Hello,
I have been experimenting with the socket option SO_DONTROUTE as limited application-level protection against a source routing attack. When I open the socket for listening (TCP) I set this option, thus all packets which are returned by my application will not make it back to the originator unless the routing tables lead it there. Although it does not prevent a bogus node from sending data to the application, it does prevent data from returning to the node. Thus, something like sendmail can be "somewhat" more secure about hosts which contact it.
Any comments on this approach?
The only drawback I have discovered is that seemingly some vendors chose to implement this and some did not.
Your comments appreciated,
John
John L. MacFarlane (John.MacFarlane@Software.com)
Software.com
6487A Calle Real (805) 967-5022
Santa Barbara, California 93117 (805) 964-4507 Fax.
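The approach described in the message above relies on the accepted connection sockets carrying the listener's SO_DONTROUTE setting, since those are the sockets the application actually writes its replies on. The following is an added example (not the author's code) that sets the option on a loopback listener, accepts a connection, and reads the option back from the accepted socket; it assumes a Linux or BSD kernel, where accepted sockets inherit the listener's socket options.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set SO_DONTROUTE on fd and read it back. Returns 1 if the option is
 * now set, 0 if the kernel silently left it clear, -1 on error. */
int set_dontroute(int fd)
{
    int on = 1;
    socklen_t len = sizeof(on);
    if (setsockopt(fd, SOL_SOCKET, SO_DONTROUTE, &on, sizeof(on)) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_DONTROUTE, &on, &len) < 0)
        return -1;
    return on ? 1 : 0;
}

/* Listen on 127.0.0.1 with SO_DONTROUTE set on the listener, connect a client,
 * accept, and report whether the accepted socket still carries the option
 * (1 = inherited, 0 = not inherited, -1 = a socket call failed). */
int accepted_inherits_dontroute(void)
{
    int lfd = -1, cfd = -1, afd = -1, result = -1, on = 0;
    socklen_t len = sizeof(on);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                      /* let the kernel pick a free port */
    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (set_dontroute(lfd) != 1) goto out;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto out;
    len = sizeof(sa);
    if (getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) goto out;
    if (listen(lfd, 1) < 0) goto out;
    /* Loopback is directly attached, so a DONTROUTE peer can still reach it. */
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto out;
    if ((afd = accept(lfd, NULL, NULL)) < 0) goto out;
    len = sizeof(on);
    if (getsockopt(afd, SOL_SOCKET, SO_DONTROUTE, &on, &len) == 0)
        result = on ? 1 : 0;
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return result;
}
```

A return value of 0 on some vendor's stack would mean replies on accepted connections are routed normally despite the listener setting, which is the inheritance check worth running before relying on this option.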