Internet Security Systems

IP source route

advICE : Intrusions : 2000013
Summary

An intruder is using "source routing" in order to break into the system.

Details

The "source routing" feature of TCP/IP allows the sender of network traffic to force the traffic to be routed through a certain point on the network. This is useful to intruders because it allows them to force packets to travel in unexpected directions.

For example, many organizations and home users use private addresses like 192.168.x.x. These addresses are not normally reachable on the Internet, yet intruders can still reach them by source routing through a machine that supports source routing.

False Positives

Some network management utilities employ source routing in order to map the network. You can set "trust" levels on the intrusion detection system in order to mask these events from those platforms.

Defense

Most systems allow source routing to be disabled. Follow the links below in order to implement this on your routers and end-nodes.

More information

BugtraqID: 646 - Microsoft Windows IP Source Routing Vulnerability

advICE: source routing
Explains the technical details behind source routing and how it can be used to attack the system.

q238453 - Data in Route Pointer Field Can Bypass Source Routing Disable
Describes a problem where an intruder can reach one interface on a machine by sending traffic to another interface using source routing. This applies even when "routing" is turned off.

Microsoft Security Bulletin (MS99-038): FAQ
Some questions/answers about this problem.

CVE-1999-0305 - BSD sysctl control does not properly restrict source routing.

Parametric information

route: The route is shown in the parameter field. It is likely that the attacker is one of the machines specified in that route.
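
As an added illustration (not ISS code), the following Python sketch shows how a sensor could recognize this event and recover the route reported in the parameter field: it walks the IPv4 header options looking for a loose (type 131) or strict (type 137) source route option as defined in RFC 791. The function names and the sample addresses are constructed for the example.

```python
import ipaddress
import struct

EOL, NOP, LSRR, SSRR = 0, 1, 131, 137  # IPv4 option types (RFC 791)

def find_source_route(packet: bytes):
    """Return (kind, pointer, hops) for the first source route option in an
    IPv4 header, or None. Raises ValueError if the header is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4          # IHL is in 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    opts, i = packet[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:                          # end of option list
            break
        if kind == NOP:                          # single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            if length < 3:
                raise ValueError("source route option too short")
            data = opts[i + 3:i + length]        # route data after the pointer
            hops = [str(ipaddress.IPv4Address(data[j:j + 4]))
                    for j in range(0, len(data) - len(data) % 4, 4)]
            return ("LSRR" if kind == LSRR else "SSRR", opts[i + 2], hops)
        i += length
    return None

def sample_packet(with_route: bool) -> bytes:
    """Constructed test header (checksum left at 0; it is not validated here)."""
    opts = b""
    if with_route:
        opts = bytes([NOP, LSRR, 11, 4]) + b"".join(
            ipaddress.IPv4Address(a).packed for a in ("192.0.2.1", "192.168.1.10"))
    total = 20 + len(opts)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | total // 4, 0, total, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address("203.0.113.5").packed,
                       ipaddress.IPv4Address("198.51.100.1").packed) + opts

if __name__ == "__main__":
    print(find_source_route(sample_packet(True)))   # source-routed header
    print(find_source_route(sample_packet(False)))  # ordinary header
```

The returned hop list corresponds to the route parameter, and the pointer value is included so an analyst can see how far along the route the packet claims to be.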
