In message <20020805225221.82473.qmail@sidehack.sat.gweep.net>, bdragon@gweep.net writes:
"You know, there's quite a difference between source routing and IP spoofing .."
As true as this statement is, the two walk hand in hand (especially during certain attacks).
If I send an attack from a spoofed address to a victim, I can turn blue in the face waiting for a response that will never come. If I spoof an address and use loose source routing I can force the response to return right through my network.
I was not aware that responses to source-routed packets were themselves source-routed. I also don't believe it is the case, but am open to being contradicted. If the responses aren't source-routed, then the packets would only return through your network if your network was the path back to the spoofed source.
See section 3.2.1.8c of RFC 1122:

    If host receives a datagram containing a completed source route (i.e., the pointer points beyond the last field), the datagram has reached its final destination; the option as received (the recorded route) MUST be passed up to the transport layer (or to ICMP message processing). This recorded route will be reversed and used to form a return source route for reply datagrams (see discussion of IP Options in Section 4). When a return source route is built, it MUST be correctly formed even if the recorded route included the source host (see case (B) in the discussion below).

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
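The mechanism the RFC text describes can be made concrete with a small model. What follows is an added example, not code from the thread or from any participant: it encodes an RFC 791 loose source route (LSRR, option type 131), walks a packet hop by hop, and then applies the RFC 1122 3.2.1.8(c) rule at the destination, reversing the recorded route to build the reply's source route. The addresses, the hop names (SPOOFED_SRC, ATTACKER_HOP, VICTIM) and the scenario are constructed for illustration from RFC 5737 documentation ranges; the `source_route_options` helper is an added border-filter check, not something the RFC mandates.

```python
"""
Added example (not from the NANOG thread): a minimal model of RFC 791 loose
source routing (LSRR, option type 131) and the RFC 1122 3.2.1.8(c) rule that
the final destination reverses the recorded route to build the return route.

Addresses below are constructed documentation-range values (RFC 5737) chosen
to mirror the scenario in the thread: the attacker spoofs a source address and
lists its own router as a loose source-route hop, so the reply is
source-routed back through the attacker's network.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

LSRR = 131   # loose source and record route, RFC 791 (0x83)
SSRR = 137   # strict source and record route (0x89)
RR = 7       # record route
EOL, NOP = 0, 1


def build_lsrr(hops):
    """Encode an LSRR option: type, length, pointer (starts at 4), then hop addresses."""
    data = b"".join(IPv4Address(h).packed for h in hops)
    return bytearray([LSRR, 3 + len(data), 4]) + data


@dataclass
class Packet:
    src: str
    dst: str
    opt: bytearray
    trace: list = field(default_factory=list)  # constructed: hops that handled it


def route_completed(opt):
    """RFC 1122 3.2.1.8(c): the pointer points beyond the last field."""
    return opt[2] > opt[1]


def recorded_route(opt):
    """Addresses currently held in the option's route data."""
    return [str(IPv4Address(bytes(opt[i:i + 4]))) for i in range(3, opt[1], 4)]


def process_at(pkt, here):
    """RFC 791 LSRR handling at the host whose address is the packet's destination."""
    assert pkt.dst == here
    pkt.trace.append(here)
    if route_completed(pkt.opt):
        return True  # final destination reached
    ptr = pkt.opt[2]
    pkt.dst = str(IPv4Address(bytes(pkt.opt[ptr - 1:ptr + 3])))  # next hop
    pkt.opt[ptr - 1:ptr + 3] = IPv4Address(here).packed          # record ourselves
    pkt.opt[2] = ptr + 4
    return False


def deliver(pkt):
    """Forward the packet hop by hop until the source route is completed."""
    while not process_at(pkt, pkt.dst):
        pass
    return pkt


def build_return_route(pkt):
    """RFC 1122 3.2.1.8(c): reverse the recorded route to source-route the reply."""
    reverse = recorded_route(pkt.opt)[::-1] + [pkt.src]
    first_hop, rest = reverse[0], reverse[1:]
    return Packet(src=pkt.dst, dst=first_hop, opt=build_lsrr(rest))


def source_route_options(options):
    """Added filter-side check: list option types in an IPv4 options field so a
    border device can reject LSRR/SSRR (131/137). Follows the RFC 791 TLV layout."""
    found, i = [], 0
    while i < len(options):
        t = options[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        found.append(t)
        i += options[i + 1]
    return found


# Constructed scenario (RFC 5737 documentation addresses)
SPOOFED_SRC = "192.0.2.10"      # address the attacker claims to be
ATTACKER_HOP = "198.51.100.1"   # router inside the attacker's network
VICTIM = "203.0.113.5"


def demo():
    """Spoofed packet with ATTACKER_HOP as the loose hop; the reply comes back via it."""
    forged = Packet(src=SPOOFED_SRC, dst=ATTACKER_HOP, opt=build_lsrr([VICTIM]))
    deliver(forged)
    reply = build_return_route(forged)
    deliver(reply)
    return forged, reply


if __name__ == "__main__":
    forged, reply = demo()
    print("forward path:", forged.trace)
    print("recorded route at victim:", recorded_route(forged.opt))
    print("reply path:", reply.trace)
```

Without the option, the victim's reply would be addressed straight to SPOOFED_SRC and the attacker's router would never see it; with LSRR the reply's first hop is ATTACKER_HOP, which is the point bdragon is making. The `source_route_options` check is the usual mitigation: drop datagrams carrying type 131 or 137 at the border.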
See section 3.2.1.8c of RFC 1122:
<snip>
processing). This recorded route will be reversed and used to form a return source route for reply datagrams (see discussion of IP Options in Section 4). When a
<snip>
--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
Tickle me contradicted, my apologies for doubting whoever it was (it is late, and I'm too tired and lazy to check)
Tickle me contradicted, my apologies for doubting whoever it was (it is late, and I'm too tired and lazy to check)

dragon - No apologies needed......

Gerardo Gregory

----- Original Message -----
From: <bdragon@gweep.net>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: <nanog@merit.edu>
Sent: Thursday, August 08, 2002 10:51 PM
Subject: Re: If you have nothing to hide
See section 3.2.1.8c of RFC 1122:
<snip>
processing). This recorded route will be reversed and used to form a return source route for reply datagrams (see discussion of IP Options in Section 4). When a
<snip>
--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
Tickle me contradicted, my apologies for doubting whoever it was (it is late, and I'm too tired and lazy to check)
(warning, not for the humor impaired) In the interest of spewing even more non-op traffic on this list, see "59% of dweebs suffer from 'False Authority Syndrome'" at http://vmyths.com/rant.cfm?id=501&page=4 and make sure you listen to the mp3 version, it's so much better than the written words. (it's hilarious actually) It's particularly apt for these so-called experts spreading all the FUD trying to turn a national tragedy into either shameless self-promotion (Hello everyone who attended Defcon), or who want to use that as an agenda to "take over the internet".. (yeah, right, turn an M$ computer security expert into a White House security expert, hahahah) Len
participants (4): bdragon@gweep.net, gg, Len Rose, Steven M. Bellovin