I recently ran into a site with several modules, each of which was forwarding packets. The worst case was at a rate of 1 every 2 seconds or so. Not very fast, you say, but there are 86,400 seconds in a day, so in one day that module could be forwarding 63 megabytes (86,400 / 2 × 1472)[1] of data out of your network from a “secure” server, or transferring 63 megabytes of hacking tools into your secure network.
However, in most cases forwarding packets is an indication of a configuration problem, not a security breach. For example, suppose that a module has two IP interfaces:
enet1 10.1.1.1 255.255.0.0
enet2 192.168.1.1 255.255.255.0
Let’s also assume that the default router is 192.168.1.254.
All hosts on the first network should have an IP address of the form 10.1.X.Y with a subnet mask of 255.255.0.0, but what if server_17, with IP address 10.1.1.17, is configured to use a subnet mask with more bits, say 255.255.255.0? It can still communicate with any host with an IP address of the form 10.1.1.X, so it may not notice a problem. BUT when it sends out an IP broadcast packet it addresses that IP packet to 10.1.1.255 instead of 10.1.255.255. The Ethernet frame encapsulating that packet has the Ethernet broadcast address as its destination, so the module’s Ethernet driver reads the frame and passes the packet to the IP driver. The IP driver looks at the IP address and determines that it is not addressed to enet1 or enet2 and is not 10.1.255.255, the broadcast address. If forwarding is turned on, the IP driver will try to forward the packet to the host with the IP address 10.1.1.255. If the module does not have an entry for 10.1.1.255 in its ARP cache it will transmit an ARP request. If it gets a reply (or it already has an entry) it will forward the packet to 10.1.1.255; if it does not get a reply it will drop the frame. The module may also send an ICMP routing redirect message indicating that the “router” is the host’s IP address.
What happens if server_17 uses a subnet mask with fewer bits, say 255.0.0.0? In this case the IP broadcast address it uses is 10.255.255.255. The IP driver decides that this is not an address on a network that it is connected to and forwards the packet to the default router 192.168.1.254. Not only are the module’s resources wasted but the router’s are as well. The same scenario plays out if you have two subnets in the same broadcast domain.
Finally, let’s revisit the security issue. Assume that secure server_S has an IP address of 10.1.1.100 and the correct subnet mask of 255.255.0.0. There are no routers on the 10.1.0.0 network, so how can industrial spy Eve send data from server_S to her employer out on the internet at 5.6.7.8? Simple: she just configures a host route on server_S so that any packets addressed to 5.6.7.8 are sent to 10.1.1.1. That is all it takes. The module will forward the packets to the default router and, assuming that IP address filtering is not done by the default router, it will forward the packets to the next router, etc., until they reach 5.6.7.8. There is no way for 5.6.7.8 to respond back to 10.1.1.100, but that is OK with Eve; she has other ways of confirming that the data is reaching her employer.
How can you tell if your module is forwarding packets, or at least configured to forward packets? The output from “netstat -statistics” will show you everything you need.
netstat -statistics
. . .
ip:
. . .
        1 ipforwarding (ON)
. . .
     3117 ipForwDatagrams
. . .
If the module is configured to forward packets the ipforwarding variable will be 1 and the label will be suffixed with (ON). If the module is actually forwarding packets the ipForwDatagrams counter will be incrementing. Note that the counter is incremented even if the packet is not actually transmitted because there is no ARP cache entry.
To turn off IP forwarding execute the command “>system>stcp>command_library>IP_forwarding off” (yes, the IP is in upper case). At this point netstat -statistics will show the ipforwarding variable to have a value of 2 and the label will be suffixed with (OFF). Note that the ipForwDatagrams variable is not reset; it will still show a positive value. Unfortunately, there is no way to clear the value.
netstat -statistics
. . .
ip:
. . .
        2 ipforwarding (OFF)
. . .
     3117 ipForwDatagrams
. . .
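As an added example (not part of the original post), here is a small checker that applies the two tests described above to a pair of netstat -statistics snapshots taken some time apart: ipforwarding equal to 1 means forwarding is enabled, a growing ipForwDatagrams counter means packets are actually being forwarded, and a counter that stands still after switching forwarding off is the expected result because STCP never resets it. The snapshots are constructed to mirror the output format shown on the page; the counter values are made up.

```python
import re

# Constructed snapshots in the format netstat -statistics prints (abbreviated to the
# ip: section, as on the page). Values are illustrative only.
SNAPSHOT_T0 = """\
ip:
. . .
        1 ipforwarding (ON)
. . .
     3117 ipForwDatagrams
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("3117", "3400")          # ten minutes later, still ON
SNAPSHOT_OFF = SNAPSHOT_T1.replace("1 ipforwarding (ON)",   # after IP_forwarding off
                                   "2 ipforwarding (OFF)")

FIELDS = ("ipforwarding", "ipForwDatagrams")
LINE_RE = re.compile(r"^\s*(\d+)\s+(ipforwarding|ipForwDatagrams)\b")


def parse_ip_stats(text):
    """Pull the two fields we care about out of a netstat -statistics dump."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    missing = [f for f in FIELDS if f not in stats]
    if missing:
        raise ValueError(f"fields not found in output: {missing}")
    return stats


def assess_forwarding(before, after):
    """Classify the module from two snapshots; returns (verdict, counter delta).

    1 = forwarding enabled, 2 = disabled (the STCP convention shown on the page).
    A negative delta means the counter went backwards (e.g. the module rebooted),
    so no conclusion about activity can be drawn from that pair.
    """
    b, a = parse_ip_stats(before), parse_ip_stats(after)
    delta = a["ipForwDatagrams"] - b["ipForwDatagrams"]
    if delta < 0:
        return "COUNTER_RESET", delta
    enabled = a["ipforwarding"] == 1
    if enabled and delta > 0:
        return "FORWARDING", delta        # enabled and actively relaying packets
    if enabled:
        return "ENABLED_IDLE", delta      # enabled but nothing forwarded in the interval
    return "DISABLED", delta              # off; a non-zero counter is just history
```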
One final word of caution: if forwarding is on and you turn it off and someone (other than Eve) is actually using the module as a router, you will break whatever they are doing. In my opinion this is not a bad thing, STCP was not designed to be a router, but be prepared for some complaints.
————-
Notes
[1] 1472 is the maximum number of bytes you could put into an ICMP echo packet transmitted over Ethernet.