GEN:SID 1:502
Message MISC source route ssrr
Summary This event is generated when an IPv4 packet set the strict source record
route IP option.
Impact Information could be gathered about network topology, and machines
routing packets onto trusted links could be abused.
Detailed Information Strict source record routing specifies a series of machines which must
be exclusively used in the routing of a datagram.  This can be useful to
map out routes ala the traceroute program by adding discovered
intermediary routers one at a time.  Furthermore, while a machine may
normally be unreachable due to default gateways, a compliant router can
be forced to hand off source routed packets to an intermediary capable
of speaking both to the outside world and target machines; the packet
may then be forwarded on to its destination.
Affected Systems Any machine fully implementing RFC 791 set up as a router.
Attack Scenarios By incrementing the TTL of successive packets, the topology of routes to
a host can be determined.  Each compliant node along the way will reply
with an ICMP Time Exceeded bearing their address and the recorded route.
Ease of Attack Tools are readily available to employ source routing for the purpose of
network discovery; the bounce attack described is unlikely to surface in
a properly configured network.
Corrective Action Redesign network topologies so that routers are kept to a minimum;
disable routing by other machines.  To prevent network mapping, don't
allow source-routed packets at all.
Additional References IP RFC:
www.faqs.org/rfcs/rfc791.html
Rule References arachnids: 422