While maintaining a Solaris system, a colleague noticed some strange routes, for example:
root@HBapp
# netstat -r
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
101.1.41.3 101.19.2.51 UGHD 1 1
101.1.32.91 101.19.2.51 UGHD 1 1
……
When such a route is removed with route delete, it reappears shortly afterwards. man netstat explains the D flag:
…… and whether the route was created dynamically by a redirect (D).
So the D flag marks a route that was created dynamically by a redirect. Sun's SA399 describes this (7-26):
ICMP (Routing) Redirect
ICMP provides control and error messages. ICMP on a router or gateway
attempts to send reports of problems to the original source. ICMP
datagrams are always encapsulated in IP.
ICMP redirects occur when a system uses more than one default route. If
the router determines a more efficient route, or if there is only one way to
forward the datagram, it redirects the datagram using the better or only
route and reports that route to the sender. Figure 7-9 on page 7-27 shows
an ICMP redirect process where the sys21 system needs to communicate
with the server1 system and has a default route of sys11. The
information does reach the server1 system and the sys11 system sends
an ICMP redirect to the sys21 system, telling it that the best route to the
server1 system is through the instructor system.
The sending system’s route table is updated with the new information.
The drawback to this method of routing is that for every ICMP redirect,
there is a separate entry in the sending system’s route table. This action
can lead to a large route table. However, this method of routing also
ensures that the datagrams that are going to all reachable hosts are taking
the shortest route.
Caution – An attacker might forge redirect errors to install false routes,
which might initiate a denial of service attack if the newly specified router
is not a router at all. There are rules governing valid redirect errors, all of
which can be spoofed easily. Use this ndd command to ignore IPv4 ICMP
redirect errors: ndd -set /dev/ip ip_ignore_redirect 1.
Refer to the Sun BluePrints™ document Solaris Operating Environment
Network Settings for Security, available at:
http://www.sun.com/solutions/blueprints/1200/network-updt1.pdf.
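After discussing it with my colleague, we found that the behaviour was caused by ICMP.
We later found that this host's default gateway is 2.1, but the route to 101.1.32.91 goes through 2.51, which the host can reach directly, so the router generated an ICMP redirect message, as shown below:
root@HBapp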
# ping 101.1.32.91
ICMP Host redirect from gateway 101.19.2.1
to 101.19.2.51 for 101.1.2.91
101.1.32.91 is alive
This kind of redirect exists to reduce the load on the router, so it is normal.
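The following script is an added example, not part of the original post: it reads netstat -r output, lists the routes carrying the D flag, and reports any redirect gateway that is not a router you expect on the segment, which is the case the Caution above warns about. The function names, the sample table rows other than the two from the post, and the gateway 101.19.2.77 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list routes installed by ICMP redirects (D flag) and flag
# any whose gateway is not a router you expect on this segment.

# Constructed sample in the layout of the netstat -r output above. The two
# 101.19.2.51 rows are the ones from the post; the other rows are made up.
sample_routes() {
cat <<'EOF'
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
default              101.19.2.1           UG        1    120
101.19.2.0           101.19.2.10          U         1     45 hme0
101.1.41.3           101.19.2.51          UGHD      1      1
101.1.32.91          101.19.2.51          UGHD      1      1
101.1.7.20           101.19.2.77          UGHD      1      1
EOF
}

# Read netstat -r / netstat -rn output on stdin; print "destination gateway"
# for every row whose Flags column (field 3) contains D.
list_redirect_routes() {
    awk 'NF >= 5 && $3 ~ /^[A-Z]+$/ && $3 ~ /D/ { print $1, $2 }'
}

# unexpected_gateways ROUTER...: print "gateway count" for each redirect
# gateway that is not one of the routers named as arguments.
unexpected_gateways() {
    known=" $* "
    list_redirect_routes | awk '{ print $2 }' | sort | uniq -c |
    while read count gw; do
        case "$known" in
            *" $gw "*) ;;                 # expected router, nothing to report
            *) echo "$gw $count" ;;
        esac
    done
}

# Demo on the sample; on the host itself use:
#   netstat -rn | unexpected_gateways 101.19.2.1 101.19.2.51
sample_routes | unexpected_gateways 101.19.2.1 101.19.2.51
```

A gateway reported here deserves a look before the route is deleted; as the post observes, deleted entries come back on the next redirect unless the host is set to ignore redirects with the ndd command quoted above.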
This article comes from the ChinaUnix blog; to view the original, go to: http://blog.chinaunix.net/u/6098/showart_27354.html