Thursday, September 5, 2013

IP Source Routing Enabled and How to Disable

Solution

  • IBM AIX
    Disable IP source routing on IBM AIX
    Issue the following command to disable forwarding of source routed packets:
       /usr/sbin/no -o nonlocsrcroute=0
    Also, issue the following command to disable the sending of source routed packets:
       /usr/sbin/no -o ipsrcroutesend=0
    To make these settings permanent, add both commands to /etc/rc.net.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • FreeBSD
    Disable IP source routing on FreeBSD
    IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:
       sysctl net.inet.ip.sourceroute
    If the option is not set to 0, you can set it to zero by issuing the following command:
       sysctl -w net.inet.ip.sourceroute=0
    These settings can be added to /etc/sysctl.conf to make them permanent.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Cisco IOS
    Disable IP source routing on Cisco IOS
    Use the 'no ip source-route' command to disable source-routing on the affected interface(s).
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • SGI Irix
    Disable IP source routing on SGI Irix
    Issue the following command to disable forwarding of source routed packets:
       /usr/sbin/systune ipforward 2
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Linux
    Disable IP source routing on Linux
    Source routing is disabled by default. On Linux kernel 2.2 and earlier, this setting was controlled by the contents of the following proc file:
       /proc/sys/net/ipv4/conf/all/accept_source_route
    However, in more recent versions of Linux, the source route setting is controlled by several sysctl variables. Issue the following command to drop all source routed packets:
       /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
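    Also, issue the following commands to disable forwarding of any packets with source routing options. Note that these commands turn off all IPv4 unicast and multicast forwarding, so apply them only on hosts that are not acting as routers: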
       /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
       /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
    These settings can be added to /etc/sysctl.conf to make them permanent.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
    Disable IP source routing on Windows NT 4
    First upgrade to the latest NT4 Service Pack (SP6 for NT4 Terminal Server, SP6a for all other versions of NT4). Versions of NT4 prior to SP6 can still be "tricked" into honoring source routing even if you have disabled it via the registry. See Q238453 for more information.
    After upgrading to NT Service Pack 6a, run the registry editor (regedit.exe) and browse to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • OpenBSD
    Disable IP source routing on OpenBSD
    IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:
       sysctl net.inet.ip.sourceroute
    If the option is not set to 0, you can set it to zero by issuing the following command:
       sysctl -w net.inet.ip.sourceroute=0
    These settings can be added to /etc/sysctl.conf to make them permanent.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Cisco PIX
    Disable IP source routing on Cisco PIX
    PIX firewalls are designed to drop IP packets with insecure options, including source routing. See the following Cisco support document for more information.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Sun Solaris
    Disable IP source routing on Solaris
    While you cannot completely disable Solaris's handling of source-routed packets directed at the Solaris host itself, you can prevent Solaris from forwarding source routed packets on to the next hop by issuing the following command:
       /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
    In order to make this setting permanent, you will need to set this option automatically when the machine is booted.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition, Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008 Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008
    Disable IP source routing on Windows Vista/2008
    Run the registry editor (regedit.exe) and browse to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003
    Disable IP source routing on Windows 2000/XP/2003
    Run the registry editor (regedit.exe) and browse to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
  • Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows ME
    Disable IP source routing on
    Microsoft has provided a fix for this issue, but requires users to contact Microsoft directly to obtain the fix. Please see MSKB article Q238453 for more information.
    You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
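
A check for the Linux item above, added here as an example and not part of the original post: it lists interfaces that still accept source-routed packets and verifies that /etc/sysctl.conf pins the setting at boot. The function names and the CONF_ROOT / SYSCTL_CONF overrides are this example's own; it relies on the kernel accepting such packets on an interface only when both conf/all and the interface's own value are non-zero.

```shell
#!/bin/sh
# Added example: audit Linux source-routing settings (runtime and boot-time).
# CONF_ROOT and SYSCTL_CONF are overridable so the audit can run on a copy.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# The kernel ANDs conf/all with the per-interface value, so an interface
# honours source-routed packets only when both are non-zero.
effective_asr() {   # usage: effective_asr <iface>   prints 0 or 1
    all=$(cat "$CONF_ROOT/all/accept_source_route" 2>/dev/null || echo 0)
    own=$(cat "$CONF_ROOT/$1/accept_source_route" 2>/dev/null || echo 0)
    if [ "$all" != 0 ] && [ "$own" != 0 ]; then echo 1; else echo 0; fi
}

# Print every interface that still accepts source-routed packets.
exposed_ifaces() {
    for d in "$CONF_ROOT"/*/; do
        ifc=$(basename "$d")
        case "$ifc" in all|default) continue ;; esac
        [ "$(effective_asr "$ifc")" = 1 ] && echo "$ifc"
    done
    return 0
}

# Value sysctl.conf applies at boot for a key (last assignment wins).
# Prints "unset" when the key is absent or only present in a comment.
# Only the single file named by SYSCTL_CONF is inspected.
persisted_value() {  # usage: persisted_value <key>
    k=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots literally
    v=$(sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
        "$SYSCTL_CONF" 2>/dev/null | tail -n 1)
    echo "${v:-unset}"
}

# Returns 0 only when the runtime and the boot-time settings are both safe.
audit() {
    rc=0
    key=net.ipv4.conf.all.accept_source_route
    bad=$(exposed_ifaces)
    [ -z "$bad" ] || { echo "runtime: source routing accepted on: $bad"; rc=1; }
    [ "$(persisted_value "$key")" = 0 ] || { echo "boot: $key not set to 0"; rc=1; }
    return $rc
}

# Run against the live system with: sh script.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```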
