[Full-Disclosure] Linux problem, steal of IP and traffinc redirection could bypass a firewall

[NetExpress <NetExpress@xxxxxxxxxx>]

Hi, I am wondering why linux do not recognize if someone steal it's IP,

this could be a serious security problem.
infact linux, Instead of Windows and freebsd and other operative system,
when  boot or give up a virtual IP on an interface do not send gratious
arp but only ask for the gateway arp and than answer to the query for it's
IP.

Because of this, If I have a gateway, with IP IPA, and set a desktop/server
on the lan with the same ip IPA, when it start it will be the new gateway
for the all network.

but try:
- Suppose the gateway is in high availability, it will have phisical IP
and a logical IP the logical one is  known from the host of lan as default
gateway.
- Suppose to set a server/desktop with a virtual IP eth0:1 with the logical
IP of the real gateway,  send a broadcast arp, set ip_forward=1, and route
all the traffic to  the phisical IP of the original  gateway.
- Now there is a new gateway for all host on the net, and the real gateway
will trust (with the trust I have on my server) the traffic that I forward
to his because it come form a trusted real IP , 

With this  I have create a by-pass of the firewall!!! this is not good!,
I could se all traffic, make a man in the middle, see the database data
userid e password and so on.
But the worst is that if it happen on a DMZ I could create a big DOS, without
someone thinks the gateway IP has been steal form someother!

If linux would send a gratious arp when it give up an IP  real or virtaul
this problem will not be possible, because it could not bind a IP that is
already present on the net.


Alessandro Fiorenzi aka NetExpress

fiorenzi@xxxxxxxxxx
http://web.tiscali.it/Fiorenzi


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html