COMMAND
kernel
SYSTEMS AFFECTED
Linux
PROBLEM
Miquel van Smoorenburg reported the following problem. Although it is
a feature of Linux (see above), it is a dangerous one.
A problem exists in IP Masquerade under Linux which allows
traffic to be passed to external networks even after the gateway
host has been halted. As long as a connection has been
established from an internal machine via the IP Masquerade
gateway to an external host and the Ethernet interfaces inside
the machine are still being supplied power, that connection will
stay online in a fully interactive state.
Even worse, that connection will stay online even if the IP
Masquerade gateway machine is rebooted. During a soft reboot,
the connection will stay online in a fully interactive state.
During a cold reboot, the connection will lose interactivity
until the IP Masquerade gateway machine comes back online. After
that, the connection will regain interactivity.
During an incoming or outgoing attack, systems administrators may
use the "kill switch" tactic to stop the attack and shut down the
gateway machine involved in the attack. This creates a false
sense of security with that systems administrator thinking that
the attack has been successfully stopped. In reality, the
connection in question is totally unaffected by the system
shutdown.
SOLUTION
Actually this is a feature. You can reboot a machine and not lose
most masqueraded connections. The Linux halt halts userspace. If
you want to down the network interfaces, put that in the rc files.
The latest halt and reboot of sysvinit (2.70) have a command line
switch "-i", which finds and shuts down all network interfaces.
If you get that one, and add a "-i" option to all calls to halt
and reboot in your init scripts, you're safe.
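As an added example (not from the advisory, nor from sysvinit itself), a small POSIX shell script that does what the solution describes from the defender's side: it takes every network interface down before the machine halts, and it audits an init script for halt/reboot calls that lack the "-i" switch. The sysfs-style interface directory, the iproute2 "ip" tool and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original advisory. Two defender-side
# helpers for the problem above: take every network interface down
# before the box halts, and audit init scripts for halt/reboot calls
# that lack the sysvinit "-i" switch. Assumes a sysfs-style directory
# of interface names (default /sys/class/net) and the iproute2 "ip" tool.

# Print interface names except loopback, one per line, sorted.
list_ifaces() {
    dir="${SYSFS_NET:-/sys/class/net}"
    for d in "$dir"/*; do
        [ -e "$d" ] || continue
        n=$(basename "$d")
        [ "$n" = "lo" ] && continue
        echo "$n"
    done | sort
}

# Bring each interface down so masqueraded flows cannot be forwarded
# once userspace is gone. With DRY_RUN=1 the commands are only printed.
down_all_ifaces() {
    for n in $(list_ifaces); do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "ip link set dev $n down"
        else
            ip link set dev "$n" down
        fi
    done
}

# Report halt/reboot invocations in an init script that carry no "-i"
# token, as "line:text". Comment lines are skipped. Returns 0 when the
# script is clean, 1 when at least one unguarded call was found.
audit_halt_calls() {
    hits=$(grep -nE '(^|[[:space:];&|])(/sbin/)?(halt|reboot)([[:space:]]|$)' "$1" \
           | grep -vE '^[0-9]+:[[:space:]]*#' \
           | grep -vE '(^|[[:space:]])-i([[:space:]]|$)') || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Typical use from a shutdown script (rc.halt or equivalent):
#   down_all_ifaces && halt -p
```

Running the audit over every script that calls halt or reboot before the cutover gives a quick check that no call was missed.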
People under attack pull out cables anyway - you don't know what
your compromised machine is also doing, or whether "halt" is now
part of a rootkit.