Disable IP Source Routing

IP source routing is rarely used. On occasion, it's used for troubleshooting. However, a hacker might attempt to communicate with one of your hosts by inserting himself or herself as an intermediary stop between two legitimate host addresses. Figure 6-11 illustrates the scheme.

Figure 6-11 A Hacker Attacking with IP Source-Routing

The hacker, H, pretends to be an intermediary hop in a source-routed path from Host B to Host A. H creates a request and a fictitious source-route path with B as the source and H as the middle hop. H sends this to A. Host A looks at the source address of the packet, sees that it's Host B, decides that B is friendly because it's on the same subnet, and sends a reply back to B along the source-routed path with H as the next hop. H is now communicating with A.

The hacker could do this if both the router and Host A have IP source-routing enabled. To comply with the standards, Cisco routers and just about all TCP/IP hosts have IP source-routing on by default. To disable IP source-routing on a router, issue the no ip source-route global configuration command:

RTA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RTA(config)#no ip source-route

TIP See RFC 1122 for the details of IP source routing.
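As an added example (not from the book), the following Python walks the options field of an IPv4 header and reports any loose or strict source-route option (LSRR/SSRR, RFC 791 option types 131 and 137), the check a host-based sensor would use to spot the source-routed packets the scheme above depends on. The addresses (A = 192.0.2.10, B = 192.0.2.20, H = 192.0.2.99) and the packet bytes are constructed for the demonstration.

```python
import struct

# IPv4 option type values from RFC 791 (the option format RFC 1122 builds on)
IPOPT_EOOL = 0    # end of option list, single byte
IPOPT_NOP = 1     # no operation, single byte
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route

def parse_source_route(hdr: bytes):
    """Return {'kind', 'pointer', 'route'} if the IPv4 header carries an LSRR
    or SSRR option, else None. Never trusts an option length past the header."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        return None
    ihl = (hdr[0] & 0x0F) * 4          # header length in bytes; options start at 20
    if ihl < 20 or ihl > len(hdr):
        return None
    pos = 20
    while pos < ihl:
        opt_type = hdr[pos]
        if opt_type == IPOPT_EOOL:
            break
        if opt_type == IPOPT_NOP:
            pos += 1
            continue
        opt_len = hdr[pos + 1] if pos + 1 < ihl else 0
        if opt_len < 2 or pos + opt_len > ihl:
            break                      # truncated or bogus length: stop walking
        if opt_type in (IPOPT_LSRR, IPOPT_SSRR):
            pointer = hdr[pos + 2]     # offset of the next hop to use (starts at 4)
            hops = hdr[pos + 3:pos + opt_len]
            route = [".".join(str(b) for b in hops[i:i + 4])
                     for i in range(0, len(hops) // 4 * 4, 4)]
            kind = "LSRR" if opt_type == IPOPT_LSRR else "SSRR"
            return {"kind": kind, "pointer": pointer, "route": route}
        pos += opt_len
    return None

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero) for the demonstration."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                        0, 0, 64, 1, 0, bytes(map(int, src.split("."))),
                        bytes(map(int, dst.split("."))))
    return fixed + options

# Constructed packet: claims B (192.0.2.20) as source, destined for A
# (192.0.2.10), and carries an LSRR option naming H (192.0.2.99) as a hop.
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4]) + bytes([192, 0, 2, 99])
SPOOFED_HEADER = build_header("192.0.2.20", "192.0.2.10", LSRR_OPTION)
PLAIN_HEADER = build_header("192.0.2.20", "192.0.2.10")
```

Fed a header captured on Host A, `parse_source_route(SPOOFED_HEADER)` returns the LSRR option with H in the route list, while the same packet without the option returns None.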
