GEN:SID 1:500
Message MISC source route lssr
Summary This event is generated when an IPv4 packet has the Loose Source and
Record Route (LSRR) IP option set.
Impact Information could be gathered about network topology, and machines
routing packets onto trusted links could be abused.
Detailed Information Loose source and record routing specifies a series of machines that
must be used in the routing of a datagram.  This can be useful to map out
routes using the traceroute program by adding discovered intermediary
routers one at a time.  Furthermore, while a machine may normally be
unreachable due to default gateways, a compliant router can be forced to
hand off source-routed packets to an intermediary capable of speaking both
to the outside world and to target machines; the packet may then be
forwarded on to its destination.
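The condition this event fires on can be checked by walking the IPv4 header options and looking for option type 131 (LSRR in RFC 791). The following is an added example, not Snort's own code; `find_lsrr`, `build_header` and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR = 0, 1, 131  # option types from RFC 791

def find_lsrr(packet: bytes):
    """Return (pointer, [route addresses]) if the IPv4 header carries LSRR,
    None if it does not; raise ValueError on a malformed header or option."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4          # IHL is in 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL")
    opts, i = packet[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:                    # end of option list
            break
        if kind == IPOPT_NOP:                    # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]                     # covers type and length bytes
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == IPOPT_LSRR:
            if length < 3:
                raise ValueError("LSRR without pointer byte")
            data = opts[i + 3:i + length]
            route = [str(ipaddress.IPv4Address(data[j:j + 4]))
                     for j in range(0, len(data) - len(data) % 4, 4)]
            return opts[i + 2], route
        i += length
    return None

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum left at 0), demo input only."""
    options += b"\x00" * (-len(options) % 4)     # pad options to 32 bits
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 17, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed) + options

# Constructed sample: NOP, then LSRR (length 11, pointer 4) with two hops.
HOPS = b"".join(ipaddress.IPv4Address(a).packed for a in ("203.0.113.1", "203.0.113.2"))
LSRR_PACKET = build_header(bytes([IPOPT_NOP, IPOPT_LSRR, 11, 4]) + HOPS)
```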
Affected Systems Any machine fully implementing RFC 791 set up as a router.
Attack Scenarios By incrementing the TTL of successive packets, the topology of routes to
a host can be determined.  Each compliant node along the way will reply
with an ICMP Time Exceeded bearing its address and the recorded route.
Ease of Attack Tools are readily available to employ source routing for the purpose of
network discovery; the bounce attack described is unlikely to surface in
a properly configured network.
Corrective Action Redesign network topologies so that routers are kept to a minimum;
disable routing by other machines.  To prevent network mapping, don't
allow source-routed packets at all.
Additional References IP RFC:
http://www.faqs.org/rfcs/rfc791.html
Rule References url: www.microsoft.com/technet/security/bulletin/MS99-038.mspx
cve: 1999-0909
bugtraq: 646
arachnids: 418