
RE: Default ip address out

From: David Gillett <gillettdavid(at)fhda.edu>
Date: Thu Aug 14 2003 - 13:19:04 EDT


  (As you can see, I had some trouble reading your message beyond the first line or two...)

  I recently had to dig into a case where the default route on a router was changing "by itself".

  The problem wasn't really with that router, but with one of its neighbors (a Cisco box), and an interaction between a couple of configuration options and some traffic we were receiving.

  The first problem was with this config:

 no ip redirects

which was missing from our interface configurations. Without this, if the router received any traffic that it routed back out the same interface, it would send an "ICMP redirect" message to the neighbour. The neighbour, seeing that a packet it forwarded elicited a redirect, updated the route table entry it had used, which in this case was the default.

  The second problem was

ip classless

  Looks harmless enough, but it means that any traffic to parts of our overall block for which we don't have a route will get forwarded to the default. (If we'd had "no ip classless", packets to our block without a route would be dropped.)

  (Note that the default gateway would see that the destination was within our address block, and hand it right back, back and forth until the packet's TTL expired. The changing default route was not really the only bad side effect!)

  This is what was causing some "inbound" packets to get redirected to the outbound default gateway. The fix for this was to add a static summary route black-holing anything not handled by a more explicit route.

  This all had appeared to work fine, until anything scanned our entire address space. Sooner or later, one of the scan packets would be trying for an unpopulated subnet, and that would trigger the redirect.

David Gillett

> -----Original Message-----



Received on Fri Aug 15 17:25:17 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:20 EDT
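
The forwarding behaviour described in the message above, modelled as an added example (not part of the original post or of any router's code). The address block, subnet and node names are constructed; the model assumes longest-prefix matching on the edge router and an upstream gateway that routes the whole block back to it.

```python
import ipaddress

BLOCK = ipaddress.ip_network("198.51.100.0/24")  # constructed stand-in for "our block"

def lookup(table, dst):
    """Longest-prefix match (the 'ip classless' behaviour); next hop or None."""
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def edge_table(blackhole):
    """Routing table of the edge router, with or without the summary discard route."""
    table = [
        (ipaddress.ip_network("198.51.100.0/26"), "LAN"),  # the only populated subnet
        (ipaddress.ip_network("0.0.0.0/0"), "UPSTREAM"),   # default route
    ]
    if blackhole:
        table.append((BLOCK, "NULL"))  # static summary route black-holing the rest
    return table

# The upstream gateway sees the destination inside our block and hands it back.
UPSTREAM_TABLE = [(BLOCK, "EDGE")]

def trace(dst, blackhole, ttl=16):
    """Follow a packet that arrives at EDGE from UPSTREAM.

    Returns (fate, hops, hairpin). hairpin is True when EDGE routed the packet
    back out the interface it arrived on, the condition under which a router
    without 'no ip redirects' sends an ICMP redirect.
    """
    dst = ipaddress.ip_address(dst)
    node, hops, hairpin = "EDGE", 0, False
    while ttl > 0:
        table = edge_table(blackhole) if node == "EDGE" else UPSTREAM_TABLE
        hop = lookup(table, dst)
        if hop == "LAN":
            return "delivered", hops, hairpin
        if hop in (None, "NULL"):
            return "dropped", hops, hairpin
        if node == "EDGE" and hop == "UPSTREAM":
            hairpin = True
        node, ttl, hops = hop, ttl - 1, hops + 1
    return "ttl-expired", hops, hairpin

if __name__ == "__main__":
    for bh in (False, True):
        print("blackhole route:", bh, trace("198.51.100.200", bh))
```

A scan packet aimed at an unpopulated subnet bounces between the two routers until its TTL runs out when the summary route is absent, and is discarded at the first lookup when it is present.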
