nanog mailing list archives

Re: If you have nothing to hide


From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 07 Aug 2002 14:28:58 -0400


In message <20020805225221.82473.qmail () sidehack sat gweep net>, bdragon@gweep.net writes:

"You know, there's quite a difference between source routing and
IP spoofing .."
As true as this statement is, the two walk hand in hand (especially during
certain attacks).

If I send an attack from a spoofed address to a victim, I can turn blue in
the face waiting for a response that will never come.
If I spoof an address and use loose source routing I can force the response
to return right through my network.

I was not aware that responses to source-routed packets were themselves
source-routed. I also don't believe it is the case, but am open to being
contradicted. If the responses aren't source-routed, then the packets would
only return through your network if your network was the path back to the
spoofed source.

See section 3.2.1.8c of RFC 1122:

                 If host receives a datagram containing a completed 
                 source route (i.e., the pointer points beyond the last
                 field), the datagram has reached its final destination;
                 the option as received (the recorded route) MUST be
                 passed up to the transport layer (or to ICMP message 
                 processing).  This recorded route will be reversed and
                 used to form a return source route for reply datagrams
                 (see discussion of IP Options in Section 4).  When a
                 return source route is built, it MUST be correctly
                 formed even if the recorded route included the source
                 host (see case (B) in the discussion below).


                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com ("Firewalls" book)
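The RFC 1122 requirement quoted above is what makes a reply retrace the recorded route, and it is the reason most hosts and routers are configured to drop source-routed datagrams outright. As an added example that is not part of this thread or of any particular IP stack, the Python below parses a completed LSRR option (RFC 791 wire format: type 0x83, length, pointer, addresses) and builds the return source route the way section 3.2.1.8(c) describes, for both case (A) and case (B); the addresses are constructed samples, and reading "correctly formed" as "never list the original sender twice" is an assumption.

```python
# Added example (not from the thread): derive the return source route that
# RFC 1122 section 3.2.1.8(c) requires from a completed LSRR option.
# Wire format (RFC 791): type 0x83, length, pointer (1-based offset of the
# next route field; 4 selects the first address), then 4-byte addresses.
from ipaddress import IPv4Address

IPOPT_LSRR = 0x83  # loose source and record route


def parse_lsrr(option: bytes):
    """Return (pointer, [recorded addresses as strings]) from a received LSRR option."""
    if len(option) < 3 or option[0] != IPOPT_LSRR:
        raise ValueError("not an LSRR option")
    length, pointer = option[1], option[2]
    if length != len(option) or (length - 3) % 4 != 0 or pointer < 4:
        raise ValueError("malformed LSRR option")
    addrs = [str(IPv4Address(option[i:i + 4])) for i in range(3, length, 4)]
    return pointer, addrs


def encode_lsrr(hops, pointer=4) -> bytes:
    """Encode an LSRR option; pointer == length + 1 marks a completed route."""
    body = b"".join(IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), pointer]) + body


def build_return_route(received_option: bytes, ip_src: str):
    """Reverse a completed recorded route into (next_hop, reply_option).

    next_hop goes into the reply's IP destination field; reply_option lists the
    remaining hops, ending with the original IP source as final destination.
    """
    pointer, recorded = parse_lsrr(received_option)
    if pointer <= received_option[1]:
        raise ValueError("route not completed: this host is not the final destination")
    route = list(reversed(recorded))
    # Case (B) of RFC 1122: the sender listed itself as first hop, so the reversed
    # route already ends with it. Otherwise append it. (Assumption: this is what
    # "MUST be correctly formed" amounts to in practice.)
    if not route or route[-1] != ip_src:
        route.append(ip_src)
    return route[0], encode_lsrr(route[1:])


# Constructed samples: S=10.0.0.1 reached D via G1=192.0.2.1, G2=198.51.100.1.
# Case (A): D receives the recorded route {G1, G2 >>} (pointer past the end).
RECEIVED_A = encode_lsrr(["192.0.2.1", "198.51.100.1"], pointer=12)
# Case (B): the sender wrongly placed itself first, so D sees {S, G1, G2 >>}.
RECEIVED_B = encode_lsrr(["10.0.0.1", "192.0.2.1", "198.51.100.1"], pointer=16)

if __name__ == "__main__":
    for name, opt in (("A", RECEIVED_A), ("B", RECEIVED_B)):
        hop, reply = build_return_route(opt, "10.0.0.1")
        print(name, "next hop", hop, "then", parse_lsrr(reply)[1])
```

Both cases yield the same reply path (next hop 198.51.100.1, then 192.0.2.1, then 10.0.0.1), which is the behaviour the thread is discussing: the reply is steered back through every hop the sender named.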
