[Snort-sigs] Documentation (#502)

dank at ...1581... dank at ...1581...
Tue Jun 10 05:33:12 EDT 2003


----------------------------------------
Rule:  
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route
ssrr"; ipopts: ssrr ;reference:arachnids,422; classtype:bad-unknown;
sid:502; rev:1;)
--
Sid:
502
--
Summary:
An IPv4 packet set the strict source record route IP option.
--
Impact:
Information could be gathered about network topology, and machines
routing packets onto trusted links could be abused.
--
Detailed Information:
Strict source record routing specifies a series of machines which must be
exclusively used in the routing of a datagram.  This can be useful to map
out routes a la the traceroute program by adding discovered intermediary
routers one at a time.  Furthermore, while a machine may normally be
unreachable due to default gateways, a compliant router can be forced to
hand off source routed packets to an intermediary capable of speaking both
to the outside world and target machines; the packet may then be forwarded
on to its destination.
--
Affected Systems:
Any machine fully implementing RFC 791 set up as a router.
--
Attack Scenarios:
By incrementing the TTL of successive packets, the topology of routes to
a host can be determined.  Each compliant node along the way will reply
with an ICMP Time Exceeded bearing its address and the recorded route.
--
Ease of Attack:
Tools are readily available to employ source routing for the purpose of
network discovery; the bounce attack described is unlikely to surface in
a properly configured network.
--
False Positives:
None
--
False Negatives:
Network discovery can be done using other means than source routing.
--
Corrective Action:
Redesign network topologies so that routers are kept to a minimum;
disable routing by other machines.  To prevent network mapping, don't
allow source-routed packets at all.
--
Contributors:
Original author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
-- 
Additional References:
IP RFC:  www.faqs.org/rfcs/rfc791.html
----------------------------------------

-- 
nick black <dank at ...1582...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo
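As an added illustration (not part of this post or of the Snort rule set): a small Python parser that walks the IPv4 option area and flags the strict source route option (type 137), which is the check the `ipopts: ssrr` keyword in the rule above performs. The packet builder, addresses and sample packets are constructed test data, not captured traffic.

```python
import ipaddress
import struct

# IPv4 option type bytes (RFC 791): copied/class/number packed into one byte
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137   # 0x07, 0x83, 0x89
ROUTE_OPTS = {IPOPT_RR: "rr", IPOPT_LSRR: "lsrr", IPOPT_SSRR: "ssrr"}

def parse_ip_options(packet: bytes) -> list[dict]:
    """Walk the option area (bytes 20 .. IHL*4) and return one dict per option."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == IPOPT_EOL:          # end of option list, rest is padding
            break
        if kind == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        entry = {"type": kind, "name": ROUTE_OPTS.get(kind, f"opt{kind}")}
        if kind in ROUTE_OPTS:
            # route options: a pointer byte followed by 4-byte addresses
            entry["pointer"] = packet[i + 2]
            entry["route"] = [str(ipaddress.IPv4Address(packet[j:j + 4]))
                              for j in range(i + 3, i + length - 3, 4)]
        opts.append(entry)
        i += length
    return opts

def matches_ssrr(packet: bytes) -> bool:
    """Equivalent of the rule's `ipopts: ssrr` test: is an SSRR option present?"""
    return any(o["type"] == IPOPT_SSRR for o in parse_ip_options(packet))

def build_packet(options: bytes, src="192.0.2.10", dst="198.51.100.5") -> bytes:
    """Constructed sample: minimal IPv4 header plus options, padded to 32-bit words."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                      64, 1, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options

# constructed samples: one SSRR packet with a single hop, one with no options
SSRR_PKT = build_packet(bytes([IPOPT_SSRR, 7, 4]) + ipaddress.IPv4Address("10.0.0.1").packed)
PLAIN_PKT = build_packet(b"")
```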