Configuring this value in the most secure fashion can help to lower the risk for DOS attacks via packet spoofing. The objective of this kind of attack is to flood the target with an overwhelming volume of traffic when the attacker does not care about receiving responses to the attack packet. Packets with spoofed IP addresses are more difficult to filter since they hide the true source of the attack.
Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CSH by CalCom is automating the entire server hardening process. CHS’s unique ability to ‘learn’ your network abolishes the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production hassle-free. want to know more? Click here and get the datasheet.
This blog post will cover:
- What is IP Source Routing Protection Level policy?
- The potential vulnerability in this setting
- Countermeasures for mitigating this vulnerability
- The potential impact of the configuration change
- CalCom’s recommended value
- How to change the configuration
The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the SCE.
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. Microsoft recommends configuring this setting to Not Defined for enterprise environments and to Highest Protection for high-security environments to completely disable source routing.
An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.
BLIND SPOOFING ATTACKS – PACKET SPOOFING:
Sometimes attackers do not actually need a connection with a server host; rather they just need to spoof a single packet, to do a certain thing. In this case, all an attacker needs to do is to inject a packet/datagram/segment, and set a fake source address. As you can probably see, this is quite a big flaw and security vulnerability in TCP/IP, as the TCP/IP suite makes absolutely no attempt at verifying that the supplied source address is actually the real one.
Say, for example, there is a game that allows you to play against somebody over the Internet, but instead of using the TCP protocol for transferring the data to each opponent, it uses UDP for extra speed. Imagine that the author of the game writes a little routine that made the play quit/submit the game if they send the string “LOSE” in the UDP datagram, and this option is accessed via a little menu on the game. All an attacker has to do to make his opponent lose the game is spoof a UDP datagram to appear as if it originated from your opponent, and inject the string “LOSE” into it. Here is a basic diagram of what would be happening during one of these packet-spoofing attacks:
Host X: SRC (Host C), DATA (“LOSE”) -> Host S
…Host S closes the session, and Host C loses the game…
The datagram sent by Host X (the attacker) had a spoofed source address, pretending to be from Host C (the opponent). The game server receives the datagram, presumed it was from Host C, and consequently ended the game, leaving Host X as the winner.
This does not seem like a huge security flaw, but what if this was a login server we were attacking, which the author had written to automatically execute commands specified by the sender just by checking that the source address was right? Then the system would be at risk.
Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is completely disabled.
The possible values for this registry entry are:
- 0, 1, or 2. The default configuration is 1 (source-routed packets are not forwarded).
In the SCE UI, the following list of options appears:
- No additional protection- source-routed packets are allowed.
- Medium- source-routed packets ignored when IP forwarding is enabled.
- Highest protection- source routing is completely disabled.
- Not Defined.
If you configure this value to 2, all incoming source routed packets will be dropped.
CALCOM’S RECOMMENDED VALUE:
Highest protection, source routing is completely disabled (2)
HOW TO CONFIGURE:
The policy referenced configures the following registry value:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\
Value Name: DisableIPSourceRouting
Value Type: REG_DWORD
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)” to “Highest protection, source routing is completely disabled”.