Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security From: fitz@wang.com (Tom Fitzgerald) Subject: Re: Source Routing Organization: Wang Labs, Billerica MA, USA Date: Wed, 6 Sep 1995 19:17:34 GMT Message-ID: References: <810407791snz@hacknet.demon.co.uk> Sender: news@wang.com Nntp-Posting-Host: fnord.wang.com Lines: 39 Status: RO Postmaster writes: > How does source routing work? > As I understand it you specify it as an option in IP but I do not > understand what the record feature is for. When the packet gets to the final destination, the record can tell you a little more about which interface the packet came into for each router in the path. It's not terribly valuable (since you've already told the packet which routers to go through), but it can give you a little more information about which of several redundant paths was used..... > Also I may be associating this > techinque with IP spoofing, if so where does the spoofing come into it? Source-routing is used to let you see responses during a spoofing attack. (This is normally impossible because responses aren't going to you, they're going to the system you're pretending to be). If you're launching an attack against system V from system H, you can spoof all your traffic to look as though it came from system S, by manufacturing each packet with source=S, destination=V and a source-route that makes it look like it has passed through H on its way. For lots of protocols, V is supposed to use the reverse of the source-route for all its responses, so H can see the responses on the way back. This is a big advantage. > When someone ICMP Bombs you how are they to bomb your host as > I always thought that it was the source that reported wether a > host is unreachable? But an ICMP bomber can make a destination > unreachable.. how? Your assumption isn't exactly right - a router sends an ICMP unreachable when the destination of a packet can't be reached. The router is the source of the ICMP, and it's sent to the original source of the packet that couldn't be delivered. You bomb a host by forging ICMP-unreachables. (Recent standards like RFC 1122 prevent bombs from working as well as they used to.) -- Tom Fitzgerald 1-508-967-5278 Wang Labs, Billerica MA, USA fitz@wang.com Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security From: vjs@calcite.rhyolite.com (Vernon Schryver) Subject: Re: Source Routing Message-ID: Organization: Rhyolite Software Date: Thu, 7 Sep 1995 01:01:17 GMT References: <810407791snz@hacknet.demon.co.uk> Status: RO In article fitz@wang.com (Tom Fitzgerald) writes: >Postmaster writes: > >> How does source routing work? >> As I understand it you specify it as an option in IP but I do not >> understand what the record feature is for. > >When the packet gets to the final destination, the record can tell you a >little more about which interface the packet came into for each router in >the path. It's not terribly valuable (since you've already told the packet >which routers to go through), but it can give you a little more information >about which of several redundant paths was used..... Not so if you have not used source routing or have only used loose source routing. In those cases, as with `ping -R`, record-route is very useful. `ping -R` can give information otherwise not available about the return path. `traceroute -g` can also tell you about the return path, but only when the IP source route option works. >> Also I may be associating this >> techinque with IP spoofing, if so where does the spoofing come into it? > >Source-routing is used to let you see responses during a spoofing attack. >(This is normally impossible because responses aren't going to you, they're >going to the system you're pretending to be). Only if the system grabs the IP options it receives and uses them on its own transmissions. Some systems do that, but others do not. > If you're launching an >attack against system V from system H, you can spoof all your traffic to >look as though it came from system S, by manufacturing each packet with >source=S, destination=V and a source-route that makes it look like it has >passed through H on its way. For lots of protocols, V is supposed to use >the reverse of the source-route for all its responses, so H can see the >responses on the way back. This is a big advantage. > ... "Lots of protocols" sounds wrong. We have only TCP and UDP to worry about. Perhaps "protocols" referred to application layer protocols. If so, the major applications can be compiled to ignore received IP options, if the operating system does normally turn them around. Also, you could easily modify inetd or equivalent to dump the received IP options. Vernon Schryver vjs@rhyolite.com From: nate@elite.net (Nate Lawson) Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security Subject: Re: Source Routing Date: 7 Sep 1995 23:52:22 -0700 Organization: Elite Networking (Merced, CA) Lines: 27 Message-ID: <42op76$mv3@almond.elite.net> References: <810407791snz@hacknet.demon.co.uk> <42o7an$c5f@bubbla.uri.edu> NNTP-Posting-Host: nate@elite.net Status: RO Mike Edulla wrote: >Postmaster (postmaster@hacknet.demon.co.uk) wrote: >: How does source routing work? > >: As I understand it you specify it as an option in IP but I do not >: understand what the record feature is for. Also I may be associating this >: techinque with IP spoofing, if so where does the spoofing come into it? > >: Is it when you add your route? > >The record route option is to record the route a packet is taking, it is >used by (i think) the traceroute program, which is probably why traceroute >is suid root. No. It's setuid root so it can change the TTL field in the IP header. This requires opening a raw socket, which requires root. >strict and loose source routing are, as you say, in the options field. If i >remember correctly, you have the routing code, the length, and a pointer to >the start of the routing data. Neither of these require