[50700] in North American Network Operators' Group
Re: If you have nothing to hide
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Aug 7 17:08:56 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: bdragon@gweep.net
Cc: ggregory@affinitas.net (Gerardo A. Gregory), nanog@merit.edu
Date: Wed, 07 Aug 2002 14:28:58 -0400
Errors-To: owner-nanog-outgoing@merit.edu
In message <20020805225221.82473.qmail@sidehack.sat.gweep.net>, bdragon@gweep.n
et writes:
>
>>
>>
>> "You know, there's quite a difference between source routing and
>> IP spoofing .."
>>
>>
>>
>> As true as this statement is, the two walk hand in hand (especially during
>> certain attacks).
>>
>> If I send an attack from a spoofed address to a victim, I can turn blue in
>> the face waiting for a response that will never come.
>> If I spoof an address and use loose source routing I can force the response
>> to return right through my network.
>
>I was not aware that responses to source-routed packets were themselves
>source-routed. I also don't believe it is the case, but am open to being
>contradicted. If the responses aren't source-routed, then the packets would
>only return through your network if your network was the path back to the
>spoofed source.
See section 3.2.1.8c of RFC 1122:
If host receives a datagram containing a completed
source route (i.e., the pointer points beyond the last
field), the datagram has reached its final destination;
the option as received (the recorded route) MUST be
passed up to the transport layer (or to ICMP message
processing). This recorded route will be reversed and
used to form a return source route for reply datagrams
(see discussion of IP Options in Section 4). When a
return source route is built, it MUST be correctly
formed even if the recorded route included the source
host (see case (B) in the discussion below).
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
