Detecting Source Routing Attempts

Source routing is a technique supported by the IPv4 protocol by which an adversary can attempt to route packets through networks that would otherwise be inaccessible. Source routing options are carried in the options portion of the IP header, and Snort rule ID 500 detects loose source routing attempts with the ipopts IP header test:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:500; psad_id:100199; psad_dl:2;)

Because loose source routing directives can only be issued through IP options, psad can only detect this type of traffic if the iptables LOG rule is built with the --log-ip-options command-line argument. When iptables logs an IP packet that contains IP options, the log message includes the options as the argument to the OPT string, like OPT (830708C0A80A0300). According to RFC 791, the loose source routing option is defined as option number 131 (hex 83) and has a variable length. The following iptables log message contains an OPT string generated by an IP packet that contains the loose source routing option:

Jul 13 19:39:53 iptablesfw kernel: IN=eth1 OUT= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10096 OPT (830708C0A80A0300) PROTO=TCP SPT=3017 DPT=0 WINDOW=512 RES=0x00 URGP=0
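To make concrete what psad has to pull out of such a message, here is an added example (not psad's own code) that decodes the OPT (...) hex blob iptables writes under --log-ip-options and flags the loose (131) and strict (137) source-route options, the same header test sid 500 performs. The sample log line is constructed; only its OPT string is the one from the message above.

```python
import re
import socket

# IP option type bytes from RFC 791: 131 (0x83) LSRR, 137 (0x89) SSRR, 7 RR
IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 131, 137
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]+)\)")

# Constructed sample line; only the OPT string is taken from the page's message
SAMPLE_LOG = ("Jul 13 19:39:53 iptablesfw kernel: IN=eth1 OUT= SRC=10.0.0.5 "
              "DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10096 "
              "OPT (830708C0A80A0300) PROTO=TCP SPT=3017 DPT=0")

def parse_ip_options(hexstr):
    """Walk the options area logged by --log-ip-options and return a list
    of dicts: type, length and, for route options, pointer and hop list."""
    data = bytes.fromhex(hexstr)
    opts, i = [], 0
    while i < len(data):
        t = data[i]
        if t == IPOPT_EOL:          # end of option list; the rest is padding
            break
        if t == IPOPT_NOP:          # single-byte option with no length field
            i += 1
            continue
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed IP option at offset %d" % i)
        length = data[i + 1]
        opt = {"type": t, "length": length}
        if t in (IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR):
            body = data[i + 2:i + length]   # pointer byte, then 4-byte hops
            if not body:
                raise ValueError("route option without pointer byte")
            opt["pointer"] = body[0]
            opt["route"] = [socket.inet_ntoa(body[j:j + 4])
                            for j in range(1, len(body) - 3, 4)]
        opts.append(opt)
        i += length
    return opts

def source_route_alert(logline):
    """Return ('lsrr'|'ssrr', hops) when a source-route option is present in
    the OPT string, mirroring what ipopts:lsrr matches on; otherwise None."""
    m = OPT_RE.search(logline)
    if not m:
        return None
    for opt in parse_ip_options(m.group(1)):
        if opt["type"] == IPOPT_LSRR:
            return ("lsrr", opt["route"])
        if opt["type"] == IPOPT_SSRR:
            return ("ssrr", opt["route"])
    return None

if __name__ == "__main__":
    print(source_route_alert(SAMPLE_LOG))   # ('lsrr', ['192.168.10.3'])
```

The 0x83 0x07 0x08 prefix of the page's OPT string decodes as LSRR, length 7, pointer 8, followed by the single hop 192.168.10.3 and an end-of-options byte.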

psad notices the source routing attempt:

Jul 13 19:39:56 iptablesfw psad: src: signature match: "MISC source route lssr" (sid: 500) ip
