- IBM AIX
Disable IP source routing on IBM AIX
Issue the following command to disable forwarding of source routed packets:
/usr/sbin/no -o nonlocsrcroute=0
Also, issue the following command to disable the sending of source routed packets:
/usr/sbin/no -o ipsrcroutesend=0
To make these settings permanent, add both commands to /etc/rc.net.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- FreeBSD
Disable IP source routing on FreeBSD
IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:
sysctl net.inet.ip.sourceroute
If the option is not set to 0, you can set it to zero by issuing the following command:
sysctl -w net.inet.ip.sourceroute=0
These settings can be added to /etc/sysctl.conf to make them permanent.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Cisco IOS
Disable IP source routing on Cisco IOS
Use the 'no ip source-route' command to disable source-routing on the affected interface(s).
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- SGI Irix
Disable IP source routing on SGI Irix
Issue the following command to disable forwarding of source routed packets:
/usr/sbin/systune ipforward to 2
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Linux
Disable IP source routing on Linux
Source routing is disabled by default. On Linux kernel 2.2 and earlier, this setting was controlled by the contents of the following proc file:
/proc/sys/net/ipv4/conf/all/accept_source_route
However, in more recent versions of Linux, the source route setting is controlled by several sysctl variables. Issue the following command to drop all source routed packets:
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Also, issue the following commands to disable forwarding of any frames with source routing options:
/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
These settings can be added to /etc/sysctl.conf to make them permanent.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
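An added example (not part of the original page): a Python audit that compares the live values of the three Linux settings above with what is persisted in sysctl.conf, so a setting applied with `sysctl -w` but never saved is flagged before a reboot silently reverts it. The function names, the status labels and the sample data in `demo()` are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Keys and values taken from the sysctl commands above.
REQUIRED = {
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.forwarding": "0",
    "net.ipv4.conf.all.mc_forwarding": "0",
}

def persisted(conf_text: str) -> dict:
    """Parse sysctl.conf text; a later assignment overrides an earlier one."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # '/' is also accepted as a separator; safe to normalise for these keys
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings

def runtime(proc_sys: Path, key: str):
    """Read the live value from a /proc/sys-style tree, or None if absent."""
    path = proc_sys.joinpath(*key.split("."))
    return path.read_text().strip() if path.is_file() else None

def audit(proc_sys: Path, conf_text: str) -> dict:
    """Classify each key: ok, runtime-only (lost at reboot), persisted-only, unset."""
    saved = persisted(conf_text)
    report = {}
    for key, want in REQUIRED.items():
        live_ok = runtime(proc_sys, key) == want
        saved_ok = saved.get(key) == want
        report[key] = ("ok" if live_ok and saved_ok else "runtime-only" if live_ok
                       else "persisted-only" if saved_ok else "unset")
    return report

def demo() -> dict:
    """Constructed sample: a temp tree standing in for /proc/sys and a conf body."""
    conf = ("# constructed sample\nnet.ipv4.conf.all.accept_source_route = 0\n"
            "net/ipv4/conf/all/mc_forwarding=0\n")
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "net", "ipv4", "conf", "all")
        base.mkdir(parents=True)
        for name, value in (("accept_source_route", "0"), ("forwarding", "0"), ("mc_forwarding", "1")):
            (base / name).write_text(value + "\n")
        return audit(Path(tmp), conf)
```

On a real host, call `audit(Path("/proc/sys"), Path("/etc/sysctl.conf").read_text())`; the example reads only the one file this page names.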
- Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable IP source routing on Windows NT 4
First upgrade to the latest NT4 Service Pack (SP6 for NT4 Terminal Server, SP6a for all other versions of NT4). Versions of NT4 prior to SP6 can still be "tricked" into honoring source routing even if you have disabled it via the registry. See Q238453 for more information.
After upgrading to NT Service Pack 6a, run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- OpenBSD
Disable IP source routing on OpenBSD
IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:
sysctl net.inet.ip.sourceroute
If the option is not set to 0, you can set it to zero by issuing the following command:
sysctl -w net.inet.ip.sourceroute=0
These settings can be added to /etc/sysctl.conf to make them permanent.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Cisco PIX
Disable IP source routing on Cisco PIX
PIX firewalls are designed to drop IP packets with insecure options, including source routing. See the following Cisco support document for more information.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Sun Solaris
Disable IP source routing on Solaris
While you cannot completely disable Solaris's handling of source-routed packets directed at the Solaris host itself, you can prevent Solaris from forwarding source routed packets on to the next hop by issuing the following command:
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
In order to make this setting permanent, you will need to set this option automatically when the machine is booted.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition, Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008 Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008
Disable IP source routing on Windows Vista/2008
Run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003
Disable IP source routing on Windows 2000/XP/2003
Run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows ME
Disable IP source routing on
Microsoft has provided a fix for this issue, but requires users to contact Microsoft directly to obtain the fix. Please see MSKB article Q238453 for more information.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
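An added example (not part of the original page) of what the firewall advice repeated in each section means at the byte level: a Python routine that walks the IPv4 header options, reports any loose or strict source route option (types 0x83 and 0x89 in RFC 791), and shows one way to "scrub" by overwriting the option with no-op bytes and recomputing the header checksum. The function names are assumptions, and the sample header is constructed with documentation addresses.

```python
import struct

LSRR, SSRR, EOL, NOP = 0x83, 0x89, 0x00, 0x01  # IPv4 option types, RFC 791

def checksum(header: bytes) -> int:
    """One's-complement header checksum (0 when run over a valid header)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def source_route_options(packet: bytes):
    """Return [(offset, type, length)] for each LSRR/SSRR option in the header."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or ihl > len(packet) or packet[0] >> 4 != 4:
        raise ValueError("not a well-formed IPv4 header")
    found, i = [], 20
    while i < ihl:
        opt = packet[i]
        if opt == EOL:
            break
        if opt == NOP:
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed option length")  # drop, do not guess
        if opt in (LSRR, SSRR):
            found.append((i, opt, packet[i + 1]))
        i += packet[i + 1]
    return found

def scrub(packet: bytes) -> bytes:
    """Overwrite source-route options with NOPs and recompute the checksum."""
    buf = bytearray(packet)
    ihl = (buf[0] & 0x0F) * 4
    for off, _, length in source_route_options(packet):
        buf[off:off + length] = bytes([NOP]) * length
    buf[10:12] = b"\x00\x00"
    buf[10:12] = struct.pack("!H", checksum(bytes(buf[:ihl])))
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed 28-byte header with one LSRR option (documentation addresses)."""
    opts = bytes([LSRR, 7, 4, 192, 0, 2, 1, EOL])  # type, len, pointer, hop, pad
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x47, 0, 28, 0, 0, 64, 1, 0,
                                bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9])) + opts)
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)
```

A "reject" policy drops the packet whenever `source_route_options()` returns a non-empty list or raises; a "scrub" policy forwards the output of `scrub()` instead.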