com, replying to (I think) paul @
>> Either pre-fill the packet with enough (bogus?) recorded routes to
>> fill the IP options field
>That would be hard to get around, yes. Any magic tag you put in there
>to say "this is REAL recorded info" can be spoofed by the attacker too.
>Hmmm... I don't know enough to think of a counter to that.
You have to use due care. At some topological positions in the
Internet, you'd strip out any RR options you found, and replace them,
at others, you'd leave them alone and just record yourself in it.
For example, at ingress from a customer to an ISP, you'd strip
and replace. At ingress from an untrusted or unco-operative downstream
ISP, you might do the same. In the middle of the cloud, or at any sort of
egress from it, you'd respect any existing option.
It's by no means perfect, I figure it's about as useful as the
return path header in a usenet article -- quite possibly has some useful
info in it, but it's a *starting* *point* for investigation, not a
>> Besides, the backbone routers of most service providers probably
>> can't do this and keep up with current traffic loads, since any
>> packet rewriting is generally out of the fast path...
>It would probably be possible to get that fixed if this turns into a big
You'd do the hard work at the edges, and only update the RR options
in the middle. This is hard enough, and is indeed out of the slow path for
most everything. However, you'd only be doing it to SYN packets, which
account for something like 10% or less of the traffic. Assuming that
essentially all traffic is legitimate, you have 5 setup/teardown packets and
at least 1 data packet for a TCP connection, and RR options would, by and
large, appear only in 1 of those (or possibly 2, depending). All UDP
traffic, and at least 5/6 of the TCP traffic could still be fast-pathed.
And, to be sure, it's a fairly safe bet that the fast path would
learn about RR options, quickly, if this became standard practice.
Regardless, the main thing is to persuade the bulk of front-line
connectivity providers to filter out bogus source addresses. I called up
my ISP already, and also told our network security guys to filter at our
router as well. Everyone else on this list has done the same, right? ;)