[Snort-sigs] Documentation (#502)

dank at ...1581...
Tue Jun 10 05:33:12 EDT 2003

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:1;)
An IPv4 packet set the strict source record route IP option.
Information could be gathered about network topology, and machines
routing packets onto trusted links could be abused.
Detailed Information:
Strict source record routing specifies a series of machines which must be
exclusively used in the routing of a datagram.  This can be useful to map
out routes a la the traceroute program by adding discovered intermediary
routers one at a time.  Furthermore, while a machine may normally be
unreachable due to default gateways, a compliant router can be forced to
hand off source routed packets to an intermediary capable of speaking both
to the outside world and target machines; the packet may then be forwarded
on to its destination.
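The rule above fires on the ipopts:ssrr test, i.e. on the presence of the strict source and record route option (type 137) in the IPv4 header. The following added example (not Snort's code and not part of the original post) shows what that check amounts to: a small IPv4 options walker that reports which of the rr/lsrr/ssrr options a packet carries, decodes the recorded route, and rejects malformed option lists instead of skipping them. The packets and the 192.0.2.0/24 addresses are constructed test input.

```python
import struct

# IPv4 option type codes from RFC 791, section 3.1 (the "copied" flag and
# option class are folded into the type byte, so LSRR/SSRR are > 128).
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no operation (padding)
IPOPT_RR = 7       # record route
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

# Names as used by the Snort ipopts keyword.
OPTION_NAMES = {IPOPT_RR: "rr", IPOPT_LSRR: "lsrr", IPOPT_SSRR: "ssrr"}


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(type, data), ...] for the options carried in an IPv4 header.
    Raises ValueError for a truncated or malformed header so the caller can
    treat the packet as suspicious rather than silently passing it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options = packet[20:ihl]
    found = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found.append((kind, bytes(options[i + 2:i + length])))
        i += length
    return found


def ipopts(packet: bytes) -> set:
    """Set of Snort-style option names present in the packet (rr, lsrr, ssrr)."""
    return {OPTION_NAMES[k] for k, _ in parse_ipv4_options(packet) if k in OPTION_NAMES}


def matches_sid_502(packet: bytes) -> bool:
    """The rule's 'ipopts:ssrr' test: fire on any packet carrying SSRR."""
    return "ssrr" in ipopts(packet)


def route_hops(data: bytes) -> list:
    """Decode the route data of an RR/LSRR/SSRR option: a one-byte pointer
    followed by a list of 4-byte addresses, returned in dotted-quad form."""
    addrs = data[1:]
    return [".".join(str(b) for b in addrs[k:k + 4])
            for k in range(0, len(addrs) // 4 * 4, 4)]


def build_packet(options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal IPv4 header (checksum left zero) between
    two documentation addresses, with the option bytes padded to a 4-byte
    boundary as RFC 791 requires."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload


# Constructed samples: SSRR with two hops (pointer 4 = first hop), LSRR with
# one hop, and a packet with no options at all.
SSRR_OPTION = bytes([IPOPT_SSRR, 11, 4]) + bytes([192, 0, 2, 10]) + bytes([192, 0, 2, 20])
SSRR_PACKET = build_packet(SSRR_OPTION)
LSRR_PACKET = build_packet(bytes([IPOPT_LSRR, 7, 4]) + bytes([192, 0, 2, 10]))
PLAIN_PACKET = build_packet()

if __name__ == "__main__":
    for name, pkt in [("ssrr", SSRR_PACKET), ("lsrr", LSRR_PACKET), ("plain", PLAIN_PACKET)]:
        print(name, sorted(ipopts(pkt)), "alert" if matches_sid_502(pkt) else "pass")
```

Only the SSRR sample trips matches_sid_502; the LSRR sample is the same class of traffic and is worth a sibling check if the goal is the "don't allow source-routed packets at all" stance in the Corrective Action section. On Linux hosts the equivalent end-system control is the net.ipv4.conf.all.accept_source_route sysctl set to 0, which makes the kernel drop such datagrams rather than forward them.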
Affected Systems:
Any machine fully implementing RFC 791 set up as a router.
Attack Scenarios:
By incrementing the TTL of successive packets, the topology of routes to
a host can be determined.  Each compliant node along the way will reply
with an ICMP Time Exceeded bearing its address and the recorded route.
Ease of Attack:
Tools are readily available to employ source routing for the purpose of
network discovery; the bounce attack described is unlikely to surface in
a properly configured network.
False Positives:
False Negatives:
Network discovery can be done using other means than source routing.
Corrective Action:
Redesign network topologies so that routers are kept to a minimum;
disable routing by other machines.  To prevent network mapping, don't
allow source-routed packets at all.
Original author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
Additional References:
IP RFC:  www.faqs.org/rfcs/rfc791.html

nick black <dank at ...1582...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo
