IP Source Routing Enabled

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: September 20, 1999
Added: November 01, 2004
Modified: July 12, 2012

Description

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Solution

  • IBM AIX

    Disable IP source routing on IBM AIX

    Issue the following command to disable forwarding of source routed packets:

       /usr/sbin/no -o nonlocsrcroute=0

    Also, issue the following command to disable the sending of source routed packets:

       /usr/sbin/no -o ipsrcroutesend=0

    To make these settings permanent, add the commands to /etc/rc.net.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • FreeBSD

    Disable IP source routing on FreeBSD

    IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:

       sysctl net.inet.ip.sourceroute

    If the option is not set to 0, you can set it to zero by issuing the following command:

       sysctl -w net.inet.ip.sourceroute=0

    These settings can be added to /etc/sysctl.conf to make them permanent.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Cisco IOS

    Disable IP source routing on Cisco IOS

    Use the 'no ip source-route' command to disable source-routing on the affected interface(s).

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • SGI Irix

    Disable IP source routing on SGI Irix

    Issue the following command to disable forwarding of source routed packets:

       /usr/sbin/systune ipforward to 2

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Linux

    Disable IP source routing on Linux

    Source routing is disabled by default. On Linux kernel 2.2 and earlier, this setting was controlled by the contents of the following proc file:

       /proc/sys/net/ipv4/conf/all/accept_source_route

    However, in more recent versions of Linux, the source route setting is controlled by several sysctl variables. Issue the following command to drop all source routed packets:

       /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0

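    Also, issue the following commands to disable forwarding of any frames with source routing options. Note that these turn off IPv4 unicast and multicast forwarding for all traffic, so they are only appropriate on hosts that do not act as routers: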

       /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
       /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0

    These settings can be added to /etc/sysctl.conf to make them permanent.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition

    Disable IP source routing on Windows NT 4

    First upgrade to the latest NT4 Service Pack (SP6 for NT4 Terminal Server, SP6a for all other versions of NT4). Versions of NT4 prior to SP6 can still be "tricked" into honoring source routing even if you have disabled it via the registry. See Q238453 for more information.

    After upgrading to NT Service Pack 6a, run the registry editor (regedit.exe) and browse to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • OpenBSD

    Disable IP source routing on OpenBSD

    IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:

       sysctl net.inet.ip.sourceroute

    If the option is not set to 0, you can set it to zero by issuing the following command:

       sysctl -w net.inet.ip.sourceroute=0

    These settings can be added to /etc/sysctl.conf to make them permanent.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Cisco PIX

    Disable IP source routing on Cisco PIX

    PIX firewalls are designed to drop IP packets with insecure options, including source routing. See the following Cisco support document for more information.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Sun Solaris

    Disable IP source routing on Solaris

    While you cannot completely disable Solaris's handling of source-routed packets directed at the Solaris host itself, you can prevent Solaris from forwarding source routed packets on to the next hop by issuing the following command:

       /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0

    In order to make this setting permanent, you will need to set this option automatically when the machine is booted.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition, Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008 Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008, Microsoft Windows Server 2012, Microsoft Windows Server 2012 Essentials Edition, Microsoft Windows Server 2012 Standard Edition, Microsoft Windows Server 2012 Datacenter Edition, Microsoft Windows Server 2012 Foundation Edition, Microsoft Windows Storage Server 2012, Microsoft Windows 7, Microsoft Windows 7 Home, Basic Edition, Microsoft Windows 7 Home, Basic N Edition, Microsoft Windows 7 Home, Premium Edition, Microsoft Windows 7 Home, Premium N Edition, Microsoft Windows 7 Ultimate Edition, Microsoft Windows 7 Ultimate N Edition, Microsoft Windows 7 Enterprise Edition, Microsoft Windows 7 Enterprise N Edition, Microsoft Windows 7 Professional Edition, Microsoft Windows 7 Starter Edition, Microsoft Windows 7 Starter N Edition, Microsoft Windows Embedded Standard 7, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 R2, Enterprise Edition, Microsoft Windows Server 2008 R2, Standard Edition, Microsoft Windows Server 2008 R2, Datacenter Edition, Microsoft Windows Server 2008 R2, Web Edition, Microsoft Windows 8, Microsoft Windows 8 Enterprise Edition, Microsoft Windows 8 Professional Edition, Microsoft Windows RT

    Disable IP source routing on Windows Vista and newer

    Run the registry editor (regedit.exe) and browse to the following keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

    For Tcpip, the DWORD value named "DisableIPSourceRouting" must either not exist or have a value of 1 or 2. For Tcpip6, the DWORD value named "DisableIPSourceRouting" must exist and have a value of 1 or 2. For the highest security level, both should exist and be set to 2. Windows must be rebooted for the change to take effect.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

    See http://technet.microsoft.com/library/dd349797%28v=ws.10%29.aspx for more information.

  • Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003

    Disable IP source routing on Windows 2000/XP/2003

    Run the registry editor (regedit.exe) and browse to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).

  • Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows ME

    Disable IP source routing on Windows 95/98/ME

    Microsoft has provided a fix for this issue, but requires users to contact Microsoft directly to obtain the fix. Please see MSKB article Q238453 for more information.

    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
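
For the Linux item above, a shell audit that verifies both the running value and the /etc/sysctl.conf entry. This is an added example, not part of the original advisory; the PROC_ROOT and CONF_FILE arguments are hypothetical parameters so the checks can run against a constructed tree, and checking every per-interface entry is stricter than the single 'all' command the page gives.

```shell
#!/bin/sh
# Added example: audit the Linux settings named in the advisory.
# PROC_ROOT and CONF_FILE arguments are hypothetical parameters so the
# checks can run against a constructed tree as well as a live host.

KEY_RE='net\.ipv4\.conf\.all\.accept_source_route'

# audit_runtime [PROC_ROOT]: fail if any interface entry is not 0.
audit_runtime() {
    proc_root=${1:-/proc/sys}
    seen=0
    bad=0
    for f in "$proc_root"/net/ipv4/conf/*/accept_source_route; do
        [ -r "$f" ] || continue
        seen=$((seen + 1))
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "FAIL runtime $(basename "$(dirname "$f")") accept_source_route=$val"
            bad=1
        fi
    done
    # An empty tree proves nothing, so treat it as a failure.
    if [ "$seen" -eq 0 ]; then
        echo "FAIL runtime no accept_source_route entries under $proc_root"
        bad=1
    fi
    return "$bad"
}

# audit_persisted [CONF_FILE]: fail unless the last uncommented
# assignment of the "all" key in the file is 0.
audit_persisted() {
    conf_file=${1:-/etc/sysctl.conf}
    [ -r "$conf_file" ] || { echo "FAIL persisted cannot read $conf_file"; return 1; }
    val=$(sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$conf_file" | tail -n 1)
    if [ "$val" != "0" ]; then
        echo "FAIL persisted all.accept_source_route='${val:-unset}'"
        return 1
    fi
}

# audit_source_route [PROC_ROOT] [CONF_FILE]: 0 only if both checks pass.
audit_source_route() {
    overall=0
    audit_runtime "${1:-/proc/sys}" || overall=1
    audit_persisted "${2:-/etc/sysctl.conf}" || overall=1
    return "$overall"
}
```

On a live host, source the file and call audit_source_route with no arguments; a non-zero exit status means a runtime value or the persisted setting still allows source routing.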