9 - 1
IP Routing – SANS GIAC LevelTwo
©2000, 2001
1
IP Routing
After completion of this webcast, the student will have a good foundation of how packets are routed
across IP networks. First we will examine the concept of static routing that most hosts use to decide
how to send traffic originating from the local host. We will also briefly introduce the Ethernet
protocol, since the majority of the IP network traffic is routed using this link layer medium. Much of
the traffic that needs to be routed is between hosts on the same physical network and that is where
the link layer comes into play.
Routing protocols provide the basis by which information is transferred between hosts on the
Internet. We’ll look at the protocols that provide dynamic routing. They are divided into
major categories based on the operating environment they are designed for. Besides explaining these
various environments, we will examine their potential strengths and weaknesses. Furthermore, we will
provide a basic overview of how the different protocols are susceptible to attack and how
some of these threats can be mitigated through simple router configuration changes.
Objectives
• Static Routing
– Sending packets from the local host
• Address Resolution Protocol (ARP)
– Getting packets from hop to hop
– Examples of malicious activity
• IP Options
– Loose source routing
– Strict source routing
• Dynamic Routing Protocols
– Interior Gateway Protocols
– Exterior Gateway Protocols
The “Objectives” slide outlines the different topics that we will be covering. First, we will look at
static routing which hosts employ to send traffic. Then, we’ll examine the protocols involved in the
transmission of packets on the local network. This will be followed by a discussion of IP options
and how they can be used to alter the course of packets as they travel toward their destination.
Then the various protocols that govern how packets traverse IP networks will be investigated.
Specifically, we will examine all of the protocols that affect the transmission of a packet from one
host to another. This transmittal can be as simple as sending a packet from one host to another on the
same local subnet, or as complex as sending a packet across the world.
Static Routing
All hosts, whether or not they are routers, have to be able to make initial decisions about how to
send traffic from the local host. They maintain a basic list known as a routing table that directs
traffic from the local host based on its final destination. This table is referenced often by the host
sending traffic, yet it is not updated very frequently – hence the name static routing.
In this section, we will examine the types of decisions hosts need to make about routing traffic and
some of the susceptibilities and exploits associated with static routing.
Local Routing Table
netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
---------------- ------------- ----- ----- ------ ---------
1.2.3.0 1.2.3.4 U 3 5 le0
127.0.0.1 127.0.0.1 UH 0 472 lo0
default 1.2.3.1 UG 0 5444
Look at the “Local Routing Table” slide to see a Unix host’s relatively static list of routes. The routing
decisions are made based on the destination of the traffic that is to be sent. This table was generated using the
netstat command with the -rn options, which list the routing table without trying to resolve IP
numbers to host names. This routing table is for host 1.2.3.4 on the 1.2.3.0 network.
The first line in the table says that any traffic bound for the 1.2.3.0 network should be directed through the
local host 1.2.3.4 using interface le0 which is one of its network interface designations. The flag of U says
that this route is up and the reference count indicates how many current connections are established through
that interface and the use column indicates how many packets have traveled through the interface.
The second line is for the local loopback address that is designated as 127.0.0.1. Some processes such as X
terminal applications (Netscape) require that the host talk to itself and this is the interface through which that
occurs.
The final line indicates the default destination that traffic should be sent if it doesn’t match any of the other
destinations in the routing table. This is a default gateway (noted with the G in the Flags column) which is a
router that will forward the traffic and direct it a hop closer to its final destination. This is used for traffic that
is destined for somewhere other than the 1.2.3.0 network and the local host.
Static Routing Decisions
• IP layer searches the routing table in the following
manner:
– Search for a matching host address
– Search for a matching network address
– Search for a default entry
Turning to the slide “Static Routing Decisions”, we see how the IP layer uses the routing table to
decide which interface to direct traffic to. If the destination host exactly matches a
routing table destination entry, the traffic is routed through the corresponding interface. If there is
no such matching entry, then the destination address is compared against all the routing table
destination entries to see if the network addresses match. The network address is determined by
combining the specified IP address and the subnet mask for the network. The first match is sent to
the specified network interface. Finally, if nothing else matches, the traffic is sent to the interface
with the “default” designation. This is usually a router on the same local network that will forward
the traffic to the destination.
Many hosts do not act as routers meaning that they do not forward traffic received through one
interface to another interface. Yet, they still need to be able to route traffic generated on the local
host to the correct interface. This is an important distinction.
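The three-step lookup just described (host entry, then network entry, then default) as an added, runnable example; this is not code from the course. The table is modelled on the netstat -rn output of the “Local Routing Table” slide for host 1.2.3.4, but the netmasks, the H flag on the loopback entry and le0 as the default route's interface are assumptions the slide does not state.

```python
import ipaddress

# Constructed routing table modelled on the slide's netstat -rn output for
# host 1.2.3.4. Assumptions: the netmasks, the "H" flag on the loopback
# entry and "le0" as the interface of the default route.
ROUTING_TABLE = [
    # (destination, netmask, gateway, flags, interface)
    ("1.2.3.0", "255.255.255.0", "1.2.3.4", "U", "le0"),
    ("127.0.0.1", "255.255.255.255", "127.0.0.1", "UH", "lo0"),
    ("default", "0.0.0.0", "1.2.3.1", "UG", "le0"),
]


def lookup_route(dest, table=ROUTING_TABLE):
    """The three-step search from the slide: an exact host entry first,
    then a network entry (first match wins), then the default entry."""
    dst = ipaddress.IPv4Address(dest)
    # 1. an exact host entry (flag H) whose destination equals the address
    for entry, mask, gw, flags, ifc in table:
        if "H" in flags and dst == ipaddress.IPv4Address(entry):
            return {"gateway": gw, "interface": ifc, "flags": flags, "match": "host"}
    # 2. a network entry: AND the destination with the entry's mask and compare
    for entry, mask, gw, flags, ifc in table:
        if entry == "default" or "H" in flags:
            continue
        if dst in ipaddress.IPv4Network((entry, mask)):
            return {"gateway": gw, "interface": ifc, "flags": flags, "match": "network"}
    # 3. the default entry, if the table has one
    for entry, mask, gw, flags, ifc in table:
        if entry == "default":
            return {"gateway": gw, "interface": ifc, "flags": flags, "match": "default"}
    raise LookupError("no route to " + dest)


def next_hop(dest, table=ROUTING_TABLE):
    """Address the link layer has to reach: the gateway when the route carries
    the G flag, otherwise the destination itself (directly connected)."""
    route = lookup_route(dest, table)
    return route["gateway"] if "G" in route["flags"] else dest


if __name__ == "__main__":
    for d in ("1.2.3.77", "127.0.0.1", "8.8.8.8"):
        print(d, lookup_route(d), "next hop", next_hop(d))
```

Note that a host that is not a router still performs exactly this lookup for its own outbound traffic; the distinction the paragraph draws is only about forwarding packets received on one interface out another.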
How Are Routes Added?
• Static routes are typically added during the boot
process
• Administrative changes can be made with the “route”
command
• ICMP router discovery messages
The next topic of discussion “How Are Routes Added?” is found on the following slide. Since
these routes are fairly static, they should be assigned during the boot process and remain mostly
unchanged. Some Unix systems have a file /etc/defaultrouter that initializes the routes; others
configure the routes in the boot scripts using the route command. The route command can be used
by the administrator to make changes for new interfaces.
Another way for a host to receive initial routes after the boot process is to issue a router solicitation
message using ICMP router discovery. Routers can respond to these solicitations to inform the host
of the router IP addresses along with a lifetime or number of seconds that the advertised router
addresses are considered to be valid.
How Are Routes Changed?
• ICMP redirect messages
• ICMP router discovery messages
Slide “How are Routes Changed?” lists the ways in which a relatively static routing table can be
informed of best routes or changing conditions on the network. A host might have entries in the
routing table that are not the most efficient ones. When this happens ICMP redirect messages are
sent to the host by a router that detects it is not the optimum router to be used. The host will adjust
its routing tables to use a more optimum router when sending traffic the next time to the destination
address that elicited the message.
Hosts that use the ICMP router discovery protocol (IRDP) can receive periodic advertisements of
available routers. They can change their routing tables to reflect any new information received.
Redirect
[Slide diagram: a misguided sending host, a non-optimum router, an optimum router and a target host. The sending host sends the datagram to the target host through the non-optimum router, which delivers it to the target host and tells the sender to use the optimum router next time.]
non-optimum.router > sending.host : icmp: redirect target.host to net optimum.router
The “ICMP Redirect” message discussed on the next slide allows a router to tell a sending host that
it is not the optimum router to be used for sending the traffic to the desired destination. The non-
optimum router forwards the traffic to the destination, but informs the sending host to change its
routing table so that a more optimum router is chosen the next time traffic is sent to the same
destination host.
In the case of the above slide, we have a misguided sending host attempting to send traffic to the
target host. It routes the traffic through the non-optimum router that forwards the traffic. However,
it issues an ICMP redirect to the misguided sending host to use the optimum router the next time.
Most hosts will perform some checks before changing their routing tables:
1) The optimum router must be on the directly connected network
2) The redirect must be from the non-optimum router that was attempted
3) The redirect must not tell the host to use itself as the optimum router
4) The optimum router must be a router and not a host
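The four checks listed above, as an added example of how a receiving host could apply them before touching its routing table; this is not code from the course or from any particular operating system. The host's address, its directly connected network, the set of addresses it knows to be routers, and the per-destination record of which gateway was actually used are all constructed for the example.

```python
import ipaddress

# Constructed view of the receiving host (all values are assumptions for
# the example): its own address, its directly connected network and the
# local addresses it knows to be routers.
HOST = {
    "address": "1.2.3.4",
    "network": ipaddress.IPv4Network("1.2.3.0/24"),
    "known_routers": {"1.2.3.1", "1.2.3.2"},
}


def check_redirect(src, target, new_gateway, routes_used, host=HOST):
    """Apply the four checks from the course to a redirect sent by router
    `src` saying 'reach `target` via `new_gateway`'. `routes_used` maps each
    destination to the gateway the datagram was actually sent through.
    Returns (accepted, reason)."""
    # 1) the new router must be on the directly connected network
    if ipaddress.IPv4Address(new_gateway) not in host["network"]:
        return False, "new router is not on the directly connected network"
    # 2) the redirect must come from the router that was used for this destination
    if routes_used.get(target) != src:
        return False, "redirect did not come from the router that was used"
    # 3) the redirect must not point the host at itself
    if new_gateway == host["address"]:
        return False, "redirect tells the host to use itself"
    # 4) the new router must be a router, not an ordinary host
    if new_gateway not in host["known_routers"]:
        return False, "new router is not a known router"
    return True, "ok"


def apply_redirect(src, target, new_gateway, routes_used, host=HOST):
    """Update the per-destination route only when every check passes."""
    ok, reason = check_redirect(src, target, new_gateway, routes_used, host)
    if ok:
        routes_used[target] = new_gateway
    return ok, reason


if __name__ == "__main__":
    routes = {"10.9.8.7": "1.2.3.1"}   # constructed: 10.9.8.7 was reached via 1.2.3.1
    print(apply_redirect("1.2.3.1", "10.9.8.7", "1.2.3.2", routes), routes)
    print(apply_redirect("1.2.3.1", "10.9.8.7", "5.6.7.8", routes), routes)
    print(apply_redirect("1.2.3.9", "10.9.8.7", "1.2.3.2", routes), routes)
```

Check 4 is the one most implementations approximate rather than enforce, since a host rarely has an authoritative list of local routers; the allow-list here stands in for whatever knowledge the host has (IRDP advertisements, boot-time configuration).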
IRDP DoS Exploit
[Slide diagram: duped.host normally routes through default.router; an IRDP message from spoofing.host redirects its default route to 4.4.4.4, a black hole.]
spoofing.host > duped.host : icmp: router advertisement
Now, for a different type of scenario for malicious ICMP messages, look at the next slide “IRDP
DoS Exploit”. In this case, we have a local or remote host that spoofs an ICMP router discovery
protocol router advertisement.
The duped.host listens for IRDP advertisements, receives one from spoofing.host, and changes its
routing table so that the default router is 4.4.4.4. Router 4.4.4.4 does not exist or is not accessible to
duped.host on the local network. So, all traffic that duped.host sends outbound will end up in a black
hole essentially causing a denial of service for outbound traffic for duped.host.
IRDP Windows Exploit
[Slide diagram: windows.host 192.168.59.181 has an actual default route through default.router 192.168.59.1; an ICMP router advertisement from spoofing.host 192.168.59.5 installs a redirected default route.]
Network Dest  Netmask  Gateway       Interface       Metric
0.0.0.0       0.0.0.0  192.168.59.1  192.168.59.181  1       (actual router)
0.0.0.0       0.0.0.0  192.168.59.5  192.168.59.181  0       (bogus router)
Let’s examine an IRDP attack seen on the slide “IRDP Windows Exploit”. As the name implies, this attack is
mostly limited to Windows hosts (95, 98 and 2000), although some Solaris hosts are susceptible too. If a
Windows host runs as a Dynamic Host Configuration Protocol (DHCP) client, it will obtain its default route
from the DHCP server. However, using IRDP Router Advertisements, a Windows host can be convinced to
use a different (incorrect) default route.
As you’ve no doubt witnessed from previous IRDP exploits, the ICMP Router Advertisement packets have no
way to authenticate that the sender is a legitimate trusted host. Therefore, if we can dupe the Windows host
into believing an incorrect default route, we can reroute data leaving the targeted host.
This is done by sending a Router Advertisement that contains two or more router
addresses to the target Windows host. Normally, if just one router address is included in the Router
Advertisement, the receiving host examines the source IP to make sure it is in the same subnet. However,
this check is erroneously not applied to the subsequent addresses in the Router Advertisement.
Therefore, a host outside the network can spoof multiple Router Advertisements and send them to the target
host (assuming the site does not block this type of ICMP message inbound).
Another field in the Router Advertisement tells the metric to be used. The formula for computing this for
Windows hosts is to subtract 1000 from the received metric value. In other words, if the metric in the Router
Advertisement that is sent is 1000, the receiving host will assign a metric of 0 to this route. What this
effectively does is to give this metric a higher precedence than the existing default router entry with a default
metric of 1. Look at part of the Windows routing table above to see the default and bogus entries. At this
point, traffic will be redirected to the default router assigned by the Router Advertisement packet with a metric
of 0. The man-in-the-middle host would then have to have IP forwarding on to send the wayward packets
through the real router.
This attack was submitted for GIAC certification by Kevin Black. Many thanks to Kevin for his great
analysis.
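The missing check the two IRDP slides turn on, written out as an added example of what a hardened receiver (or a sensor in front of it) should do with a router advertisement; this is not code from the course. It builds an RFC 1256 advertisement (type 9, code 0, a count of entries, entry size 2 words, a lifetime, then address/preference pairs) from constructed values, and validates that the ICMP checksum is good, that the source and every advertised address are on the local subnet, and optionally that each address is on an allow-list of known routers. The addresses 192.168.59.1, 192.168.59.5 and 4.4.4.4 are taken from the slides; the preferences and lifetime are assumptions.

```python
import ipaddress
import struct


def icmp_checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071); zero over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(entries, lifetime=1800):
    """Constructed RFC 1256 router advertisement: type 9, code 0, one
    (address, preference) pair per entry, entry size 2 (32-bit words)."""
    body = struct.pack("!BBH", len(entries), 2, lifetime)
    for addr, pref in entries:
        body += ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
    csum = icmp_checksum(struct.pack("!BBH", 9, 0, 0) + body)
    return struct.pack("!BBH", 9, 0, csum) + body


def validate_router_advertisement(src_ip, icmp, local_net, known_routers=None):
    """Return (accepted_entries, rejections). Every advertised address, not
    only the IP source, must lie on the local subnet; known_routers, if
    given, is an allow-list the advertised addresses must also be in."""
    if len(icmp) < 8:
        return [], ["truncated ICMP message"]
    typ, code, _csum, n, entry_size, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if typ != 9 or code != 0:
        return [], ["not a router advertisement (type %d, code %d)" % (typ, code)]
    if icmp_checksum(icmp) != 0:
        return [], ["bad ICMP checksum"]
    if entry_size != 2 or len(icmp) < 8 + 8 * n:
        return [], ["malformed entry size or short message"]
    net = ipaddress.IPv4Network(local_net)
    if ipaddress.IPv4Address(src_ip) not in net:
        return [], ["source %s not on %s" % (src_ip, net)]
    accepted, rejections = [], []
    for i in range(n):
        off = 8 + 8 * i
        addr = str(ipaddress.IPv4Address(icmp[off:off + 4]))
        (pref,) = struct.unpack("!i", icmp[off + 4:off + 8])
        if ipaddress.IPv4Address(addr) not in net:
            rejections.append("advertised router %s not on %s" % (addr, net))
        elif known_routers is not None and addr not in known_routers:
            rejections.append("advertised router %s not in allow-list" % addr)
        else:
            accepted.append((addr, pref, lifetime))
    return accepted, rejections


if __name__ == "__main__":
    # constructed: a legitimate first entry followed by the black-hole address
    adv = build_router_advertisement([("192.168.59.1", 0), ("4.4.4.4", 1000)])
    print(validate_router_advertisement("192.168.59.5", adv, "192.168.59.0/24"))
    print(validate_router_advertisement("192.168.59.5", adv, "192.168.59.0/24",
                                        known_routers={"192.168.59.1"}))
```

Applying the subnet test per entry is what closes the gap described above; the allow-list goes further and also stops an on-subnet host such as 192.168.59.5 from advertising itself, which no format check alone can do because the message carries no authentication.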
Static Routing Review
• Hosts maintain tables of destination routes
• These tables are normally static
• Initialized by boot scripts or IRDP
• ICMP messages can change entries
Slide “Static Routing Review” summarizes what we’ve learned in this section. Each host has a
routing table that is the mechanism used by the IP layer to direct traffic from the host to the correct
interface and closer to its destination. This is called static routing because these tables are relatively
stable and initialized with boot scripts or using ICMP router discovery protocol to populate the table.
Changes can be made to the routing tables using two different ICMP messages. The ICMP redirect
message informs the sending host that a given router used to send traffic to a given destination is not
the best one and informs the host of the better router. Also, IRDP messages inform the host of
changing conditions on the network and allow it to update its routing tables accordingly. As you’ve
witnessed, ICMP has no way of authenticating whether received messages are genuine and this is
sometimes exploited using man-in-the-middle or denial of service attacks. It is wise to disallow
these types of ICMP messages from entering your network from the outside.
Address Resolution Protocol (ARP)
Our next section begins with the “Address Resolution Protocol” slide. The basic foundation to the
movement of IP packets across a physical network is enabled by the Address Resolution Protocol
(ARP). This protocol, specified by RFC 826, provides the mechanism by which a host can map an
IP address to a hardware address, as well as caching this information for efficiency.
Why do we need ARP?
[Slide diagram: three cases, each shown with a Router: sending packets to hosts on the local subnet, sending packets to the local gateway, and sending packets between adjacent gateways.]
ARP provides a mechanism to determine the hardware addresses of hosts on the local network.
Turning to the slide “Why do we need ARP?”, we will examine exactly what the ARP protocol
provides us. Whenever computers communicate, they transmit packets which must travel from one
host to another host, usually via intermediate routers. While the IP address is used to route the
packet to its final destination, the packets travel from intermediate hop to intermediate hop using
Media Access Control (MAC) addresses. To make a distinction: the IP address is a "logical" address,
while the MAC is more of a "hardware" address. ARP is concerned with mapping the "logical" address to
the "hardware" address.
To maximize efficiency, hosts maintain an ARP table that lists the local hosts that have been
communicating with it recently. The entries eventually time out if there is no communication with
the host in a specified period.
ARP Request
[Slide diagram: hosts A, B and C on one network, with the addresses 172.21.164.140, 172.21.164.110 and 172.21.164.75; A is 172.21.164.140 and B is 172.21.164.75.]
Initial ARP cache for host A:
IP Address      MAC Address
172.21.164.50   00:E0:29:3D:B0:4D
arp who-has 172.21.164.75 tell 172.21.164.140
The next slide is entitled “ARP Request”. Host A wants to communicate with host B. Host A’s
ARP cache does not contain an entry with B’s IP address (172.21.164.75). Therefore, A broadcasts
an ARP request seeking the information. This request is broadcast to all of the hosts on the local
network, since A does not know which host has the IP address in question.
ARP Reply
[Slide diagram: the same hosts A (172.21.164.140), B (172.21.164.75) and C (172.21.164.110).]
Updated ARP cache for host A:
IP Address      MAC Address
172.21.164.50   00:E0:29:3D:B0:4D
172.21.164.75   00:E0:29:44:48:82
arp reply 172.21.164.75 is-at 0:E0:29:44:48:82
Turning to the slide “ARP Reply”, we can see how A’s ARP request is answered. After seeing the
ARP request for 172.21.164.75, host B sends an ARP reply to host A indicating that it is located at
00:E0:29:44:48:82.
When A receives this information it updates the ARP cache by adding an entry for 172.21.164.75.
Now host A can send packets to host B. As long as the entry remains in the cache, host A does
not need to issue any more ARP requests to send datagrams to host B, because it now has the
hardware address of host B. Host B also caches the information from host A about its IP address and
MAC address.
Malicious ARP packets
[Slide diagram: the same hosts A (172.21.164.140), B (172.21.164.75) and C (172.21.164.110); C sends the forged reply to A.]
arp reply 172.21.164.75 is-at 0:90:27:73:d1:31
Updated ARP cache for host A:
IP Address      MAC Address
172.21.164.50   00:E0:29:3D:B0:4D
172.21.164.75   00:90:27:73:D1:31
The next slide is “Malicious ARP Packets”. By altering a host’s ARP table, an attacker can alter
the course that packets take. Although packets transmitted after the table alteration will contain the
correct IP address, they will fail to reach the correct destination because their MAC address is
wrong.
In the example shown on the slide, host A’s ARP table contains an entry for host B. Host
C now sends out an unsolicited ARP reply to A stating that host B is at host C’s MAC address
(using B’s IP address as the sender address in the reply). Host A updates its ARP table, thinking that the
information came from B. Now any packets that A tries to send to B will be redirected to host C. In
this example, host C has launched a successful ARP spoofing attack against A. Host C can now
exploit any trusted relations between hosts A and B.
One saving grace is that ARP messages are only valid on the local network. They will not cross a
router. Therefore, to perform these malicious ARP spoofing attacks, the attacker must reside on the
local network.
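The forged reply on the slide is exactly what a passive ARP sensor on the segment (arpwatch-style) is built to catch. The following added example, which is not code from the course, parses raw 28-byte Ethernet/IPv4 ARP packets (RFC 826 layout) and raises an alert when a reply arrives that nobody asked for, or when it changes an IP-to-MAC mapping the sensor has already learned. The IP and MAC addresses of B and C come from the slides; host A's MAC address is constructed.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join("%02X" % x for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Constructed 28-byte ARP packet: htype 1 (Ethernet), ptype 0x0800 (IPv4),
    hlen 6, plen 4, then sender MAC/IP and target MAC/IP."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(pkt) < 28:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(pkt[8:14]), "spa": ip_str(pkt[14:18]),
            "tha": mac_str(pkt[18:24]), "tpa": ip_str(pkt[24:28])}


class ArpMonitor:
    """Passive sensor: remembers who asked for what, learns IP->MAC from
    replies, and flags replies that were never requested or that change a
    mapping already learned."""

    def __init__(self):
        self.table = {}       # ip -> mac learned from replies
        self.pending = set()  # (asking ip, target ip) pairs seen in requests

    def observe(self, pkt):
        a = parse_arp(pkt)
        alerts = []
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
            return alerts
        if a["op"] != ARP_REPLY:
            return alerts
        key = (a["tpa"], a["spa"])   # the request this reply would answer
        if key in self.pending:
            self.pending.discard(key)
        else:
            alerts.append("unsolicited reply: %s is-at %s sent to %s" % (a["spa"], a["sha"], a["tpa"]))
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:
            alerts.append("mapping changed: %s was %s, now %s" % (a["spa"], old, a["sha"]))
        self.table[a["spa"]] = a["sha"]
        return alerts


def slide_scenario():
    """Replay the three ARP slides: A asks for B, B answers, then C forges a
    reply claiming B's IP is at C's MAC. Returns the alerts per packet."""
    a_ip, b_ip = "172.21.164.140", "172.21.164.75"
    a_mac = "00:E0:29:AA:BB:CC"                       # constructed
    b_mac, c_mac = "00:E0:29:44:48:82", "00:90:27:73:D1:31"  # from the slides
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip),
        build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip),
        build_arp(ARP_REPLY, c_mac, b_ip, a_mac, a_ip),   # the forged reply
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(slide_scenario(), 1):
        print("packet", i, alerts or "ok")
```

Because ARP does not cross routers, the sensor has to sit on the same segment as the hosts it protects, which is the flip side of the point made above about where the attacker must be.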
ARP Theory Review
• ARP cache maps IP addresses to MAC addresses
• On physical networks, IP packets travel from hop-to-hop via
MAC addresses
• Many hosts accept unsolicited ARP replies, allowing spoofing
attacks
• Hosts cache ARP entries in a table for efficiency
• ARP spoofing attacks can only be launched on the local network
Wrapping up this section with “ARP Theory Review”, you’ve learned that ARP is the
mechanism used to map between IP addresses and MAC addresses. All IP datagrams are sent
using MAC addresses. They are hardware addresses of the medium that the packet must travel over.
Those sent outside the local network are addressed to the router’s hardware address.
A host has no way of authenticating that ARP replies are genuine and is susceptible to accepting and
caching MAC addresses that might not reflect the true host. ARP is a protocol that is limited to the
local network and is not routable.
IP Options
The next section begins with the slide “IP Options”. The IP options are specified in detail in RFC
791, “Internet Protocol”. They are appended to the end of the IP header and get processed by each
router as the packet travels to its destination. As the Internet has grown, however, these options have
become unnecessary. Processing IP options actually reduces the performance of a router because the
options field is of variable length. Nevertheless, several of the options can be used in a malicious
fashion to attack or gain reconnaissance on a network.
By understanding how these options can be misused, an administrator can take proactive steps to
ensure that these malicious packets do not enter their networks. Secondly, they will be able to look
for these packets to verify that their protective measures are configured correctly.
What are IP options?
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream Identification
Internet Timestamp
These options represent potential security holes that can be used to attack your network.
The next slide is “What are IP Options?”. Initially these options were designed as an enhancement
to the IP protocol to perform specific functions and provide alternate methods of tracking and
routing packets. The IP Options are:
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream ID
Internet Timestamp
The main options that we are interested in are the three highlighted in bold on the slide: Loose
Source Routing, Strict Source Routing and Record Route. These are the options that deal
with routing. Two of these options alter the normal path that a routed packet would take as it travels
through a network, while the third option records the path that a packet takes. By altering the normal
route, these options (if supported) can pose a tremendous risk to the security of the network by
bypassing security mechanisms such as firewalls and Intrusion Detection Systems.
IP Route Options
code | length | ptr | IP Address #1 | IP Address #2 | IP Address #3 | . . . | IP Address #9
Codes
0x83 - Loose Source Route Option
0x89 - Strict Source Route Option
0x07 - Record Route Option
On the slide, “IP Route Options” the format for the IP options that involve routing is displayed.
The code field defines the type of IP option that is being specified. The length field is used to
determine the number of IP Addresses in the list. And finally, the ptr references which IP address we
are currently at in the option list.
For Loose Source Routing and Strict Source Routing, the initiating host must construct the whole IP
routing list. Each gateway along the way inspects the list. If the pointer is greater than the length,
then the list is exhausted and the gateway routes the packet to its destination. If not, the gateway
fetches the IP address pointed to by the pointer, puts its own IP address in that field and routes the
packet to the address it fetched from the list. Just like record route, when the packet reaches its
destination, it has a list of IP addresses through which it traveled.
For Record Route, the list starts empty and accumulates IP addresses as the packet is routed across the
network to its destination.
Loose Source Routing
Loose source routing specifies only some of the intermediate hops on the route. The example illustrates a loose source route through Y.
[Slide diagram: host A, routers R, P, Y and D, and host X; the normal route from A to X is shown alongside the loose source route through Y.]
The next slide is “Loose Source Routing”. Loose source routing specifies a route that includes a
list of required nodes through which the packet must traverse. In the example shown, the option list
will initially contain the IP address Y. The initiating host uses the option address Y as the
destination address for the packet and places the address X on the option list.
Loose source routing refers to the fact that any number of intermediate routers may be traversed
between the routers listed in the options list. In our example, the first hop does not happen to be Y.
Instead, the packet must first go through P to reach Y.
Strict Source Routing
Strict source routing specifies a group of up to 9 intermediate routers, beginning at the source address, that the packets must traverse through. The example illustrates a strict route through P, Y, D.
[Slide diagram: host A, routers R, P, Y and D, and host X; the normal route from A to X is shown alongside the strict source route through P, Y and D.]
The next slide is “Strict Source Routing”. Strict source routing specifies the exact route that a
packet will travel between two hosts for up to the first 9 hops. In the example shown, the original
option address list consists of P, Y, and D. The initiating host takes P and uses it as the address of
the initial packet and places the true destination, X, as the last entry in option address list, which then
becomes Y, D, and X.
As the packet is routed through the network, each router compares its address to the destination
address of the packet. If they match, then the next address on the option list becomes the new
destination and the ptr is incremented. If the addresses do not match, then the packet is dropped and
an ICMP error message is returned to the initiating host.
If the end of the option list is reached before the final destination is reached, then routing proceeds
normally, until the final destination is reached.
Strict source routing refers to the fact that the list of routers must be followed exactly as specified in
the option list without any intervening routers, until the list is exhausted.
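The per-hop handling described on the “IP Route Options” slide and the loose and strict examples above, as an added simulation that is not code from the course. Addresses are plain strings and the option is kept as a dict rather than encoded bytes; the pointer and length follow the RFC 791 convention (pointer starts at 4, length is 3 + 4 × number of addresses), and the node names A, P, Y, D, R and X are those of the slides.

```python
LSRR, SSRR, RR = 0x83, 0x89, 0x07


def build_packet(src, final_dst, code, hops=(), record_slots=0):
    """Initiating-host side. For LSRR/SSRR the first listed hop becomes the
    packet's destination and the remaining hops plus the true destination
    form the option list; for RR the list starts empty (None placeholders)."""
    if code == RR:
        return {"src": src, "dst": final_dst,
                "option": {"code": RR, "ptr": 4, "addrs": [None] * record_slots}}
    hops = list(hops)
    dst = hops[0] if hops else final_dst
    return {"src": src, "dst": dst,
            "option": {"code": code, "ptr": 4, "addrs": hops[1:] + [final_dst]}}


def option_length(opt):
    return 3 + 4 * len(opt["addrs"])


def process_at(packet, node):
    """Gateway-side handling of the route option at one node, following the
    course's description. Updates the packet and returns the action taken."""
    opt = packet["option"]
    ptr, length = opt["ptr"], option_length(opt)
    if opt["code"] == RR:
        if packet["dst"] == node:
            return "deliver: final destination"
        if ptr > length:
            return "record route full, forward normally"
        opt["addrs"][(ptr - 4) // 4] = node
        opt["ptr"] += 4
        return "recorded " + node
    if packet["dst"] != node:
        if opt["code"] == SSRR:   # strict: every hop must be the listed one
            return "drop: strict route violated, ICMP error to " + packet["src"]
        return "forward normally"  # loose: unlisted intermediate hop
    if ptr > length:
        return "deliver: list exhausted"
    idx = (ptr - 4) // 4
    next_hop = opt["addrs"][idx]
    opt["addrs"][idx] = node      # record the address actually used
    opt["ptr"] += 4
    packet["dst"] = next_hop
    return "forward to " + next_hop


def simulate(packet, path):
    """Run the packet through the nodes it physically visits, in order
    (routers, then the final host), stopping on drop or delivery."""
    log = []
    for node in path:
        action = process_at(packet, node)
        log.append((node, action))
        if action.startswith(("drop", "deliver")):
            break
    return log


if __name__ == "__main__":
    loose = build_packet("A", "X", LSRR, ["Y"])
    print(simulate(loose, ["P", "Y", "D", "X"]), loose["option"]["addrs"])
    strict = build_packet("A", "X", SSRR, ["P", "Y", "D"])
    print(simulate(strict, ["P", "Y", "D", "X"]), strict["option"]["addrs"])
    record = build_packet("A", "X", RR, record_slots=9)
    print(simulate(record, ["P", "D", "R", "X"]), record["option"]["addrs"][:3])
```

The simulation makes the point of the slides concrete: after a loose or strict source route is consumed, the option area holds the list of hops actually used, the same information a record route collects, and a strict route that meets an unlisted hop is dropped with an error to the source.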
Record Route Option
[Slide diagram: host A, routers R, P, Y and D, and host X.]
The Record Route Option will collect the addresses of all of the routers that the packet went through.
The final option is covered by the slide labeled “Record Route Option”. Unlike the previous IP
options that we have discussed, the record route option does not alter the routing of the packet. It
simply records the addresses of all of the routers that the packet travels through. This information
represents extremely valuable reconnaissance information to an attacker.
In the example shown on the slide, the IP option list will contain the following addresses that were
discovered during its traversal from host A to host X: P, D, and R.
Detecting Source Routing
• IP header is greater than 20 bytes
• IP option field has a hexadecimal value of:
  83: loose source routing
  89: strict source routing
ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
14:19:31.800000 1.2.3.4 > 192.168.5.5: icmp: echo reply (DF)
4f00 0028 b5cb 4000 fe01 b229 0102 0304 c0a8 0505
8327 0402 0304 0501 0101 0102 etc.
(4f: first byte, low nibble is the IP header length; 83 ...: start of the IP options)
Examine the next slide, “Detecting Source Routing”. First, we have to detect an IP header of
greater than 20 bytes. The IP header length is stored in the low order nibble of the first byte of the IP
header. Values are given in 32-bit words (4 bytes), so a header length value greater than 5 might
indicate an IP option. Next, we look at the first byte of the IP option field, which is found at offset 20
in the IP header (ip[20]). Specifically, if we find a value of 83 or 89 in that byte, we can assume we’ve
got source routing.
On the slide we see where we’ve detected some traffic that appears to be source routed. We have to dump the
tcpdump output in hexadecimal (-x option of tcpdump) to verify that this is the case. You see that
the IP header length is set to the maximum value of a hexadecimal “f”, which is decimal 15. So, we have the
maximum header length of 60 bytes. We see that this is loose source routing because we find a
value of 83 in the first byte of the IP options.
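The slide's filter, carried through in code as an added example (not code from the course or from tcpdump): `matches_bpf` is a byte-for-byte equivalent of `ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)`, and `parse_ip_options` walks the option area properly, so that a source route option preceded by a one-byte NOP, which the fixed-offset test misses, is still found and its pointer and address list are decoded. The packets are constructed for the example rather than copied from the slide's truncated dump; the source 1.2.3.4 and destination 192.168.5.5 are the slide's, the listed hops 2.3.4.5 and 1.1.1.2 are constructed, and the header checksums are left as zero.

```python
SOURCE_ROUTE_CODES = {0x83: "loose source routing", 0x89: "strict source routing"}
ROUTE_OPTION_CODES = (0x83, 0x89, 0x07)   # LSRR, SSRR, Record Route

# Constructed IPv4 header with a loose source route option: 20 fixed bytes,
# then code 83, length 0b (3 + 2 addresses), ptr 04, two addresses and one
# pad byte, giving IHL 8 (32 bytes). Checksum field is zero.
SAMPLE_LSRR = bytes.fromhex(
    "4800 0020 b5cb 4000 fe01 0000 0102 0304 c0a8 0505"
    "830b 0402 0304 0501 0101 0200"
)
# Same option preceded by a NOP (01): ip[20] is now 01, not 83.
SAMPLE_NOP_LSRR = bytes.fromhex(
    "4800 0020 b5cb 4000 fe01 0000 0102 0304 c0a8 0505"
    "0183 0b04 0203 0405 0101 0102"
)
# Plain 20-byte header with no options.
SAMPLE_PLAIN = bytes.fromhex("4500 0014 0000 4000 4001 0000 0102 0304 c0a8 0505")


def matches_bpf(pkt):
    """Direct equivalent of the slide's tcpdump filter."""
    return (pkt[0] & 0x0F) > 5 and pkt[20] in (0x83, 0x89)


def parse_ip_options(pkt):
    """Walk the option area from byte 20 to the end of the header. EOL (0)
    and NOP (1) are single bytes; every other option is code, length, data.
    Route options are decoded into their pointer and address list."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    opts, i = [], 20
    while i < ihl:
        code = pkt[i]
        if code == 0:            # end of option list
            break
        if code == 1:            # no-operation padding
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option at offset %d" % i)
        data = pkt[i + 2:i + length]
        entry = {"code": code, "length": length}
        if code in ROUTE_OPTION_CODES and data:
            entry["ptr"] = data[0]
            entry["addrs"] = [".".join(str(b) for b in data[k + 1:k + 5])
                              for k in range(0, len(data) - 1, 4)]
        opts.append(entry)
        i += length
    return opts


def detect_source_routing(pkt):
    """Return (name, option) for a source-routed datagram, else (None, None)."""
    for opt in parse_ip_options(pkt):
        if opt["code"] in SOURCE_ROUTE_CODES:
            return SOURCE_ROUTE_CODES[opt["code"]], opt
    return None, None


if __name__ == "__main__":
    for name, pkt in (("lsrr", SAMPLE_LSRR), ("nop+lsrr", SAMPLE_NOP_LSRR), ("plain", SAMPLE_PLAIN)):
        print(name, "bpf:", matches_bpf(pkt), "parsed:", detect_source_routing(pkt))
```

The fixed-offset filter is cheap and catches the common case, which is why it is on the slide; the parser shows what a sensor needs in order not to be sidestepped by a NOP or another option placed in front of the source route, and it returns the hop list that an analyst would want to see in the alert.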
Source Route Exploit
[Slide diagram: a spoofing host, router1, router2, router3, a trusted host and a target host; the traffic arriving at the target host appears to be from the trusted host.]
Let’s take a look at one of the malicious uses of source routing on slide “Source Route Exploit”. In this slide,
we’ve got a spoofing host sending traffic to a target host pretending to be a trusted host. Normally, if a
spoofing host sends a bogus source IP number pretending to be trusted host and the target host receives the
traffic, any response will be sent back to the real trusted host. However, if source routing is allowed into the
network of the target host, we have just managed to subvert dynamic routing and have dictated the path we
want the datagram to take on its return trip – namely back to the spoofing host.
In this manner, we see that we can emulate a trusted host relationship with the target host. For instance, if the
target host allows access to the host based on trust – perhaps with no need for a password – we have just subverted
that relationship. Obviously, this is something that you do not want to allow into your network. Most routers
provide a command that disables the route options. For Cisco’s IOS, the command is simply
“no ip source-route”. Verifying that these options have been disabled is extremely important to the security of your
network.
Some spoofing attacks can also be eliminated through the use of packet filters. Almost every router should
contain a filter that drops any packets that are attempting to enter a network with a source address equal to one
of the addresses that are part of the destination network. These packets have obviously been spoofed.