What is It?
In computer networking, source routing, also known as path addressing, is a technique whereby the sender of a packet can partially or completely specify the route the packet takes through the network. This contrasts with conventional routing, where each router examines the destination IP of every packet to determine the next hop to forward it to (the best available path).
There are two types of source routing: loose and strict. In loose source routing, the sender specifies only some of the nodes the packet will pass through; in strict source routing, the complete set of nodes is determined before the packet is sent.
Source routing is mainly used for easier troubleshooting and enhanced traceroute. It also allows a node to discover all possible routes to a destination.
How Does Source Routing Work?
In the Internet Protocol (IPv4), there are built-in header options that let the sender of a packet force the path instead of following the normal best-path routing implemented by every routing protocol. Specifically, the rarely used Strict Source Route (SSR) and Loose Source Route (LSR) header options are what enable the source routing mechanism. In IPv6, the header that allows for source routing is called the Type 0 Routing header (RH0).
In IPv4, a partial or complete list of nodes on the network can be specified using the LSR and SSR options respectively. The node address list cannot be longer than 40 bytes, which is the maximum size of the options part of the IPv4 header. This allows at most 9 routing nodes to be defined for IPv4 networks.
In IPv6, on the other hand, source routing is implemented in an extension header that has no size limit of its own. Assuming packet fragmentation is not allowed, the IPv6 extension header size is limited only by the maximum packet size defined by the link MTU (Maximum Transmission Unit). In this case, 90 routing nodes can be defined inside a packet where the MTU is 1500 bytes.
To state it upfront, source routing is not considered secure, and the IETF recommends that it be disabled by default on network devices and operating systems. Following this recommendation, almost all network devices ship with source routing disabled, and most network administrators do not allow it. In this sense, IPv4 networks can be considered safe with respect to source routing security issues.
For IPv6 (which was supposed to be more secure than IPv4 by its design goals), RH0 turned out to cause more significant security issues than its IPv4 counterpart, since several attacks were found against it. It has therefore been deprecated by the IETF, meaning it is not used currently.
Attack 1: Information Gathering
Even if source routing is not allowed on a network, an attacker can send a source-routed IP packet and use the ICMP (Internet Control Message Protocol) response to gather information (e.g., the operating system) about the target computer or network device. For this reason, the default configuration should drop IP source-routed packets in order to prevent leaking information about the network devices and their configuration.
Attack 2: Network Topology Discovery
Source routing can be used by attackers to probe the network by forcing packets into specific parts of it. This allows an attacker to collect information about the network's topology, or other information that could be useful in performing an attack.
Attack 3: IP Spoofing
LSR can allow an attacker to spoof an address and successfully receive response packets by forcing return traffic for spoofed packets to pass through the attacker’s device. For this reason, packets marked as LSR are usually blocked on the Internet.
Attack 4: Bypass Security Measures
As another way of exploiting source routing, an attacker can direct packets so that existing security restrictions are bypassed.
Attack 5: Network Congestion (DoS)
As explained above, in IPv6 source routing is implemented in an extension header that is not limited in size. Depending on the IPv6 configuration, this can allow an attacker to define 90 nodes or more that packets must pass through on the network. This could let an attacker with a limited upload link congest the network significantly, resulting in DoS (Denial of Service).
For the reasons briefly described above, source routing should not be allowed on any network device or operating system by default. Also, as a best practice, source-routed packets should be dropped to prevent any kind of information leakage that attackers could use to conduct attacks.
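As an added example (not code from the original article), the following Python checks a raw IPv4 or IPv6 packet for the LSR/SSR options and the Type 0 Routing header described in the "How Does Source Routing Work?" section, and extracts the hop list so a filter can drop the packet as recommended above. The option type values and header layouts follow RFC 791 and RFC 2460; the builders and all addresses (taken from documentation prefixes) are constructed sample input, and the function names are this example's own.

```python
import ipaddress
import struct

IPV4_LSRR, IPV4_SSRR = 131, 137   # LSRR / SSRR option type values (RFC 791)
IPV6_ROUTING, IPV6_RH0 = 43, 0    # Routing extension header; Routing Type 0 (RH0)
IPV6_EXT = {0, 43, 44, 60}        # Hop-by-Hop, Routing, Fragment, Destination Options

def ipv4_source_route(pkt):
    """Return ('LSRR'|'SSRR', hops) if the IPv4 header carries a source-route option, else None."""
    i, ihl = 20, min((pkt[0] & 0x0F) * 4, len(pkt))   # options follow the 20-byte fixed header
    while i < ihl and pkt[i] != 0:                    # option type 0 = End of Option List
        typ = pkt[i]
        ln = 1 if typ == 1 else (pkt[i + 1] if i + 1 < ihl else 0)   # NOP has no length byte
        if (typ != 1 and ln < 2) or i + ln > ihl:     # malformed option: stop instead of over-reading
            break
        if typ in (IPV4_LSRR, IPV4_SSRR):             # layout: type, length, pointer, 4-byte addresses
            hops = [str(ipaddress.IPv4Address(pkt[i + 3 + k:i + 7 + k])) for k in range(0, ln - 3, 4)]
            return ("LSRR" if typ == IPV4_LSRR else "SSRR", hops)
        i += ln
    return None

def ipv6_rh0(pkt):
    """Return the hop list if the IPv6 packet carries a Type 0 Routing header, else None."""
    nxt, off = pkt[6], 40                             # Next Header of the fixed 40-byte header
    while nxt in IPV6_EXT and off + 8 <= len(pkt):
        if nxt == IPV6_ROUTING and pkt[off + 2] == IPV6_RH0:
            # Hdr Ext Len counts 8-octet units, 2 per address; never read past the packet
            a, n = off + 8, min(pkt[off + 1] // 2, (len(pkt) - off - 8) // 16)
            return [str(ipaddress.IPv6Address(pkt[a + 16 * k:a + 16 * k + 16])) for k in range(n)]
        nxt, off = pkt[off], off + (8 if nxt == 44 else (pkt[off + 1] + 1) * 8)  # Fragment header is fixed 8 bytes
    return None

def should_drop(pkt):                                 # the article's advice: drop any source-routed packet
    ver = pkt[0] >> 4
    return bool(ipv4_source_route(pkt) if ver == 4 else ipv6_rh0(pkt) if ver == 6 else None)

def build_ipv4_lsrr(src, dst, hops):
    """Constructed sample: minimal IPv4 header plus an LSRR option, padded to a 4-byte boundary."""
    opt = bytes([IPV4_LSRR, 3 + 4 * len(hops), 4]) + b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    opt += b"\x00" * (-len(opt) % 4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opt) // 4), 0, 20 + len(opt), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opt

def build_ipv6_rh0(src, dst, hops):
    """Constructed sample: IPv6 header plus a Type 0 Routing header listing the hops."""
    rh = bytes([59, 2 * len(hops), IPV6_RH0, len(hops), 0, 0, 0, 0]) + b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(rh), IPV6_ROUTING, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + rh
```

With the builders you can confirm the limits the article gives: nine hops fill the 40-byte IPv4 option space, and ninety hops in an RH0 still fit a 1500-byte MTU.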