privileges. Just do a setsockopt() on your fd. -- | Nate Lawson Elite Networking Admin Merced, CA Area's first Internet | | nate@elite.net (209) 357-4900 Provider.. finger info@elite.net | ----------------------------------------------------------------------------- From: unrza2@rzmail.uni-erlangen.de (Jochen Kaiser) Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security Subject: Re: Source Routing Date: 8 Sep 1995 07:55:39 GMT Organization: University of Erlangen, Germany Lines: 37 Message-ID: <42ostr$dbh@cd4680fs.rrze.uni-erlangen.de> References: <810407791snz@hacknet.demon.co.uk> <42o7an$c5f@bubbla.uri.edu> NNTP-Posting-Host: rrzem.rrze.uni-erlangen.de Status: RO In <42o7an$c5f@bubbla.uri.edu> medulla@phoenix.org (Mike Edulla) writes: >: How does source routing work? >The record route option is to record the route a packet is taking, it is >used by (i think) the traceroute program, which is probably why traceroute >is suid root. No ! The Record Route Option is used by most ping implementations when you supply the "-R" Option. Because the record route option offers only place for 9 IP-Adresses in the IP-Header the traceroute cannot make use of it. Traceroute uses ICMP messages with a varying TTL (time to live) - field. The traceroute Program works as follows: When you want the route to a host several hops away, the traceroute sends out an ICMP-Message with a TTL of 1 to that host. The first router on the way gets this message and sees the tiny little TTL. It's an internet standard that TTL of 1 must not be forwarded. Thats why the router throws away the packet and sends back an ICMP - time-exceeded message. The traceroute program gets the ICMP-time-exceeded message and sends out a next ICMP - Messages to the host with a TTL of 2 which passes the first router and is decremented by it by one and passsed to the next hop. This hop sees an TTL of 1 and sends back another ICMP-time-exceeded message .... and so on. The traceroute program collect these messages and gives the user one (!) possibly route to that host. Ciao Jochen -- Jochen Kaiser Jochen.Kaiser@rrze.uni-erlangen.de Betreuung Terminal-Server dialinadm@rrze.uni-erlangen.de Regionales Rechenzentrum Universitaet Erlangen-Nuernberg From: woj@k2.ccs.neu.edu (Matthew Wojcik) Newsgroups: comp.security.unix,comp.protocols.tcp-ip,alt.security Subject: Re: Source Routing Date: 08 Sep 1995 14:05:04 GMT Organization: College of CS, Northeastern University Lines: 60 Message-ID: References: <810407791snz@hacknet.demon.co.uk> <42o7an$c5f@bubbla.uri.edu> <42ostr$dbh@cd4680fs.rrze.uni-erlangen.de> NNTP-Posting-Host: k2.ccs.neu.edu In-reply-to: unrza2@rzmail.uni-erlangen.de's message of 8 Sep 1995 07:55:39 GMT Status: RO >>>>> "Jochen" == Jochen Kaiser writes: Jochen> In <42o7an$c5f@bubbla.uri.edu> medulla@phoenix.org (Mike Edulla) Jochen> writes: >> : How does source routing work? >> The record route option is to record the route a packet is taking, it is >> used by (i think) the traceroute program, which is probably why traceroute >> is suid root. Jochen> No ! The Record Route Option is used by most ping implementations when Jochen> you supply the "-R" Option. Because the record route option offers Jochen> only place for 9 IP-Adresses in the IP-Header the traceroute cannot Jochen> make use of it. Traceroute uses ICMP messages with a varying TTL (time Jochen> to live) - field. The traceroute Program works as follows: When you Jochen> want the route to a host several hops away, the traceroute sends out Jochen> an ICMP-Message with a TTL of 1 to that host. The first router on the Jochen> way gets this message and sees the tiny little TTL. It's an internet Jochen> standard that TTL of 1 must not be forwarded. Thats why the router Jochen> throws away the packet and sends back an ICMP - time-exceeded message. Jochen> The traceroute program gets the ICMP-time-exceeded message and sends Jochen> out a next ICMP - Messages to the host with a TTL of 2 which passes Jochen> the first router and is decremented by it by one and passsed to the Jochen> next hop. This hop sees an TTL of 1 and sends back another Jochen> ICMP-time-exceeded message .... and so on. The traceroute program Jochen> collect these messages and gives the user one (!) possibly route to Jochen> that host. Mostly right. Traceroute actually sends out UDP datagrams to find a route, however, and not ICMP messages. The destination UDP port is set to an unlikely value so the final destination host won't process the packet, but will instead send back an ICMP port unreachable message. When it gets a port unreachable, it knows it has reached the destination host. UDP datagrams are sent out rather than, say, ICMP echo request messages because an ICMP port unreachable message sends back 8 bytes of the data from the IP datagram that caused the ICMP error. In this case, those 8 bytes are the UDP header. Van Jacobson uses a hack: the source UDP port in the messages traceroute sends out is actually used by his code as an identifier, to allow more than one use to run traceroute at the same time. Another hack in the same vein: he increments the destination port with each message to keep track of what hop he's on. (These are obviously on the order of "very clever" rather than "awful" hacks). traceroute makes some of the cleverest use of various ICMP messages I can imagine. Understand what's going on with traceroute, and you'll be a lot closer to knowing what's really happening when you send information across the Internet (or on any tcp/ip network), which is doubtless why Rich Stevens devotes all of chapter 8 of TCP/IP Ill. Vol 1 to it. Jochen> Ciao Jochen Jochen> -- Jochen Kaiser Jochen.Kaiser@rrze.uni-erlangen.de Betreuung Jochen> Terminal-Server dialinadm@rrze.uni-erlangen.de Regionales Jochen> Rechenzentrum Universitaet Erlangen-Nuernberg --The Woj Matthew Wojcik woj@ccs.neu.edu Experimental Systems Group woj@mbunix.mitre.org College of Computer Science, Northeastern University