IRDP Security Vulnerability in Windows 9x
2003-03-29 (updated: 2019-05-22) by Philip
The ICMP Router Discovery Protocol (IRDP, RFC 1256) comes enabled by default on DHCP clients that are running MS Windows 9x, Windows ME and Windows 2000 machines. Using router discovery, clients dynamically discover routers and can switch to backup routers if a network failure or administrative change is needed. However, by spoofing IRDP Router advertisements, a potential attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server on Windows 9x/ME systems. The problem is not in IRDP itself, but rather that MS platforms use it even when DHCP is enabled and the DHCP setup specifies router information. To disable this vulnerability, you need to add the following entry to the Registry. This is intended for advanced users, please backup your Registry before making any changes.
Windows 9x / ME:
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesClassNetTrans00n (Where "000n" is your TCP/IP protocol. It contains "TCP/IP" assigned to the "DriverDesc" Value)
PerformRouterDiscovery="0" (DWORD value) Note: Although according to Microsoft's documentation the value should be DWORD, they have moved to string values for most TCP/IP related Registry entries in Windows 98, so the documentation on the value type could be wrong.
Windows 2000:
HKLMSYSTEMCurrentControlSetServicesTcpipParametersInterfacesinterface
PerformRouterDiscovery="0" (REG_DWORD, range 0,1,2, 0=disabled, 1=enabled, 2=enable only if DHCP sends the router discover option)
Note: IRDP support is disabled by default on NT4, and enabled on Windows 2000.
References:
MSKB 216141 - How to disable IRDP in Windows 9x