[CCCure CISSP] Source Routing

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[CCCure CISSP] Source Routing

Manish Upasani

Guys,
All of us must have heard of something called source routing, where the source of the packet traversing through the network can be configured.
There are two types to it, loose and strict source routing.
I have a doubt here, how can we configure the same may be to do some kind of testing that the things work/gets blocked on the perimeter devices or to achieve something with it.
I tried google but didn't got how to configure it...everyone talks about how to block it and configure the devices to block it.
Any help here will be helpful.

Regards
Manish Upasani


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
Reply | Threaded
Open this post in threaded view
|

Re: [CCCure CISSP] Source Routing

clementdupuis
Administrator
Good day Manish,

This is an older type of attack.    Any router worth calling router will drop Source Route packet for sure.  It is very unlikely that it would even work at all today.

A CISCO router by default will not accept source route packets anymore and most of the leading brand would do the same.  

You can see a nice explanation at:



Best regards

Clement


Clement Dupuis, CD

Chief Learning Officer (CLO) and Security Evangelist
GCFW, GCIA, Security+ 301, CEH V7, CCSA, CCSE,  + 12 others

SecureNinja
Office : +703 535 8600
Mobile: +1 407 433 6444

Email: [hidden email]

Web: www.secureninja.com

Connect with me on LinkedIn | Follow me on Twitter


Description: Secure Ninja @ LinkedinDescription: See Us @ YoutubeDescription: Like us on FacebookDescription: Fallow us Twitter

901 N. Pitt Street, Suite 105
Alexandria, VA  22314

Description: Description: sn_logo

In Cyberspace:

[hidden email]
Clement Dupuis, CD
President/Founder/Chief Security Evangelist
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Maintainer of :

The CCCure Quiz Engine
https://www.freepracticetests.org/quiz/index.php?page=home

The CCCure Family of Portals
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org/

Knowledge sharing and giving back to the community

-------------------------------------------------------------------------------------------------------
>>  Call me to get the best CISSP, Security+, or other Security related training  <<
-------------------------------------------------------------------------------------------------------


On Thu, Apr 4, 2013 at 1:42 PM, Manish Upasani <[hidden email]> wrote:

Guys,
All of us must have heard of something called source routing, where the source of the packet traversing through the network can be configured.
There are two types to it, loose and strict source routing.
I have a doubt here, how can we configure the same may be to do some kind of testing that the things work/gets blocked on the perimeter devices or to achieve something with it.
I tried google but didn't got how to configure it...everyone talks about how to block it and configure the devices to block it.
Any help here will be helpful.

Regards
Manish Upasani


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org



_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
Clement Dupuis, CD
CCCure Founder and Owner
CLO @ SecureNinja.Com
Reply | Threaded
Open this post in threaded view
|

Re: [CCCure CISSP] Source Routing

Nam Nguyễn Thành
In reply to this post by Manish Upasani
Hi Manish,


As you knew, we see lots of attack types on network, one of them is the forging or spoofing of IP source address. In Cisco device, Cisco router, they develope a technology to deal with this type of attack, that is Unicast Reverse Path Forwading (URPF). This technology help us to validate source of packets, the information is compared with info contained within Cisco Express Forwarding FIB, this is a table in manner of cache to help Cisco router to improve speed of packet being forwarding.
There are two kinds of mode for this technology:
1. Strict: in this mode, source address is verified with info in FIB table AND the source address was received on the best return route interface.
2. Loose: just only source address is verified, not interface.
This type of technology takes lots of performace of router comparing with using ACLs to protect your network against spoofing attack.
For configuration, you can make some commands on your primeter devices - router, as the following:
1. Enable CEF:
#ip cef distributed
2. Enable URFP:
#ip verify unicast source reachable-via [rx | any] ACL
with rx = strict mode or any = loose mode, and come with an ACL

Hope these info above help you!

NamNT


On Fri, Apr 5, 2013 at 12:42 AM, Manish Upasani <[hidden email]> wrote:

Guys,
All of us must have heard of something called source routing, where the source of the packet traversing through the network can be configured.
There are two types to it, loose and strict source routing.
I have a doubt here, how can we configure the same may be to do some kind of testing that the things work/gets blocked on the perimeter devices or to achieve something with it.
I tried google but didn't got how to configure it...everyone talks about how to block it and configure the devices to block it.
Any help here will be helpful.

Regards
Manish Upasani


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org




--
Regards,
NamNT


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your accout visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org