North American Network Operators Group
Another question on rfc1918
The text below is from a 'security' list in reply to me questioning his statement, "Thus it is possible to route "private" address ranges."
I'd be interested in hearing comments from this group if it's on-topic.
Michael, let's take an example:
Attacker --- ISP1---cloud---ISP2---Target.Router---Target.Host
If I can source route a packet to ISP2 this will forward the packet via target.router to the target host. It does not matter that target.router filters source route. Most ISP routers (and I have seen configs for over 1000 of them and only seen source route blocked on fewer than 10 of these!) do not filter source routing (i.e. no "no ip source-route" entry). As a result, source routed packets float about the Internet.
Additionally, "most" ISPs do not have egress filters for private addressing. They allow these packets as a source address on packets.
Many tools (even NC - Netcat) support a source route option. This allows the attacker to select the path that is taken to the host and also the return path. So, setting the attack up, the attacker will source route to ISP2, which will be the last router outside the target's router. As this is a default gateway for the target, all packets are sent from it to the ISP unless egress filters are placed on Target.router.
Though the packets would normally "float" around the Internet until their TTL expires them, they have been source routed. As such, ISP2 will have a "memory" of where to send them if it received the packet. Now remember that all packets come out of target.router to ISP2. So all packets make it to ISP2.
Due to source routing, packets sent to ISP2 follow the reverse of the source route used to reach ISP2 and return to the attacker - even though they are using a "non-routed" address.
Source route allows the packets to follow a set path. It does not require the standard routing protocols and is thus dangerous. Source routing is used in a number of multicast protocols (still) and many are loath to disable it.
There are two primary types of source routing - Loose Source Routing and Strict Source Routing. I would suggest a read of RFC 791. In strict source routing, the sender specifies the exact route the packet must take. Have a read of: http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Source_Routing/default.htm
Clear as mud?
Quote: "Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC791."
Disclaimer 1. I do not do much work with ISPs these days and they may have cleaned up their act in the last 5 years - though I doubt it.
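As an added illustration (not part of the original post or the quoted reply), a small Python parser that walks the IPv4 option list defined in RFC 791 and reports any Loose (type 131) or Strict (type 137) source-route option, the kind of check a router ACL or IDS applies before deciding whether to drop such packets. The sample packets are constructed here with a zero header checksum and no payload.

```python
import struct
from ipaddress import IPv4Address

# RFC 791 option type octets: copied flag | class | number
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137
NAMES = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}

def parse_ipv4_options(pkt: bytes) -> list:
    """Return [(type, option body)] for every option in the IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        t = pkt[i]
        if t == OPT_EOL:               # end of option list
            break
        if t == OPT_NOP:               # single-octet padding
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option length octet missing")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append((t, pkt[i + 2:i + length]))
        i += length
    return opts

def find_source_routes(pkt: bytes) -> list:
    """Return [(name, pointer, [hop, ...])] for each LSRR/SSRR option found."""
    found = []
    for t, body in parse_ipv4_options(pkt):
        if t not in NAMES or not body:
            continue
        pointer = body[0]              # offset of the next hop to use (starts at 4)
        hops = [str(IPv4Address(body[k:k + 4])) for k in range(1, len(body) - 3, 4)]
        found.append((NAMES[t], pointer, hops))
    return found

def build_sample(opt_type: int, hops: list) -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus one source-route option."""
    route = b"".join(IPv4Address(h).packed for h in hops)
    opt = bytes([opt_type, 3 + len(route), 4]) + route
    opt += b"\x00" * (-len(opt) % 4)   # pad option list to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 0, 0, 64, 6, 0,
                      IPv4Address("192.0.2.1").packed, IPv4Address("198.51.100.7").packed)
    return hdr + opt
```

A filter that returns a non-empty list from `find_source_routes` is the programmatic equivalent of the "no ip source-route" setting the reply says most ISP routers lack.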