Unecpected change default route in 9.0, 8.2

Radek Krejča radek.krejca at starnet.cz
Mon Dec 17 12:38:08 UTC 2012 

Hi, I have diskless routers, on one of theese I have problem, that default gate is changing. 

Image is clean and updated. There is no route daemon, no snmp, dhclient isnt running.

Whith resarch in cooperation in chzech bsd mailing list I get following things:

Ifconfig of this machine is:

ifconfig -a:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:25:90:a1:f5:a9
        inet 178.255.168.19 netmask 0xfffff800 broadcast 178.255.175.255
        inet6 fe80::225:90ff:fea1:f5a9%em0 prefixlen 64 scopeid 0x1
        inet6 2a02:768:0:4000::19 prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:25:90:a1:f5:a8
        inet6 fe80::225:90ff:fea1:f5a8%em1 prefixlen 64 scopeid 0x3
        inet 10.1.11.1 netmask 0xfffffffc broadcast 10.1.11.3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
vlan304: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:25:90:a1:f5:a8
        inet 10.219.11.97 netmask 0xffffffe0 broadcast 10.219.11.127
        inet6 fe80::225:90ff:fea1:f5a8%vlan304 prefixlen 64 scopeid 0xb4
        inet 10.9.114.1 netmask 0xfffffffc broadcast 10.9.114.3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 304 parent interface: em1

After attack isnot affected. Ip of machine is 178.255.168.19, default route is 178.255.168.254. 
netstat -nr|less
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            178.255.168.254    UGS         0  8766645    em0

After change look like this:

netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            189.71.208.123     UGS         1 1184931064    em0

This is example, ip of gateway is random.

route monitor tells (there is other ip, route monitor runs later, on other attack).

got message of size 192 on Mon Dec 17 13:19:20 2012
RTM_DELETE: Delete Route: len 192, pid: 21546, seq 1, errno 0, flags:<GATEWAY,DONE,STATIC>
locks:  inits:
sockaddrs: <DST,GATEWAY,NETMASK>
 default 175.139.119.60 default

Is possilble, that icmp redirect can change default route? No other user, than me, are logged to system.

Thank you
Radek

More information about the freebsd-questions mailing list