What is source routed traffic and why is it a threat?
Normally, the route a packet takes from its source to its destination is determined by the routers between the source and destination. The packet itself only says where it wants to go (the destination address), and nothing about how it expects to get there. There is an optional way for the sender of a packet (the source) to include information in the packet that tells the route the packet should take to get to its destination; thus the name “source routing”. For a firewall, source routing is noteworthy, since an attacker can generate traffic claiming to be from a system “inside” the firewall. In general, such traffic wouldn’t route to the firewall properly, but with the source routing option, all the routers between the attacker’s machine and the target will return traffic along the reverse path of the source route. Implementing such an attack is quite easy; so firewall builders should not discount it as unlikely to happen. In practice, source routing is very little used. In fact,
Normally, the route a packet takes from its source to its destination is determined by the routers between the source and destination. The packet itself only says where it wants to go (the destination address), and nothing about how it expects to get there. There is an optional way for the sender of a packet (the source) to include information in the packet that tells the route the packet should take to get to its destination; thus the name source routing. For a firewall, source routing is noteworthy, since an attacker can generate traffic claiming to be from a system inside the firewall. In general, such traffic wouldnt route to the firewall properly, but with the source routing option, all the routers between the attackers machine and the target will return traffic along the reverse path of the source route. Implementing such an attack is quite easy; so firewall builders should not discount it as unlikely to happen. In practice, source routing is very little used. In fact, generally
