Apologies, if these are newbie questions.
IP level options are disallowed in the post BSD 4.3 rlogin/rsh daemons and
in the tcp wrappers package,
The tcp wrapper man page says that
"tcpd disables source-routing socket options on
every connection that it deals with. This will take care of
most attacks from hosts that pretend to have an address that
belongs to someone elses network."
1) How can rlogind or rshd be compromised if the source routing is enabled?
(If someone tries to spoof a host on another network, wouldn't the
intermediate routers reject the spoofed packets.)
2) Is there any situation, other than trouble shooting, where
the source routing option will be of use?
3) Are the rlogind/rshd daemons in SunOS 4.1.x susceptible to source
routing attacks?
4) Is there any patch for fixing the getsockopt() system call bug in
SunOS 4.1.x ?
Thanks
Venu
>Apologies, if these are newbie questions.
>IP level options are disallowed in the post BSD 4.3 rlogin/rsh daemons and
>in the tcp wrappers package,
>The tcp wrapper man page says that
> "tcpd disables source-routing socket options on
> every connection that it deals with. This will take care of
> most attacks from hosts that pretend to have an address that
> belongs to someone elses network."
>1) How can rlogind or rshd be compromised if the source routing is enabled?
> (If someone tries to spoof a host on another network, wouldn't the
> intermediate routers reject the spoofed packets.)
No, because the packets are source-routed. They will only be
rejected if the router is configured to reject source routed
packets or to reject packets coming from another interface than
expected. (I.e., if you have an interface with a subnet associated,
you should reject all packets coming into the router from any
of the other interfaces that have a source address on that one interface.)
>2) Is there any situation, other than trouble shooting, where
> the source routing option will be of use?
Not many, though as work-around for temporary routing failures, it can
be useful. But even that is mostly under the heading of trouble
shooting.
>3) Are the rlogind/rshd daemons in SunOS 4.1.x susceptible to source
> routing attacks?
As far as I could determine, SunOS 4.1.x machines with only one ethernet
interface are not susceptible to a source routing attack.
I think this is because the source routed code requires that a source
routed packet leaves another interface than the one it came in on.
Anyway, I couldn't get any of our SunOS machines to react to source routed
packets. I could get our Solaris 2.x machines to react to source routed
packets.
I could be wrong about SunOS, though, so switching off source routing through
tcpd is better.
>4) Is there any patch for fixing the getsockopt() system call bug in
> SunOS 4.1.x ?
Yes, patch 100804-03.
Casper
Exactly how to do this is left as an exercise to the reader, but the
fundamental problem is that the source route allows the packet to travel
"through" possibly suspect IP entities that have not had the slightest
amount of authentication as "trustworthy" routers applied to them.
BillW
cisco
>>3) Are the rlogind/rshd daemons in SunOS 4.1.x susceptible to source
>> routing attacks?
>As far as I could determine, SunOS 4.1.x machines with only one ethernet
>interface are not susceptible to a source routing attack.
>I think this is because the source routed code requires that a source
>routed packet leaves another interface than the one it came in on.
I must disagree here. Read the BSD/NET1 or NET2 code again. The number
of interfaces does not matter (as long as it is > 0). Reading kernel
source for breakfast is a nice way to begin the day :-)
Wietse
>A correct and bug-free implementation of IP source routing allows
>any host on the internet to masquerade as any IP address that it would
>like to...
I am a little puzzled about this. How do you arrange for
replies to come back to you?
--
Rahul Dhesi <dh...@rahul.net>
also: dh...@cirrus.com
Even if it didn't, the truly wily hacker may have written their own program
that did.
Surely we must assume that *any* series of bits may be presented to our
network interface?
dh...@rahul.net (Rahul Dhesi) writes:
>I am a little puzzled about this. How do you arrange for
>replies to come back to you?
That is what the source route is for: the client specifies the route
that datagrams (both ways) should take.
Wietse
> >A correct and bug-free implementation of IP source routing allows
> >any host on the internet to masquerade as any IP address that it would
> >like to...
dh...@rahul.net (Rahul Dhesi) writes:
> I am a little puzzled about this. How do you arrange for
> replies to come back to you?
That's required for TCP. From RFC 1122:
    4.2.3.8  IP Options
    [...]
        When a TCP connection is OPENed passively and a packet
        arrives with a completed IP Source Route option (containing
        a return route), TCP MUST save the return route and use it
        for all segments sent on this connection.  If a different
        source route arrives in a later segment, the later
        definition SHOULD override the earlier one.
Source routing will get even more interesting in the future.... many of the
IPng proposals depend heavily on source-routing, to the extent that you
probably won't be able to disable it on routers. If you could, the
protocols wouldn't work.
--
Tom Fitzgerald Wang Labs Lowell MA, USA 1-508-967-5278 fi...@wang.com
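Added example (not part of any post in this thread, and not tcpd's own code): because the stack saves the return route on a passively opened connection, a server can read the connection's IP options, look for a loose or strict source route, and clear the options before trusting the peer address. The function names are hypothetical, and the socket call assumes a stack where getsockopt(IP_OPTIONS) returns the raw option octets, as on Linux.

```c
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* IPv4 option type octets (RFC 791). */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_LSRR = 131, OPT_SSRR = 137 };

/* Walk an IPv4 options area.
 * Returns 1 if a loose or strict source route is present,
 * 0 if none, -1 if the options are malformed. */
int has_source_route(const unsigned char *opt, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char type = opt[i];
        if (type == OPT_EOL)
            return 0;               /* end of option list */
        if (type == OPT_NOP) {      /* single-octet padding */
            i++;
            continue;
        }
        if (i + 1 >= len)
            return -1;              /* length octet missing */
        unsigned char olen = opt[i + 1];
        if (olen < 2 || olen > len - i)
            return -1;              /* length runs outside the area */
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;
        i += olen;
    }
    return 0;
}

/* Check on an accepted TCP socket: read the saved options, clear them,
 * and report 1 (source-routed or malformed: refuse), 0 (clean), -1 (error).
 * Assumption: getsockopt returns raw option octets, as on Linux. */
int check_and_clear_options(int fd)
{
    unsigned char buf[40];          /* IPv4 options are at most 40 octets */
    socklen_t n = sizeof buf;
    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, buf, &n) < 0)
        return -1;
    int verdict = has_source_route(buf, n);
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0)
        return -1;
    return verdict != 0;
}
```

Malformed options are treated the same as a source route, so a truncated option cannot be used to slip past the check.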
>The tcp wrapper man page says that
> "tcpd disables source-routing socket options on
> every connection that it deals with. This will take care of
> most attacks from hosts that pretend to have an address that
> belongs to someone elses network."
>1) How can rlogind or rshd be compromised if the source routing is enabled?
> (If someone tries to spoof a host on another network, wouldn't the
> intermediate routers reject the spoofed packets.)
Well, source routing is used to do just that... disallow routing decisions
from occurring along the path. When source routing is specified, then the
sender specifies the entire route that the packet should take; i.e., the
routers in the middle wouldn't reject...
>2) Is there any situation, other than trouble shooting, where
>the source routing option will be of use?
Not as far as I can think of off hand; about the only thing that I can think
of/remember that source routing is used for is (as you mentioned) when
troubleshooting--it can eliminate the possibility of different packets
taking different routes along their merry way...
>3) Are the rlogind/rshd daemons in SunOS 4.1.x susceptible to source
>routing attacks?
>4) Is there any patch for fixing the getsockopt() system call bug in
> SunOS 4.1.x ?
Sorry; OS specific (especially SUNs) stuff I really am not all that good
with...
Hope this helps....
---
Tommi
The above are my thoughts; if you don't like them, don't read them!
>In article <1994Jun6.0...@martha.utcc.utk.edu> ve...@voodoo.utcc.utk.edu (Nair Venugopal) writes:
>[stuff deleted]
>>2) Is there any situation, other than trouble shooting, where
>>the source routing option will be of use?
>Not as far as I can think of off hand; about the only thing that I can think
>of/remember that source routing is used for is (as you mentioned) when
>troubleshooting--it can eliminate the possibility of different packets
>taking different routes along their merry way...
Bhagwat and Perkins (Mobile and Location-Independent Computing
Symposium), Johnson (CMU TR), and Rekhter and Perkins (Internet draft
"Loose Source Routing for Mobile Hosts") use LSR to allow mobile hosts
to retain the same IP address while moving through the internet.
Cheers,
Bruce
--
Bruce Parker
4314 Infotech (201) 596-3369
Computer and Information Science Department par...@vienna.njit.edu
New Jersey Institute of Technology, Newark, New Jersey 07102 USA
I have been told that the mbone software uses source routing.
If so, is there any way to filter source routes without breaking the mbone?
--
Steve Kotsopoulos P.Eng. st...@ecf.toronto.edu
Systems Analyst, Engineering Computing Facility, University of Toronto