Great Circle Associates Firewalls
(March 1994)
 


Subject: Source Routing & SO_DONTROUTE
From: "John L. MacFarlane" <John . MacFarlane @ Software . com>
Date: Wed, 16 Mar 1994 11:08:31 -0800
To: firewalls @ GreatCircle . COM

Hello,

I have been experimenting with the socket option SO_DONTROUTE as limited 
application level protection against a source routing attack. When I open 
the socket for listening (TCP) I set this option, thus all packets which are 
returned by my application will not make it back to the originator unless the 
routing tables lead it there. Although it does not prevent a bogus node from 
sending data to the application, it does prevent data from returning to the 
node. Thus, something like sendmail can be "somewhat" more secure about hosts 
which contact it.

Any comments on this approach?

The only drawback I have discovered is that seemingly some vendors chose to 
implement this and some did not.

Your comments appreciated,

John




John L. MacFarlane (John . MacFarlane @ Software . com)
Software.com
6487A Calle Real                  (805) 967-5022
Santa Barbara, California 93117   (805) 964-4507 Fax.
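
The approach described in the message above, as an added example that is not part of the original post: a TCP listener that sets SO_DONTROUTE before bind/listen and refuses to start if the option is rejected or does not read back as set, which addresses the vendor-support drawback the message mentions. The helper names, the loopback address and the backlog of 16 are assumptions made for illustration; the readback only shows the stack stored the flag, not how it routes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Returns 1 if SO_DONTROUTE reads back as set on fd, 0 if clear, -1 on error. */
int dontroute_enabled(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, SOL_SOCKET, SO_DONTROUTE, &val, &len) < 0)
        return -1;
    return val != 0;
}

/* Hypothetical helper: open a TCP listener on addr:port (port 0 = ephemeral)
 * with SO_DONTROUTE set. Returns the listening fd, or -1 on any failure. */
int open_dontroute_listener(const char *addr, uint16_t port)
{
    struct sockaddr_in sa;
    int on = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    /* Fail closed: never listen unless the option was accepted AND reads back. */
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        setsockopt(fd, SOL_SOCKET, SO_DONTROUTE, &on, sizeof(on)) < 0 ||
        dontroute_enabled(fd) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_dontroute_listener("127.0.0.1", 0);
    printf("listener %s\n", fd >= 0 ? "up with SO_DONTROUTE" : "refused to start");
    if (fd >= 0)
        close(fd);
    return fd < 0;
}
```

Call dontroute_enabled() on each descriptor returned by accept() as well, rather than assuming it inherited the listener's setting.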

