Ask the Expert

IP source routing and security issues

I want to make my Internet gateway as secure as possible. I remember someone telling me about source routing and how it is a common exploit. What is it and how do I handle it?
Router

    Requires Free Membership to View

software examines IP header options on every packet. There are IP header options Strict Source Route, Loose Source Route,...  ...Record Route, and Time Stamp, which are defined in RFC 791. If the software finds a packet with one of these options enabled, it performs the appropriate action. If it finds a packet with an invalid option, it sends an ICMP Parameter Problem message to the source of the packet and discards the packet.

IP provides a provision that allows the source IP host to specify a route through the IP network. This provision is known as source routing. Source routing is specified as an option in the IP header. If source routing is specified, the software forwards the packet according to the specified source route. This feature is employed when you want to force a packet to take a certain route through the network. The default is to perform source routing.

Some people like to use source routing to troubleshoot their network -- especially when routing is broken on their network.

As a general rule of thumb, if you are not using IP source routing, turn it off, as it is a well-known security vulnerability used in attacks against a system.


This was first published in April 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: