src route


  • 8/14/2019 src route


    Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security
    From: [email protected] (Tom Fitzgerald)
    Subject: Re: Source Routing
    Organization: Wang Labs, Billerica MA, USA
    Date: Wed, 6 Sep 1995 19:17:34 GMT
    Message-ID:
    References:
    Sender: [email protected]
    Nntp-Posting-Host: fnord.wang.com
    Lines: 39
    Status: RO

    Postmaster writes:

    > How does source routing work?
    > As I understand it you specify it as an option in IP but I do not
    > understand what the record feature is for.

    When the packet gets to the final destination, the record can tell you a
    little more about which interface the packet came into for each router in
    the path. It's not terribly valuable (since you've already told the packet
    which routers to go through), but it can give you a little more information
    about which of several redundant paths was used.....

    > Also I may be associating this
    > technique with IP spoofing, if so where does the spoofing come into it?

    Source-routing is used to let you see responses during a spoofing attack.
    (This is normally impossible because responses aren't going to you, they're
    going to the system you're pretending to be). If you're launching an
    attack against system V from system H, you can spoof all your traffic to
    look as though it came from system S, by manufacturing each packet with
    source=S, destination=V and a source-route that makes it look like it has
    passed through H on its way. For lots of protocols, V is supposed to use
    the reverse of the source-route for all its responses, so H can see the
    responses on the way back. This is a big advantage.

    > When someone ICMP Bombs you how are they to bomb your host as
    > I always thought that it was the source that reported whether a
    > host is unreachable? But an ICMP bomber can make a destination
    > unreachable.. how?

    Your assumption isn't exactly right - a router sends an ICMP unreachable
    when the destination of a packet can't be reached. The router is the
    source of the ICMP, and it's sent to the original source of the packet that
    couldn't be delivered. You bomb a host by forging ICMP-unreachables.
    (Recent standards like RFC 1122 prevent bombs from working as well as they
    used to.)

    --
    Tom Fitzgerald   1-508-967-5278   Wang Labs, Billerica MA, USA   [email protected]

    Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security
    From: [email protected] (Vernon Schryver)
    Subject: Re: Source Routing
    Message-ID:
    Organization: Rhyolite Software
    Date: Thu, 7 Sep 1995 01:01:17 GMT
    References:
    Status: RO

    In article [email protected] (Tom Fitzgerald) writes:
    >Postmaster writes:
    >
    >> How does source routing work?
    >> As I understand it you specify it as an option in IP but I do not
    >> understand what the record feature is for.
    >
    >When the packet gets to the final destination, the record can tell you a
    >little more about which interface the packet came into for each router in
    >the path. It's not terribly valuable (since you've already told the packet
    >which routers to go through), but it can give you a little more information
    >about which of several redundant paths was used.....

    Not so if you have not used source routing or have only used loose
    source routing. In those cases, as with `ping -R`, record-route is
    very useful. `ping -R` can give information otherwise not available
    about the return path. `traceroute -g` can also tell you about the
    return path, but only when the IP source route option works.

    >> Also I may be associating this
    >> technique with IP spoofing, if so where does the spoofing come into it?
    >
    >Source-routing is used to let you see responses during a spoofing attack.
    >(This is normally impossible because responses aren't going to you, they're
    >going to the system you're pretending to be).

    Only if the system grabs the IP options it receives and uses them
    on its own transmissions. Some systems do that, but others do not.

    > If you're launching an
    >attack against system V from system H, you can spoof all your traffic to
    >look as though it came from system S, by manufacturing each packet with
    >source=S, destination=V and a source-route that makes it look like it has
    >passed through H on its way. For lots of protocols, V is supposed to use
    >the reverse of the source-route for all its responses, so H can see the
    >responses on the way back. This is a big advantage.
    > ...

    "Lots of protocols" sounds wrong. We have only TCP and UDP to worry about.
    Perhaps "protocols" referred to application layer protocols. If so,
    the major applications can be compiled to ignore received IP options,
    if the operating system does normally turn them around.
    Also, you could easily modify inetd or equivalent to dump the received
    IP options.

    Vernon Schryver [email protected]

    From: [email protected] (Nate Lawson)
    Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security
    Subject: Re: Source Routing
    Date: 7 Sep 1995 23:52:22 -0700
    Organization: Elite Networking (Merced, CA)
    Lines: 27
    Message-ID:
    References:
    NNTP-Posting-Host: [email protected]: RO

    Mike Edulla wrote:
    >Postmaster ([email protected]) wrote:
    >: How does source routing work?
    >
    >: As I understand it you specify it as an option in IP but I do not
    >: understand what the record feature is for. Also I may be associating this
    >: technique with IP spoofing, if so where does the spoofing come into it?
    >
    >: Is it when you add your route?
    >
    >The record route option is to record the route a packet is taking, it is
    >used by (I think) the traceroute program, which is probably why traceroute
    >is suid root.

    No. It's setuid root so it can change the TTL field in the IP header. This
    requires opening a raw socket, which requires root.

    >strict and loose source routing are, as you say, in the options field. If I
    >remember correctly, you have the routing code, the length, and a pointer to
    >the start of the routing data.

    Neither of these require privileges. Just do a setsockopt() on your fd.

    --
    | Nate Lawson    Elite Networking Admin    Merced, CA Area's first Internet |
    | [email protected]    (209) 357-4900    Provider.. finger [email protected] |
    -----------------------------------------------------------------------------

    From: [email protected] (Jochen Kaiser)
    Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security
    Subject: Re: Source Routing
    Date: 8 Sep 1995 07:55:39 GMT
    Organization: University of Erlangen, Germany
    Lines: 37
    Message-ID:
    References:
    NNTP-Posting-Host: rrzem.rrze.uni-erlangen.de
    Status: RO

    In [email protected] (Mike Edulla) writes:

    >: How does source routing work?

    >The record route option is to record the route a packet is taking, it is
    >used by (I think) the traceroute program, which is probably why traceroute
    >is suid root.

    No ! The Record Route Option is used by most ping implementations
    when you supply the "-R" Option. Because the record route option
    offers only place for 9 IP-Addresses in the IP-Header the traceroute
    cannot make use of it. Traceroute uses ICMP messages with a
    varying TTL (time to live) - field.
    The traceroute Program works as follows:
    When you want the route to a host several hops away,
    the traceroute sends out an ICMP-Message with a TTL of 1 to that
    host. The first router on the way gets this message and sees the
    tiny little TTL. It's an internet standard that TTL of 1 must
    not be forwarded. That's why the router throws away the packet
    and sends back an ICMP - time-exceeded message.
    The traceroute program gets the ICMP-time-exceeded message and
    sends out a next ICMP - Message to the host with a TTL of 2
    which passes the first router and is decremented by it by one and
    passed to the next hop. This hop sees a TTL of 1 and sends back
    another ICMP-time-exceeded message .... and so on.
    The traceroute program collects these messages and gives the user
    one (!) possible route to that host.

    Ciao
    Jochen

    --
    Jochen Kaiser [email protected] Terminal-Server [email protected] Rechenzentrum Universitaet Erlangen-Nuernberg

    From: [email protected] (Matthew Wojcik)
    Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security
    Subject: Re: Source Routing
    Date: 08 Sep 1995 14:05:04 GMT
    Organization: College of CS, Northeastern University
    Lines: 60
    Message-ID:
    References:
    NNTP-Posting-Host: k2.ccs.neu.edu
    In-reply-to: [email protected]'s message of 8 Sep 1995 07:55:39 GMT
    Status: RO

    >>>>> "Jochen" == Jochen Kaiser writes:

    Jochen> In [email protected] (Mike Edulla)
    Jochen> writes:
    >> : How does source routing work?

    >> The record route option is to record the route a packet is taking, it is
    >> used by (I think) the traceroute program, which is probably why traceroute
    >> is suid root.

    Jochen> No ! The Record Route Option is used by most ping implementations when
    Jochen> you supply the "-R" Option. Because the record route option offers
    Jochen> only place for 9 IP-Addresses in the IP-Header the traceroute cannot
    Jochen> make use of it. Traceroute uses ICMP messages with a varying TTL (time
    Jochen> to live) - field. The traceroute Program works as follows: When you
    Jochen> want the route to a host several hops away, the traceroute sends out
    Jochen> an ICMP-Message with a TTL of 1 to that host. The first router on the
    Jochen> way gets this message and sees the tiny little TTL. It's an internet
    Jochen> standard that TTL of 1 must not be forwarded. That's why the router
    Jochen> throws away the packet and sends back an ICMP - time-exceeded message.
    Jochen> The traceroute program gets the ICMP-time-exceeded message and sends
    Jochen> out a next ICMP - Message to the host with a TTL of 2 which passes
    Jochen> the first router and is decremented by it by one and passed to the
    Jochen> next hop. This hop sees a TTL of 1 and sends back another
    Jochen> ICMP-time-exceeded message .... and so on. The traceroute program
    Jochen> collects these messages and gives the user one (!) possible route to
    Jochen> that host.

    Mostly right. Traceroute actually sends out UDP datagrams to find a route,
    however, and not ICMP messages. The destination UDP port is set to an
    unlikely value so the final destination host won't process the packet, but
    will instead send back an ICMP port unreachable message. When it gets a port
    unreachable, it knows it has reached the destination host.

    UDP datagrams are sent out rather than, say, ICMP echo request messages
    because an ICMP port unreachable message sends back 8 bytes of the data from
    the IP datagram that caused the ICMP error. In this case, those 8 bytes are
    the UDP header. Van Jacobson uses a hack: the source UDP port in the messages
    traceroute sends out is actually used by his code as an identifier, to allow
    more than one user to run traceroute at the same time. Another hack in the
    same vein: he increments the destination port with each message to keep track
    of what hop he's on. (These are obviously on the order of "very clever"
    rather than "awful" hacks).

    traceroute makes some of the cleverest use of various ICMP messages I can
    imagine. Understand what's going on with traceroute, and you'll be a lot
    closer to knowing what's really happening when you send information across the
    Internet (or on any tcp/ip network), which is doubtless why Rich Stevens
    devotes all of chapter 8 of TCP/IP Ill. Vol 1 to it.

    Jochen> Ciao Jochen

    Jochen> -- Jochen Kaiser [email protected] Betreuung
    Jochen> Terminal-Server [email protected] Regionales
    Jochen> Rechenzentrum Universitaet Erlangen-Nuernberg

    --
    The Woj   Matthew Wojcik   [email protected]   Systems Group   [email protected]
    College of Computer Science, Northeastern University
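
The bookkeeping described in the post above, where the UDP header quoted inside an ICMP error tells traceroute which probe was answered, can be shown with a short parser. This Python code is an added example, not traceroute's own source; the base port 33434, the function names and the identifier value are assumptions, and the sample ICMP messages are constructed.

```python
import struct

BASE_PORT = 33434   # assumed base destination port; not stated in the thread
ICMP_TIME_EXCEEDED, ICMP_UNREACH, CODE_PORT_UNREACH = 11, 3, 3

def match_probe(icmp: bytes, ident: int, base_port: int = BASE_PORT):
    """Map an ICMP error to one of our UDP probes.

    Returns ("hop" | "destination", probe_number), or None when the message
    does not quote a probe sent with source port `ident`.
    """
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code = icmp[0], icmp[1]
    quoted = icmp[8:]                      # original IP header + 8 data bytes
    if quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4           # quoted header may carry IP options
    if ihl < 20 or len(quoted) < ihl + 8 or quoted[9] != 17:   # 17 = UDP
        return None
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", quoted[ihl:ihl + 8])
    if sport != ident or dport < base_port:
        return None                        # another user's traceroute, or noise
    probe = dport - base_port              # destination port encodes the probe
    if icmp_type == ICMP_TIME_EXCEEDED and code == 0:
        return ("hop", probe)              # an intermediate router answered
    if icmp_type == ICMP_UNREACH and code == CODE_PORT_UNREACH:
        return ("destination", probe)      # the final host answered
    return None

def sample_icmp(icmp_type: int, code: int, sport: int, dport: int) -> bytes:
    """Constructed ICMP error quoting a UDP probe (zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp

IDENT = 0x8000 | 1234   # constructed per-process identifier used as source port
```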
