
9 - 1
IP Routing – SANS GIAC LevelTwo
©2000, 2001
1
IP Routing
After completion of this webcast, the student will have a good foundation of how packets are routed
across IP networks. First we will examine the concept of static routing that most hosts use to decide
how to send traffic originating from the local host. We will also briefly introduce the Ethernet
protocol, since the majority of the IP network traffic is routed using this link layer medium. Much of
the traffic that needs to be routed is between hosts on the same physical network and that is where
the link layer comes into play.
Routing protocols provide the basis by which information is transferred between hosts on the
Internet. We’ll look at these protocols that provide for dynamic routing. They are divided into
major categories based on a specific operating environment. Besides explaining these various
environments, we will examine their potential strengths and weaknesses. Furthermore, we will
attempt to provide a basic overview of how the different protocols are susceptible to attack and how
some of these threats can be mitigated through simply router configuration changes.
Objectives
• Static Routing
– Sending packets from the local host
• Address Resolution Protocol (ARP)
– Getting packets from hop to hop
– Examples of malicious activity
• IP Options
– Loose source routing
– Strict source routing
• Dynamic Routing Protocols

Destination  Gateway    Flags  Refcnt  Use   Interface
1.2.3.0      1.2.3.4    U      3       5     le0
127.0.0.1    127.0.0.1  UH     0       472   lo0
default      1.2.3.1    UG     0       5444
Look at the “Local Routing Table” slide to see a Unix host’s relatively static list of routes. Routing
decisions are made based on the destination of the traffic that is to be sent. This table was generated using
the netstat command with the -rn options, which list the routing table without trying to resolve IP numbers
to host names. This routing table is for host 1.2.3.4 on the 1.2.3.0 network.
The first line in the table says that any traffic bound for the 1.2.3.0 network should be directed through the
local host 1.2.3.4 using interface le0, which is one of its network interface designations. The flag U says
that this route is up, the reference count indicates how many current connections are established through
that interface, and the use column indicates how many packets have traveled through the interface.
The second line is for the local loopback address, which is designated as 127.0.0.1. Some processes, such as
X terminal applications (Netscape), require that the host talk to itself, and this is the interface through
which that occurs.
The final line indicates the default destination to which traffic should be sent if it doesn’t match any of the
other destinations in the routing table. This is a default gateway (noted with the G in the Flags column),
which is a router that will forward the traffic and direct it a hop closer to its final destination. This is used
for traffic that is destined for somewhere other than the 1.2.3.0 network and the local host.
Static Routing Decisions
• IP layer searches the routing table in the following
manner:
– Search for a matching host address
– Search for a matching network address
– Search for a default entry
Turning to slide “Static Routing Decisions”, we see how the IP layer uses a routing mechanism to
decide which interface to direct traffic to. If the destination host matches the
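The lookup order on the “Static Routing Decisions” slide (host route, then network route, then default) applied to the table from the “Local Routing Table” slide, as an added example that is not code from the SANS notes. It assumes the 1.2.3.0 network is a /24 and that the default route (whose interface is cut off on the slide) leaves through le0; it also goes one step beyond the slide by choosing the most specific prefix when several network routes overlap, and it shows that a route without the G flag delivers directly to the destination rather than to a gateway.

```python
# Added example: a static routing table lookup in the order the slide gives
# (host route, then network route, then default). Not code from the SANS notes.
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str   # "default", a host address, or a network in CIDR form
    gateway: str
    flags: str         # U = up, G = gateway (indirect), H = host route
    interface: str


# Table reconstructed from the "Local Routing Table" slide for host 1.2.3.4.
# Assumptions: the 1.2.3.0 network is a /24, and the default route (whose
# interface is cut off on the slide) also leaves through le0.
ROUTING_TABLE: List[Route] = [
    Route("1.2.3.0/24", "1.2.3.4", "U", "le0"),
    Route("127.0.0.1", "127.0.0.1", "UH", "lo0"),
    Route("default", "1.2.3.1", "UG", "le0"),
]


def lookup(destination: str, table: List[Route] = ROUTING_TABLE) -> Tuple[Optional[Route], Optional[str]]:
    """Return (matching route, kind of match) where kind is 'host',
    'network' or 'default'; (None, None) when the table has no usable entry."""
    dst = ipaddress.ip_address(destination)
    up = [r for r in table if "U" in r.flags]   # only routes that are up

    # 1. A host route (flag H) matches the destination address exactly.
    for r in up:
        if "H" in r.flags and r.destination != "default" \
                and ipaddress.ip_address(r.destination) == dst:
            return r, "host"

    # 2. A network route matches when the destination lies inside the prefix.
    #    With several overlapping prefixes the most specific (longest) wins;
    #    the slide has only one, so this generalises it.
    nets = [(ipaddress.ip_network(r.destination, strict=False), r)
            for r in up if "H" not in r.flags and r.destination != "default"]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    for net, r in nets:
        if dst in net:
            return r, "network"

    # 3. Otherwise the default entry (the default gateway) is used.
    for r in up:
        if r.destination == "default":
            return r, "default"
    return None, None


def next_hop(destination: str, table: List[Route] = ROUTING_TABLE) -> Tuple[Optional[str], Optional[str]]:
    """Return (next-hop IP, interface). Without the G flag the route is
    direct, so the packet is delivered to the destination itself (ARP then
    finds its hardware address); with G it goes to the gateway."""
    route, _ = lookup(destination, table)
    if route is None:
        return None, None
    hop = route.gateway if "G" in route.flags else destination
    return hop, route.interface


if __name__ == "__main__":
    for d in ("1.2.3.77", "127.0.0.1", "192.0.2.9"):
        print(d, lookup(d)[1], next_hop(d))
```

Running the block prints a network match delivered directly on le0 for 1.2.3.77, a host match on lo0 for 127.0.0.1, and the default gateway 1.2.3.1 for anything off the local network.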

How Are Routes Changed?
• ICMP redirect messages
• ICMP router discovery messages
Slide “How Are Routes Changed?” lists the ways in which a relatively static routing table can be
informed of best routes or changing conditions on the network. A host might have entries in the
routing table that are not the most efficient ones. When this happens, ICMP redirect messages are
sent to the host by a router that detects it is not the optimum router to be used. The host will adjust
its routing table to use the better router the next time it sends traffic to the destination address that
elicited the message.
Hosts that use the ICMP router discovery protocol (IRDP) can receive periodic advertisements of
available routers. They can change their routing tables to reflect any new information received.
Redirect
[Slide diagram with four parties (misguided sending host, non-optimum router, optimum router, target
host) and three labeled steps: send datagram to target host; use optimum router next time; datagram
delivered to target host. The redirect as tcpdump shows it:]
non-optimum.router > sending.host: icmp: redirect target.host to net optimum.router

protocol router advertisement.
The duped.host listens for IRDP advertisements, receives one from spoofing.host, and changes its
routing table so that the default router is 4.4.4.4. Router 4.4.4.4 does not exist or is not accessible to
duped.host on the local network. So, all traffic that duped.host sends outbound will end up in a black
hole essentially causing a denial of service for outbound traffic for duped.host.
IRDP Windows Exploit
[Slide diagram: windows.host (192.168.59.181), default.router (192.168.59.1, the actual default route)
and spoofing.host (192.168.59.5), which sends an ICMP router advertisement that redirects the default
route. The Windows routing table afterwards:]
Network Dest  Netmask  Gateway       Interface       Metric
0.0.0.0       0.0.0.0  192.168.59.1  192.168.59.181  1        (actual router)
0.0.0.0       0.0.0.0  192.168.59.5  192.168.59.181  0        (bogus router)
Let’s examine an IRDP attack seen on the slide “IRDP Windows Exploit”. As the name implies, this attack is
mostly limited to Windows hosts (95, 98 and 2000), although some Solaris hosts are susceptible too. If a
Windows host runs as a Dynamic Host Configuration Protocol (DHCP) client, it will obtain its default route
from the DHCP server. However, using IRDP Router Advertisements, a Windows host can be convinced to
use a different (incorrect) default route.

interface and closer to its destination. This is called static routing because these tables are relatively
stable and initialized with boot scripts or using ICMP router discovery protocol to populate the table.
Changes can be made to the routing tables using two different ICMP messages. The ICMP redirect
message informs the sending host that a given router used to send traffic to a given destination is not
the best one and informs the host of the better router. Also, IRDP messages inform the host of
changing conditions on the network and allow it to update its routing tables accordingly. As you’ve
witnessed, ICMP has no way of authenticating whether received messages are genuine and this is
sometimes exploited using man-in-the-middle or denial of service attacks. It is wise to disallow
these types of ICMP messages from entering your network from the outside.
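The detection side of the two ICMP mechanisms above, as an added example that is not code from the SANS notes: a scan over tcpdump-style lines that flags router advertisements from anything other than a known router, redirects arriving from outside the local segment, and redirects (from any source) that point at a gateway the host could not reach, which is the black-hole case of the IRDP slide. The local network 192.168.59.0/24, the single known router 192.168.59.1 and every log line are constructed for the example, using the addressing of the “IRDP Windows Exploit” slide.

```python
# Added example: scanning tcpdump-style output for ICMP redirects and IRDP
# router advertisements that should not be trusted. Not from the SANS notes.
import ipaddress
import re
from typing import List, Tuple

# Policy for the example, taken from the IRDP slide's addressing: the local
# segment is assumed to be 192.168.59.0/24 and the only legitimate router on
# it is default.router, 192.168.59.1.
LOCAL_NET = ipaddress.ip_network("192.168.59.0/24")
KNOWN_ROUTERS = {ipaddress.ip_address("192.168.59.1")}

# Constructed lines in the format of the slide's tcpdump output (not a real capture).
SAMPLE_LOG = """\
192.168.59.1 > 192.168.59.181: icmp: redirect 10.9.8.7 to host 192.168.59.2
192.168.59.5 > 192.168.59.181: icmp: router advertisement
203.0.113.9 > 192.168.59.181: icmp: redirect 10.9.8.7 to net 203.0.113.1
192.168.59.1 > 192.168.59.181: icmp: redirect 10.9.8.7 to host 4.4.4.4
192.168.59.1 > 192.168.59.181: icmp: echo reply
"""

LINE_RE = re.compile(r"^(\S+) > (\S+): icmp: (.*)$")
REDIRECT_RE = re.compile(r"redirect (\S+) to (?:host|net) (\S+)")


def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one tcpdump line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    src, dst, body = m.groups()
    src_ip = ipaddress.ip_address(src)
    findings: List[Tuple[str, str]] = []
    if body.startswith("router advertisement"):
        # IRDP: the host would adopt the advertised router. Only a known
        # router may advertise; anything else is the spoofing.host case.
        if src_ip not in KNOWN_ROUTERS:
            findings.append(("alert", f"router advertisement from unknown router {src}"))
    elif body.startswith("redirect"):
        # A redirect may only come from a router on the local segment that
        # the host actually uses; from outside it must never be accepted.
        if src_ip not in LOCAL_NET:
            findings.append(("alert", f"ICMP redirect from outside the local network ({src})"))
        elif src_ip not in KNOWN_ROUTERS:
            findings.append(("alert", f"ICMP redirect from non-router host {src}"))
        r = REDIRECT_RE.search(body)
        if r:
            new_gw = ipaddress.ip_address(r.group(2))
            # Even a redirect from the right router is unauthenticated; a new
            # gateway that is not on the local segment cannot be reached and
            # would black-hole traffic for that destination.
            if new_gw not in LOCAL_NET:
                findings.append(("alert", f"redirect to unreachable gateway {new_gw}"))
            elif not findings:
                findings.append(("info", f"redirect from {src}: use {new_gw} for {r.group(1)}"))
    return findings


def scan(log: str) -> List[Tuple[str, str, str]]:
    """Run check_line over every line; return (severity, source, reason) tuples."""
    out: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        src = m.group(1) if m else "?"
        for sev, reason in check_line(line):
            out.append((sev, src, reason))
    return out


if __name__ == "__main__":
    for sev, src, reason in scan(SAMPLE_LOG):
        print(sev.upper(), src, reason)
```

On the sample, only the first line (a redirect from the known router to a gateway on the same segment) is logged at info level; the advertisement from 192.168.59.5, the redirect from 203.0.113.9 and the redirect pointing at 4.4.4.4 all raise alerts, which is the filtering the notes recommend at the network border.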
Address Resolution Protocol (ARP)
Our next section begins with the “Address Resolution Protocol” slide. The basic foundation for the
movement of IP packets across a physical network is provided by the Address Resolution Protocol
(ARP). This protocol, specified by RFC 826, provides the mechanism by which a host can map an
IP address to a hardware address, as well as caching this information for efficiency.
Why do we need ARP?
[Slide diagram: sending packets to hosts on the local subnet, with the sending host and a router on the
same segment.]
ARP provides a mechanism to determine the hardware addresses of hosts on the local network.
Turning to the slide “Why do we need ARP?” we will examine exactly what the ARP protocol
provides us. Whenever computers communicate, they transmit packets which must travel from one
host to another host, usually via intermediate routers. While the IP address is used to route the
packet to its final destination, the packets travel from intermediate hop to intermediate hop using
Media Access Control (MAC) addresses. To make a distinction: the IP address is a "logical" address;
the MAC is more of a "hardware" address. ARP is concerned with mapping the "logical" address to
the "hardware" address.
To maximize efficiency, hosts maintain an ARP table that lists the local hosts that have been
communicating with them recently. The entries eventually time out if there is no communication with
the host within a specified period.
ARP Request
[Slide diagram: hosts A (172.21.164.140), B (172.21.164.75) and C (172.21.164.110) on one segment.]
Initial ARP cache for host A:
IP Address      MAC Address
172.21.164.50   00:E0:29:3D:B0:4D
arp who-has 172.21.164.75 tell 172.21.164.140
The next slide is entitled “ARP Request”. Host A wants to communicate with host B. Host A’s
ARP cache does not contain an entry with B’s IP address (172.21.164.75). Therefore, A broadcasts

Malicious ARP packets
[Slide diagram: the same hosts A, B and C; host C sends an unsolicited reply for B's address:]
arp reply 172.21.164.75 is-at 0:90:27:73:d1:31
Updated ARP cache for host A:
IP Address      MAC Address
172.21.164.50   00:E0:29:3D:B0:4D
172.21.164.75   00:90:27:73:D1:31
The next slide is “Malicious ARP Packets”. By altering a host’s ARP table, an attacker can alter
the course that packets take. Although packets transmitted after the table alteration will contain the
correct IP address, they will fail to reach the correct destination because their MAC address is
wrong.
In the example shown on the previous slide, host A’s ARP table contains an entry for host B. Host
C now sends out an unsolicited ARP reply to A stating that host B is at host C’s MAC address
(using the source IP address of B in the reply). Host A updates its ARP table, thinking that the
information came from B. Now any packets that A tries to send to B will be redirected to host C. In
this example, host C has launched a successful ARP spoofing attack against A. Host C can now
exploit any trust relationships between hosts A and B.
One saving grace is that ARP messages are only valid on the local network. They will not cross a
router. Therefore, to perform these malicious ARP spoofing attacks, the attacker must reside on the
local network.
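The exchange on the two ARP slides seen from the monitoring side, as an added example that is not code from the SANS notes: an ARP-cache monitor fed with tcpdump-style lines that flags a reply nobody asked for, a MAC address that changes for an IP already in the cache, and one MAC answering for two IP addresses. The initial cache entry and host C's reply are taken from the slides; the legitimate MAC for host B (0:a0:c9:11:22:33) and the order of the lines are constructed for the example. It also normalises the unpadded MAC format tcpdump prints (0:90:27:...) against the padded form the slide's cache uses.

```python
# Added example: an ARP-cache monitor that flags the unsolicited reply the
# slide describes. Not code from the SANS notes; the legitimate MAC for host
# B and the traffic order are constructed for the example.
import re
from typing import Dict, List, Set


def normalize_mac(mac: str) -> str:
    """tcpdump prints MAC bytes without zero padding (0:90:27:...); the slide's
    cache shows them padded. Normalise so both forms compare equal."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


WHO_HAS_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"arp reply (\S+) is-at (\S+)")


class ArpMonitor:
    """Tracks IP -> MAC bindings as seen on the wire from host A's viewpoint."""

    def __init__(self, cache: Dict[str, str]):
        self.cache = {ip: normalize_mac(m) for ip, m in cache.items()}
        self.pending: Set[str] = set()      # IPs asked for and not yet answered
        self.findings: List[str] = []

    def feed(self, line: str) -> List[str]:
        """Process one tcpdump ARP line; return the findings for that line."""
        new: List[str] = []
        m = WHO_HAS_RE.search(line)
        if m:
            self.pending.add(m.group(1))
            return new
        m = REPLY_RE.search(line)
        if not m:
            return new
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if ip not in self.pending:
            # Nobody asked: exactly what host C does on the slide.
            new.append(f"unsolicited ARP reply for {ip} ({mac})")
        old = self.cache.get(ip)
        if old is not None and old != mac:
            new.append(f"MAC for {ip} changed from {old} to {mac}")
        others = [i for i, m2 in self.cache.items() if m2 == mac and i != ip]
        if others:
            # One hardware address now answers for two IPs: the classic spoof signature.
            new.append(f"{mac} already belongs to {', '.join(others)}")
        self.cache[ip] = mac
        self.pending.discard(ip)
        self.findings.extend(new)
        return new


# Constructed traffic in the slide's tcpdump format. The first reply uses a
# made-up MAC for host B; the second is the slide's spoofed reply from host C.
SAMPLE_ARP = [
    "arp who-has 172.21.164.75 tell 172.21.164.140",
    "arp reply 172.21.164.75 is-at 0:a0:c9:11:22:33",
    "arp reply 172.21.164.75 is-at 0:90:27:73:d1:31",
]


def run_sample() -> ArpMonitor:
    """Replay the sample from host A's initial cache (taken from the slide)."""
    mon = ArpMonitor({"172.21.164.50": "00:E0:29:3D:B0:4D"})
    for line in SAMPLE_ARP:
        mon.feed(line)
    return mon


if __name__ == "__main__":
    for f in run_sample().findings:
        print("ALERT:", f)
```

The legitimate request/reply pair produces nothing; host C's reply produces two alerts (unsolicited, and a changed binding for 172.21.164.75). A reply reusing a MAC already bound to another IP would trigger the third check even if the victim's cache had no prior entry for that IP.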

ensure that these malicious packets do not enter their networks. Secondly, they will be able to look
for these packets to verify that their protective measures are configured correctly.
What are IP options?
  Security
  Loose Source Routing
  Strict Source Routing
  Record Route
  Stream Identification
  Internet Timestamp
These options represent potential security holes that can be used to attack your network.
The next slide is “What are IP Options?”. Initially these options were designed as an enhancement
to the IP protocol to perform specific functions and provide alternate methods of tracking and
routing packets. The IP Options are:
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream ID
Internet Timestamp
The main options that we are interested in are the ones highlighted in bold on the slide: Loose Source
Routing, Strict Source Routing and Record Route. These are the options that deal with routing. Two of
these options alter the normal path that a routed packet would take as it travels through a network, while
the third option records the path that a packet takes. By altering the normal route, these options (if
supported) can pose a tremendous risk to the security of the network by

Loose Source Routing
Loose source routing specifies only some of the intermediate hops on the route. The example illustrates a
loose source route through Y.
[Slide diagram: host A reaches host X through routers P, Y, R and D, with the normal route marked for
comparison.]
The next slide is “Loose Source Routing”. Loose source routing specifies a route that includes a
list of required nodes through which the packet must traverse. In the example shown, the option list
will initially contain the IP address Y. The initiating host uses the option address Y as the
destination address for the packet and places the address X on the option list.
Loose source routing refers to the fact that any number of intermediate routers may be traversed
between the routers listed in the option list. In our example, the first hop does not happen to be Y.
Instead, the packet must first go through P to reach Y.
Strict Source Routing
Strict source routing specifies a group of up to 9 intermediate routers, beginning at the source address,
that the packets must traverse.

Record Route Option
[Slide diagram: the same hosts A and X and routers P, Y, R and D as on the source routing slides.]
The Record Route option will collect the addresses of all of the routers that the packet went through.
The final option is covered by the slide labeled “Record Route Option”. Unlike the previous IP
options that we have discussed, the record route option does not alter the routing of the packet. It
simply records the addresses of all of the routers that the packet travels through. This information
represents extremely valuable reconnaissance information to an attacker.
In the example shown on the slide, the IP option list will contain the following addresses that were
discovered during its traversal from host A to host X: P, D, and R.
Detecting Source Routing
• IP header is greater than 20 bytes
• IP option field has a hexadecimal value of:
  83: loose source routing
  89: strict source routing
ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)

Source Route Exploit
[Slide diagram: a spoofing host sends traffic to a target host that appears to be traffic from the trusted
host:]
14:19:31.800000 1.2.3.4 > 192.168.5.5: icmp: echo reply (DF)
Let’s take a look at one of the malicious uses of source routing on slide “Source Route Exploit”. In this slide,
we’ve got a spoofing host sending traffic to a target host pretending to be a trusted host. Normally, if a
spoofing host sends a bogus source IP number pretending to be trusted host and the target host receives the
traffic, any response will be sent back to the real trusted host. However, if source routing is allowed into the
network of the target host, we have just managed to subvert dynamic routing and have dictated the path we
want the datagram to take on its return trip – namely back to the spoofing host.
In this manner, we see that we can emulate a trusted host relationship with the target host. For instance, if the
target host allows access to the host based on trust – perhaps no need for a password, we have just subverted
that relationship. Obviously, this is something that you do not want to allow into your network. Most routers
provide a command that disables the route options. For Cisco’s IOS, the command is simply “no ip
source-route”. Verifying that these options have been disabled is extremely important to the security of
your network.
Some spoofing attacks can also be eliminated through the use of packet filters. Almost every router should
contain a filter that drops any packets that are attempting to enter a network with a source address equal to one
of the addresses that are part of the destination network. These packets have obviously been spoofed.
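The two border checks from the “Detecting Source Routing” slide and the paragraph above, as an added example that is not code from the SANS notes: an IPv4 header parser that walks the option list for the loose (0x83), strict (0x89) and record route (0x07) options, and an ingress check that also drops a packet arriving on the outside interface with a source address inside the internal network. The block reproduces the slide's tcpdump expression as well and shows its limit: it only tests ip[20], so an option preceded by a NOP byte escapes it while the full walk still finds it. The packets, the internal network 192.168.5.0/24 and the hop address 198.51.100.7 (a documentation address) are constructed here; nothing is sent on the wire.

```python
# Added example: parsing the IPv4 header to apply the two checks from the
# notes, a source-route option and a spoofed internal source address. Not
# from the SANS notes; the packets are constructed here and never sent.
import ipaddress
import struct
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 0x83, 0x89
ROUTING_OPTIONS = {IPOPT_LSRR: "loose source route", IPOPT_SSRR: "strict source route",
                   IPOPT_RR: "record route"}


def build_ipv4_header(src: str, dst: str, options: bytes = b"", proto: int = 1) -> bytes:
    """Build a bare IPv4 header (no payload, checksum left 0) as test input."""
    options += b"\x00" * ((-len(options)) % 4)       # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fixed + options


def source_route_bytes(kind: int, hops: List[str]) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first address), addresses."""
    addrs = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([kind, 3 + len(addrs), 4]) + addrs


def tcpdump_filter_matches(hdr: bytes) -> bool:
    """The slide's expression: ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)."""
    return (hdr[0] & 0x0F) > 5 and hdr[20] in (IPOPT_LSRR, IPOPT_SSRR)


def find_routing_option(hdr: bytes) -> Optional[Tuple[int, List[str]]]:
    """Walk the whole option list (the slide's filter only looks at ip[20], so a
    NOP placed before the option would slip past it). Returns (type, addresses)."""
    ihl = hdr[0] & 0x0F
    if ihl <= 5:
        return None                      # 20-byte header: no options at all
    opts = hdr[20:ihl * 4]
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                        # truncated or malformed option
        length = opts[i + 1]
        if t in ROUTING_OPTIONS:
            body = opts[i + 3:i + length]    # skip type, length and pointer
            addrs = [str(ipaddress.ip_address(body[k:k + 4]))
                     for k in range(0, len(body) - 3, 4)]
            return t, addrs
        i += length
    return None


def ingress_check(hdr: bytes, from_outside: bool, internal_net: str) -> List[str]:
    """Reasons to drop a packet at the border router; an empty list means accept."""
    reasons: List[str] = []
    opt = find_routing_option(hdr)
    if opt is not None:
        reasons.append(f"{ROUTING_OPTIONS[opt[0]]} option (0x{opt[0]:02x}) via {opt[1]}")
    src = ipaddress.ip_address(hdr[12:16])
    if from_outside and src in ipaddress.ip_network(internal_net):
        reasons.append(f"spoofed source {src} claims to be inside {internal_net}")
    return reasons


# Constructed test packets. 192.168.5.0/24 is assumed to be the target host's
# network; 198.51.100.7 is a documentation (TEST-NET-2) address used as the hop.
INTERNAL_NET = "192.168.5.0/24"
PKT_LSRR = build_ipv4_header("1.2.3.4", "192.168.5.5",
                             source_route_bytes(IPOPT_LSRR, ["198.51.100.7"]))
PKT_NOP_LSRR = build_ipv4_header("1.2.3.4", "192.168.5.5",
                                 bytes([IPOPT_NOP]) + source_route_bytes(IPOPT_LSRR, ["198.51.100.7"]))
PKT_SPOOF = build_ipv4_header("192.168.5.9", "192.168.5.5")
PKT_PLAIN = build_ipv4_header("1.2.3.4", "192.168.5.5")

if __name__ == "__main__":
    for name, pkt in (("lsrr", PKT_LSRR), ("nop+lsrr", PKT_NOP_LSRR),
                      ("spoof", PKT_SPOOF), ("plain", PKT_PLAIN)):
        print(name, tcpdump_filter_matches(pkt), ingress_check(pkt, True, INTERNAL_NET))
```

The plain echo reply from 1.2.3.4 passes; the source-routed variants are dropped whether or not a NOP precedes the option (only the option walk catches the second), and the packet claiming an internal source on the outside interface is dropped even though its header carries no options at all.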

