Firewalls: RE: Just a little question on source routing...

Firewalls
(November 1996)

Indexed By Thread: [Previous] [Next]

Subject:	RE: Just a little question on source routing...
From:	Dana Nowell <DanaNowell @ corsof . com>
Date:	Mon, 18 Nov 1996 08:23:22 -0500
To:	jjorel @ silr . ireste . fr
Cc:	Firewalls @ greatcircle . com

On Mon, 11 Nov 1996 08:26:17 -0100 Jean-Charles JOREL said:
>
>Hello,
>
>	I met a new kernel message on my linux box that i had never
>	encountered before.
>
>	Here a sample of my /var/adm/messages:
>
>Nov 15 00:25:53 silr kernel: ICMP: 192.48.96.17: Source Route Failed.
>Nov 15 03:29:14 silr kernel: ICMP: 192.48.96.7: Source Route Failed.
>Nov 15 03:30:12 silr kernel: ICMP: 192.48.96.14: Source Route Failed.
>Nov 15 03:51:39 silr kernel: ICMP: 192.48.96.14: Source Route Failed.
>Nov 15 05:58:07 silr kernel: ICMP: 192.48.96.14: Source Route Failed.
>Nov 15 06:34:14 silr kernel: ICMP: 192.48.96.8: Source Route Failed.
>Nov 15 06:42:07 silr kernel: ICMP: 192.48.96.7: Source Route Failed.
>Nov 15 06:57:48 silr kernel: ICMP: 192.48.96.16: Source Route Failed.
>Nov 15 08:33:12 silr kernel: ICMP: 134.32.107.21: Source Route Failed.
>
>	My question is simple!
>
>	These messages are producted by a bad config of my linux box, or
>	they are logs of source routing attack on my host??? :(

I've seen this on Linux boxes with traffic from a specific site.  The site
was using a packet filtering router at that time and packets were being
rejected, the rejects caused the problem.  
Happened in my case because the site wanted different internal and external
mail routing so it advertized all internal sites with a low MX value then
advertized the mail hub with a higher value.  All mail destined for
'internal' machines bounces the first time due to packet filter block, then
succeeds via the hub record (the hub delivers internally correctly because
of the first MX record, what a pain in the butt).  Since we do alot of
business with these people, it caused quite a flurry of activity.

For the record, I complained about the mail routing (and the type of reject)
and was told, we don't know how else to solve the problem.  So I told them,
then they decided they didn't have the resources to maintain that type of
solution.  After awhile I gave up.  Now I drop them (if source routed, punt
packet) at the front door. Hope you have better luck with your problem.


Dana Nowell                               Voice (603) 595-7480 EXT 28
Cornerstone Software Inc.                 FAX   (603) 882-7313
Work: DanaNowell @
 corsof .
 com               Home: dana @
 nowell .
 mv .
 com
MIME attachments preferred, BINHEX and uuencoded acceptable.
As usual, I speak only for myself.

Indexed By Date	Previous:	Re: Microwave & Satelite From: Robert Black <r . black @ ic . ac . uk>
Indexed By Date	Next:	Re: Question ? From: peter @ baileynm . com (Peter da Silva)
Indexed By Thread	Previous:	Just a little question on source routing... From: Jean-Charles JOREL <jjorel @ silr . ireste . fr>
Indexed By Thread	Next:	Question ? From: RAGHAVENDRA M <cs93318 @ rohini>