[Snort-sigs] Documentation (rule #500)
dank at ...1581...
Tue Jun 10 05:33:10 EDT 2003
Rule:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route
lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909;
reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)
Summary:
An IPv4 packet was seen with the loose source and record route (LSRR)
IP option set.
Impact:
Information could be gathered about network topology, and a machine
that forwards source-routed packets onto a trusted link could be abused
to reach hosts that are otherwise unreachable from outside.
Detailed Information:
Loose source and record routing lists a series of routers through which
a datagram must pass; unlike strict source routing, other hops are
allowed between the listed ones, and each listed router records its own
address in the option as it forwards the packet. This can be used to map
out routes in the manner of the traceroute program, adding each newly
discovered intermediary router to the list one at a time. Furthermore,
while a machine may normally be unreachable because of the default
routes in use, a compliant router can be forced to hand a source-routed
packet to an intermediary that can speak both to the outside world and
to the target machines; that intermediary then forwards the packet on to
its destination.
Affected Systems:
Any machine fully implementing RFC 791 that is set up as a router.
Attack Scenarios:
By incrementing the TTL of successive source-routed packets, the
topology of the routes to a host can be determined. Each compliant node
along the way replies with an ICMP Time Exceeded message whose source
address identifies the node and whose quoted IP header carries the route
recorded so far.
Ease of Attack:
Tools are readily available to employ source routing for the purpose of
network discovery; the bounce attack described above is unlikely to work
against a properly configured network.
False Negatives:
Network discovery can be done by means other than source routing, which
this rule will not detect.
Corrective Action:
Redesign network topologies so that routers are kept to a minimum, and
disable IP forwarding on machines that are not meant to route. To
prevent network mapping, do not accept source-routed packets at all;
most host operating systems and routers offer a setting to drop packets
carrying the LSRR or SSRR option.
Contributors:
Original author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
Additional References:
IP RFC: www.faqs.org/rfcs/rfc791.html