[Snort-sigs] Documentation (rule #500)

dank at ...1581... dank at ...1581...
Tue Jun 10 05:33:10 EDT 2003

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route
lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909;
reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)
An IPv4 packet set the loose source record route IP option.
Information could be gathered about network topology, and machines
routing packets onto trusted links could be abused.
Detailed Information:
Loose source record routing specifies a series of machines which must be
used in the routing of a datagram.  This can be useful to map out routes
ala the traceroute program by adding discovered intermediary routers one
at a time.  Furthermore, while a machine may normally be unreachable due
to default gateways, a compliant router can be forced to hand off source
routed packets to an intermediary capable of speaking both to the
outside world and target machines; the packet may then be forwarded on
to its destination.
Affected Systems:
Any machine fully implementing RFC 791 set up as a router.
Attack Scenarios:
By incrementing the TTL of successive packets, the topology of routes to
a host can be determined.  Each compliant node along the way will reply
with an ICMP Time Exceeded bearing their address and the recorded route.
Ease of Attack:
Tools are readily available to employ source routing for the purpose of
network discovery; the bounce attack described is unlikely to surface in
a properly configured network.
False Positives:
False Negatives:
Network discovery can be done using other means than source routing.
Corrective Action:
Redesign network topologies so that routers are kept to a minimum;
disable routing by other machines.  To prevent network mapping, don't
allow source-routed packets at all. 
Original author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
Additional References:
IP RFC:  www.faqs.org/rfcs/rfc791.html

More information about the Snort-sigs mailing list