North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Another question on rfc1918

  • From: Michael Painter
  • Date: Fri Nov 23 16:54:22 2007

The text below is from a 'security' list in reply to me questioning his statement, "Thus it is possible to route "private" address ranges."
I'd be interested in hearing comments from this group if it's on-topic.



Lets take an example:

Attacker --- ISP1---cloud---ISP2---Target.Router---Target.Host

If I can source route a packet to ISP2 this will forward the packet via
target.router to the target host. It does not matter that target.router
filters source route. Most ISP routers (and I have seen configs for over
1000 of them and only seen source route blocked on less then 10 of these!
[1]) do not filter source routing (ie no "no ip source-route" entry). As
a result, source routed packets float about the Internet.

Additionally, "most" ISPs do not have egress filters for private
addressing. They allow these packets as a source address on packets.

Many tools (even NC - Netcat) support a source route option. This allows
the attacker to select the path that is taken to the host and also the
return path. So setting the attack up the attacker will source route to
ISP2 which will be the last router outside the target's router. As this
is a default gateway for the target, all packets are sent from it to the
ISP unless egress filters are placed on Target.router.

Though the packets would normally "float" around the internet until
their TTL expires them, they have been source routed. As such, ISP2 will
have a "memory" of where to send them if it received the packet. Now
remember that all packets come out of target.router to ISP2. So all
packets make it to ISP2.

Due to source routing, packets sent to ISP2 follow the reverse of the
source route used to reach ISP2 and return to the attacker - even though
they are using a "non-routed" address.

Source route allows the packets to follow a set path. It does not
require the standard routing protocols and is thus dangerous. Source
routing is used in a number of multicast protocols (still) and many are
loath to disable it.

There are two primary types of source routing - Loose Source Routing and
Strict Source Routing. I would suggest a read of RFC 791. In strict
source routing, the sender specifies the exact route the packet must
take. Have a read of:

Clear as mud?


"Source routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection will take fails or is suboptimal for
some reason, or for network diagnostic purposes. For more information on
source routing, see RFC791."

[1] Disclaimer 1. I do not do much work with ISPs these days and they
may have cleaned up their act in the last 5 years - though I doubt it.