IP address spoofing using Source Routing


With IP options we can specify the route we want an IP packet to take while connecting to a server. If we know that a particular server provides some extra functionality based on the IP address, can we not utilize this by spoofing an IP packet so that the source IP address is the privileged IP address and one of the hosts on the Source Routing is our own?

So if the privileged IP address is x1, the server IP address is x2 and my own IP address is x3, I send a packet from x1 to x2 which is supposed to pass through x3. x1 does not actually send the packet; it is just that x2 thinks the packet came from x1 via x3. Now, if in response x2 uses the same routing policy (as a matter of courtesy to x1), then all packets would be received by x3.

Will the destination typically use the same IP address sequences as specified in the routing header so that packets coming from the server pass through my IP where I can get the required information?

Can we not spoof a TCP connection in the above case?

Is this attack used in practice? Has it been used by anyone?

Best Answer

  • Now there's some good thinking. But fear not, this is already a known attack:

    Its danger is mitigated by the fact that source routed packets are generally blocked at organizations' boundaries, and also the fact that source routing is disabled by default in server OSes such as FreeBSD and OpenBSD (and at least some of the Linux distributions, e.g. Arch Linux). Quoting from that first link:

    The impact of this advisory is greatly diminished due to the large number of organizations which block source routed packets and packets with addresses inside of their networks. Therefore we present the information as more of a 'heads up' message for the technically inclined, and to re-iterate that the randomization of TCP sequence numbers is not an effective solution against this attack.
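As an added illustration (not part of the question or the answer), a small Python parser that pulls the LSRR/SSRR hop list out of an IPv4 header and applies the border policy the answer describes: drop source-routed packets and packets whose source address claims to be inside our own network. The addresses, the internal prefix and the packet builder are constructed sample data.

```python
import ipaddress
import struct

# IPv4 option type codes (RFC 791): end-of-list, no-op, loose and strict source route
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 0x83, 0x89

def parse_ipv4_options(packet: bytes):
    """Return the (type, data) options carried in an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts, pos = [], 20
    while pos < ihl:
        kind = packet[pos]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            pos += 1
            continue
        length = packet[pos + 1]
        if length < 2 or pos + length > ihl:
            raise ValueError("malformed option length")
        opts.append((kind, packet[pos + 2:pos + length]))
        pos += length
    return opts

def source_route_hops(packet: bytes):
    """Hop list of an LSRR/SSRR option, or None if the packet carries neither."""
    for kind, data in parse_ipv4_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the route pointer; the rest is a sequence of 4-byte hops
            return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(1, len(data) - 3, 4)]
    return None

def should_drop(packet: bytes, internal_net: str) -> bool:
    """Border policy from the answer: drop source-routed packets and any packet whose source (the claimed x1) is inside our own network."""
    src = ipaddress.IPv4Address(packet[12:16])
    return source_route_hops(packet) is not None or src in ipaddress.ip_network(internal_net)

def build_packet(src: str, dst: str, hops=()):
    """Constructed sample IPv4 header (checksum left zero) with an optional LSRR option."""
    option = b""
    if hops:
        body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
        option = bytes([IPOPT_LSRR, 3 + len(body), 4]) + body  # type, length, pointer
        option += b"\x00" * (-len(option) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(option) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(option), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + option
```

In the page's terms, `build_packet("10.0.0.5", "192.0.2.10", ["198.51.100.7"])` is x1 claiming to reach x2 via x3; both the LSRR option and the internal-looking source cause the border filter to drop it.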
