From owner-freebsd-security Fri Aug 25 8:25:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from web4705.mail.yahoo.com (web4705.mail.yahoo.com [216.115.105.205]) by hub.freebsd.org (Postfix) with SMTP id 0A36C37B443 for ; Fri, 25 Aug 2000 08:25:46 -0700 (PDT)
Message-ID: <20000825152545.26247.qmail@web4705.mail.yahoo.com>
Received: from [208.176.100.135] by web4705.mail.yahoo.com; Fri, 25 Aug 2000 08:25:45 PDT
Date: Fri, 25 Aug 2000 08:25:45 -0700 (PDT)
From: Kurt Wuensche
Subject: Re: Route strangeness
To: "tjk@tksoft.com"
Cc: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--- "tjk@tksoft.com" wrote:
> Kurt,
>
> 1. I presume you have a dialup connection with ppp.
> Can you detail your outside connections? I.e.
> do you also have a local LAN, etc..

Yes, it is ppp, but I have a fulltime-dedicated dialup connection. I have a local LAN w/ a class H address and a couple of machines on it that use the 2.2.5 box as a gateway. Been running this way for 2 years w/ no problems.

> 2. Do you have other routers on any of your local
> networks

No routers or gateways on my little LAN.

> 3. Did you try tcpdump while doing the pings, and while
> connecting with telnet? What did you see on the ppp
> interface? Did you see packets going to other interfaces?

Unfortunately I was at work when I did the "remote" ping and wasn't logged into the system to see tcpdump. Packets can still move on my LAN and to my gateway on the ISP.

> 4. Did you try "traceroute -n" to the router, and to the
> outside address?

Traceroute from outside shows the packets getting to the ISP gateway, but they time out when they should be returning from me. Traceroute from the 2.2.5 machine fails past the ISP gateway. Unfortunately I don't yet have logs of the exact error (can't remember if it was "no route to host" or just a timeout).

> 5. Do you have any firewalling enabled?

No firewalling is enabled.

> 6. Does your ISP have firewalling enabled? Badly configured
> smurf rules which block all ICMP packets, etc.
> misconfigurations?

They tell me they do not accept ICMP redirects. I do not know if they run a firewall, but they told me they have changed nothing on my setup since this problem started occurring.

I have been searching the archives, re-reading CERT, and still have not found reference to this type of attack, but since the system has been running solid for over two years and no routing or configuration changes have been made, I can only conclude that this is an attack; ppp bugs surely would have surfaced by now. The fact that it's happening to my friend with 2.2.8 further eliminates the possibility of bad hardware.

The fact that ping and traceroute time out, but a telnet login can occur after a two or three minute delay, tells me that basic routing must be intact.

As I mentioned, the problem is intermittent, but I am developing some time slice logging scripts to capture tcpdump/netstat -s/ping/traceroute messages so I can correlate the timing of any events here.

Thanks,
Kurt
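Kurt's closing paragraph describes "time slice" logging scripts that capture netstat -s, ping and traceroute output on a schedule so that the intermittent failures can be lined up against a timeline. The script below is an added example of that kind of snapshot logger; it is not Kurt's script and is not part of the original thread. The gateway and target addresses (documentation-range placeholders), the log directory and the default probe list are all assumptions to be replaced for a real link; a tcpdump capture is better run continuously in the background (for example `tcpdump -n -i ppp0 -w capture.pcap`) than once per cycle, so it is left out of the per-cycle probes.

```shell
#!/bin/sh
# netdiag.sh: hypothetical timestamped snapshot logger (added example, not from the thread).
# Each cycle runs every probe once, writes one file per probe named <UTC stamp>.<label>.log,
# and records the probe's exit status so failures can be correlated against the clock.

LOGDIR="${LOGDIR:-./netdiag-logs}"
GATEWAY="${GATEWAY:-192.0.2.1}"      # placeholder ISP gateway (TEST-NET-1), assumed
TARGET="${TARGET:-192.0.2.100}"      # placeholder outside host, assumed

# Probes, one per line, "label|command". Overridable through the environment.
PROBES="${PROBES:-stats|netstat -s
routes|netstat -rn
ping-gw|ping -c 3 -n $GATEWAY
trace|traceroute -n $TARGET}"

stamp() { date -u +%Y%m%dT%H%M%SZ; }

# snapshot DIR: run all probes once into DIR, print the timestamp used for the file names
snapshot() {
    dir="$1"; ts=$(stamp)
    mkdir -p "$dir"
    printf '%s\n' "$PROBES" | while IFS='|' read -r label cmd; do
        [ -z "$label" ] && continue
        out="$dir/$ts.$label.log"
        {
            printf '=== %s  %s  (%s)\n' "$ts" "$label" "$cmd"
            # run via sh -c so multi-word commands work; if/else keeps set -e from aborting
            if sh -c "$cmd" 2>&1; then rc=0; else rc=$?; fi
            printf '=== exit=%s\n' "$rc"
        } > "$out"
    done
    echo "$ts"
}

# failures DIR: list snapshot files whose probe exited nonzero, oldest first
failures() { grep -l '^=== exit=[1-9]' "$1"/*.log 2>/dev/null | sort; }

# run_cycles N [INTERVAL]: take N snapshots INTERVAL seconds apart (default 60)
run_cycles() {
    n="$1"; interval="${2:-60}"; i=0
    while [ "$i" -lt "$n" ]; do
        ts=$(snapshot "$LOGDIR")
        echo "cycle $i recorded at $ts in $LOGDIR"
        i=$((i + 1))
        [ "$i" -lt "$n" ] && sleep "$interval"
    done
}

# Usage: sh netdiag.sh 5 60   (five cycles, one minute apart); then: failures ./netdiag-logs
case "${1:-}" in
    [0-9]*) run_cycles "$1" "${2:-60}" ;;
esac
```

Running it from cron or a detached shell during the window when the link misbehaves gives a directory of files whose names carry the UTC time, and `failures` pulls out the probes that returned an error, which is what is needed to match a ping or traceroute timeout against the ISP's logs or the tcpdump capture.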