIYuj/hyqVXVPqkqmrYnweb7V4bt2X
xRDHYH+EMJJbor78hujzwVwgCeU2fZsYJ/1p4bB0/y5hJT3EAwYMk3XCf2vV0nLK
K+8KUmaix1JKptddO7LrF+z4KuezM1+SUbu5/lbsrBAlG7qH49rBCsJFo+sM0g3n
LDYEUVOeJcLM0j1+OdlHiDRysb9jvmDs3o1vkXMHSq+uc4kebUlRkw==
=XUlN
-----END PGP SIGNATURE-----
Rogier Wolff
1997-Apr-14 00:03 UTC
Re: [linux-security] [LINUX] IP_MASQ / Ethernet Passing Traffic After Halt
Sean B. Hamor wrote:
>
> On Sun, 13 Apr 1997, Alan Cox wrote:
>
> # Anyone who simply uses shutdown on an attacked machine is a fool. You
> # have no idea what the cracker has done to your halt program. Use the BRS
> # or pull out the cables.
>
> You know that, and I know that, but do you really think that the average
> admin knows that?

On the other hand, a shutdown-ed router is still routing, but you could just as well have turned it really off.

Anyway, I've known for years that a router will keep on routing even when it has been shut down.

Anecdote: "ext2fs panic: cannot read block from disk" was on the console. The router was still functioning. A reboot killed the forwarding, and the sysop had to buy and install a new HD on short notice.

Note: It is not true that a warm reboot will not stop the machine from routing at all. From the moment that the BIOS kicks in ("xxx bios version xxx") to the moment that the routing rules are configured, the router will be "down". (About 30 seconds on a correctly configured Linux router.)

> # If you want the Linux halt in the normal case to shutdown your network
> # interfaces then ifconfig them down in the rc scripts.
>
> Which I have now done. I have also been told that there is a "-i" flag in
> shutdown that will ifconfig down all network interfaces before halt.

This is default on Red Hat.

Roger.

P.S. Subject closed.