GEN:SID | 1:500 |
Message | MISC source route lssr |
Summary | This event is generated when an IPv4 packet has the loose source record route IP option set. |
Impact | Information could be gathered about network topology, and machines routing packets onto trusted links could be abused. |
Detailed Information | Loose source record routing specifies a series of machines which must be used in the routing of a datagram. This can be useful to map out routes using the traceroute program by adding discovered intermediary routers one at a time. Furthermore, while a machine may normally be unreachable due to default gateways, a compliant router can be forced to hand off source routed packets to an intermediary capable of speaking both to the outside world and target machines; the packet may then be forwarded on to its destination. |
Affected Systems | Any machine fully implementing RFC 791 set up as a router. |
Attack Scenarios | By incrementing the TTL of successive packets, the topology of routes to a host can be determined. Each compliant node along the way will reply with an ICMP Time Exceeded bearing their address and the recorded route. |
Ease of Attack | Tools are readily available to employ source routing for the purpose of network discovery; the bounce attack described is unlikely to surface in a properly configured network. |
Corrective Action | Redesign network topologies so that routers are kept to a minimum; disable routing by other machines. To prevent network mapping, don't allow source-routed packets at all. |
Additional References | IP RFC: http://www.faqs.org/rfcs/rfc791.html
|
Rule References | url: www.microsoft.com/technet/security/bulletin/MS99-038.mspx
cve: 1999-0909
bugtraq: 646
arachnids: 418
|