That is correct. "no ip redirects" will not stop a router from being
used as a proxy to bypass PVLAN restrictions. If a router is in a
promiscuous port, an attacker can set an ARP entry for the attack
target that is equal to the target IP address, and contains the MAC of
the router. The router will happily receive and forward those frames
to the target. However, the target may not be able to forward frames
back to the attacker. The fix for this is an ACL. For example, let's
assume all hosts are on 192.168.1.x.
int fa0/0
ip address 192.168.1.1 255.255.255.0
ip access-group NOPROXY in
ip access-list extended NOPROXY
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
deny ip any 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any
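To make the first-match behaviour of that ACL concrete, here is an added example (not part of the list posting above) that models IOS-style ACE matching (any / host / network-plus-wildcard, first match wins, implicit deny at the end) and runs the NOPROXY list over a few constructed packets arriving inbound on fa0/0. It also shows what happens if the "permit to the router itself" line is moved below the deny, which is the classic mistake when writing this kind of anti-proxy ACL. The packet tuples are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry, written the way the IOS ACL above reads."""
    action: str          # "permit" or "deny"
    src: str             # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    log: bool = False


def _match(spec: str, addr: str) -> bool:
    """Cisco-style address match: 'any', 'host X', or 'network wildcard'."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    # A wildcard bit of 1 means "don't care"; compare only the bits where it is 0.
    care = ~wildcard & 0xFFFFFFFF
    return (a & care) == (net & care)


def evaluate(acl, src: str, dst: str):
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, ace.log
    return "deny", False


# The NOPROXY list from the message above, transcribed entry by entry.
NOPROXY = [
    Ace("permit", "192.168.1.0 0.0.0.255", "host 192.168.1.1"),
    Ace("deny",   "any",                   "192.168.1.0 0.0.0.255", log=True),
    Ace("permit", "192.168.1.0 0.0.0.255", "any"),
]

# Same entries with the gateway permit moved below the deny (a common mistake).
MISORDERED = [NOPROXY[1], NOPROXY[0], NOPROXY[2]]

# Constructed sample packets seen inbound on fa0/0 (source, destination).
SAMPLE = [
    ("192.168.1.10", "192.168.1.1"),   # host talking to its own gateway
    ("192.168.1.10", "192.168.1.20"),  # same-subnet packet handed to the router's MAC: the proxy attempt
    ("192.168.1.10", "10.0.0.5"),      # ordinary off-subnet traffic
    ("10.9.9.9",     "192.168.1.20"),  # spoofed off-subnet source aimed back into the subnet
]


def classify(acl=NOPROXY, packets=SAMPLE):
    """Map each (src, dst) pair to the ACL verdict it receives."""
    return {(s, d): evaluate(acl, s, d)[0] for s, d in packets}


def logged_hits(acl=NOPROXY, packets=SAMPLE):
    """Return the packets that would produce a log entry (the 'deny ... log' line)."""
    return [(s, d) for s, d in packets if evaluate(acl, s, d)[1]]


if __name__ == "__main__":
    for pkt, verdict in classify().items():
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} {verdict}")
    print("logged:", logged_hits())
    print("gateway traffic with misordered ACL:",
          evaluate(MISORDERED, "192.168.1.10", "192.168.1.1")[0])
```

The second packet is the one the thread is about: it is on the same subnet as its destination, so it should never need the router, and the deny line catches it (and logs it, which is what you want to watch for on a promiscuous port). The first ACE matters as much as the deny: with MISORDERED, hosts can no longer reach 192.168.1.1 itself, so pings to the gateway and any management traffic to the router would be dropped too.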
On Sun, Sep 19, 2010 at 8:34 PM, Tiago Lousada Soares
<tiagolousadasoares_at_gmail.com> wrote:
> Hi,
>
> I think that the "no ip redirects" just stops the router from sending ICMP
> ip redirects to the sender of the packet, it won't stop the traffic going
> through. At least that is my understanding of the command and its
> functionality. But maybe someone else can shed more light into the subject.
>
> Check the command reference:
>
> http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1081518
>
> HTH,
>
> Tiago
>
> On Sat, Sep 18, 2010 at 6:42 PM, eseosa <eseosa.ehiwe_at_gmail.com> wrote:
>
>> Proxy attack is an attempt to bypass a PVLAN implementation so if a
>> question says we should stop this attack , the solutions recommended
>> by Yusuf Bhaiji is that we use an acl that denies any packet with
>> same source and destination ip address of the subnet in question or
>> DHCP snooping on the switch .
>>
>> I was thinking no ip redirects on the router interface should suffice
>> as well, even though it is overkill.
>>
>> Correct me if I am wrong.
>>
>> --
>> Warm Regards,
>>
>> Eseosa
>> CCIE #23782
>> Before God we are all equally wise - and equally foolish.
>> Albert Einstei
Received on Mon Sep 20 2010 - 05:28:22 ART