Fri Dec 06, 2019 7:52 pm
As I understand it, it's really more misconfiguration than anything else. You have some remote network reachable over VPN. An attacker connected to your other interface (e.g. WAN, after conquering ISP's network) can send spoofed packets from remote network's range. And router will accept them, because why wouldn't it, that could be perfectly valid asymmetric routing config. If it's not, then there should be strict RP filter and problem solved.
Trouble is when you can't use strict RP filter, e.g. in multi-WAN config. There's loose one, but I'm not sure if it actually does anything useful. RouterOS manual says that it's RFC3704's Loose Reverse Path, but the description there is not very convincing. If I'm not misinterpreting the part about default route, it sounds like if there's one, it will allow everything. I'll have to test that, or someone who knows better can save me some time and tell me.
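A small model of the reverse-path checks discussed in the post above (strict, RFC 3704 loose, and RFC 3704 loose ignoring default routes), added here as an illustration; it is not part of the original post and does not reproduce RouterOS's implementation. The routing table, interface names and addresses are constructed, and the model assumes the check consults only a main table whose default route points at `wan1`, with `wan2`'s default held in a policy-routing table.

```python
import ipaddress

# Constructed main routing table (assumption): multi-WAN router with a VPN.
# wan2's default route is assumed to live in a policy table not consulted here.
ROUTES = [
    ("0.0.0.0/0", "wan1"),
    ("192.168.88.0/24", "lan"),
    ("10.20.0.0/16", "vpn"),   # remote network reachable over the VPN
]

def lookup(src, routes=ROUTES, ignore_default=False):
    """Interfaces of the longest-prefix-match route(s) back to src."""
    addr = ipaddress.ip_address(src)
    best_len, ifaces = -1, set()
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ignore_default and net.prefixlen == 0:
            continue
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, ifaces = net.prefixlen, {iface}
        elif net.prefixlen == best_len:
            ifaces.add(iface)
    return ifaces

def rpf_accepts(mode, src, in_iface):
    """True if a packet with source src arriving on in_iface passes the check."""
    if mode == "strict":            # best route must point back out in_iface
        return in_iface in lookup(src)
    if mode == "loose":             # any route at all, default included
        return bool(lookup(src))
    if mode == "loose-no-default":  # any route other than the default
        return bool(lookup(src, ignore_default=True))
    raise ValueError(f"unknown mode: {mode}")

def compare(src, in_iface):
    """Verdict of every mode for one packet."""
    modes = ("strict", "loose", "loose-no-default")
    return {m: rpf_accepts(m, src, in_iface) for m in modes}

if __name__ == "__main__":
    print("spoofed VPN-range source on wan1:", compare("10.20.1.5", "wan1"))
    print("internet source arriving on wan2:", compare("203.0.113.5", "wan2"))
    print("internet source arriving on wan1:", compare("203.0.113.5", "wan1"))
```

In this model both loose variants accept the VPN-range source on the WAN side, because a route to that prefix exists; only the strict check ties the source to the arrival interface, and it also rejects ordinary traffic arriving on `wan2`.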