Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:502 |
Message | MISC source route ssrr |
Summary | This event is generated when an IPv4 packet has the Strict Source and Record Route (SSRR) IP option set. |
Impact | Information could be gathered about network topology, and machines routing packets onto trusted links could be abused. |
Detailed Information | Strict source record routing specifies a series of machines which must be exclusively used in the routing of a datagram. This can be useful to map out routes à la the traceroute program by adding discovered intermediary routers one at a time. Furthermore, while a machine may normally be unreachable due to default gateways, a compliant router can be forced to hand off source-routed packets to an intermediary capable of speaking both to the outside world and target machines; the packet may then be forwarded on to its destination. |
Affected Systems | Any machine fully implementing RFC 791 set up as a router. |
Attack Scenarios | By incrementing the TTL of successive packets, the topology of routes to a host can be determined. Each compliant node along the way will reply with an ICMP Time Exceeded message bearing its address and the recorded route. |
Ease of Attack | Tools are readily available to employ source routing for the purpose of network discovery; the bounce attack described is unlikely to surface in a properly configured network. |
Corrective Action | Redesign network topologies so that routers are kept to a minimum; disable routing by other machines. To prevent network mapping, don't allow source-routed packets at all. |
Additional References | IP RFC: www.faqs.org/rfcs/rfc791.html |
Rule References | arachnids: 422 |
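The presence check described in the Summary, as an added example that is not Snort's or Aanval's code: a Python walk of the IPv4 options area that reports a Strict Source and Record Route option (type 137 in RFC 791) and the hops it lists. The names find_ssrr and build_header are hypothetical, and the header bytes are constructed test input.

```python
import ipaddress

# IPv4 option type octets defined in RFC 791
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def find_ssrr(packet: bytes):
    """Return the SSRR hop list if option 137 is present, [] if it is
    present but its route data is malformed, or None if it is absent."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not an IPv4 header
    ihl = (packet[0] & 0x0F) * 4         # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return None
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:              # end of option list
            break
        if kind == OPT_NOP:              # single-octet padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break                        # truncated: no length octet
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                        # bad length, stop walking
        if kind == OPT_SSRR:
            # layout: type, length, pointer, then 4-octet addresses
            route = opts[i + 3:i + length]
            if length < 3 or len(route) % 4:
                return []                # SSRR seen, route unusable
            return [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route), 4)]
        i += length                      # skip other options (e.g. LSRR)
    return None


def build_header(options: bytes) -> bytes:
    """Constructed input: a bare IPv4 header carrying the given options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = bytes([0x40 | ihl, 0, 0, 20 + len(options),
                   0, 0, 0, 0, 64, 1, 0, 0])
    # constructed source and destination (documentation address ranges)
    return fixed + bytes([192, 0, 2, 1, 198, 51, 100, 9]) + options
```

A non-None result corresponds to the condition this rule alerts on; a loose source route (type 131) is a different option and returns None here.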
--
DID:387179