Understanding Network Reconnaissance Using IP Options
The IP standard RFC 791, Internet Protocol, specifies a set of options for providing special routing controls, diagnostic tools, and security.
RFC 791 states that these options are “unnecessary for the most common communications” and, in reality, they rarely appear in IP packet headers. These options appear after the destination address in an IP packet header, as shown in Figure 59. When they do appear, they are frequently being put to some illegitimate use.
Figure 59: Routing Options

Uses for IP Packet Header Options
Table 69 lists the IP options and their accompanying attributes.
Table 69: IP Options and Attributes
| Type | Class | Number | Length | Intended Use | Nefarious Use |
|---|---|---|---|---|---|
| End of Options | 0* | 0 | 0 | Indicates the end of one or more IP options. | None. |
| No Options | 0 | 1 | 0 | Indicates there are no IP options in the header. | None. |
| Security | 0 | 2 | 11 bits | Provides a way for hosts to send security, TCC (closed user group) parameters, and Handling Restriction Codes compatible with Department of Defense (DoD) requirements. (This option, as specified in RFC 791, Internet Protocol, and RFC 1038, Revised IP Security Option, is obsolete.) Currently, this screen option is applicable only to IPv4. | Unknown. However, because it is obsolete, its presence in an IP header is suspect. |
| Loose Source Route | 0 | 3 | Varies | Specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices in between those specified. | Evasion. The attacker can use the specified routes to hide the true source of a packet or to gain access to a protected network. |
| Record Route | 0 | 7 | Varies | Records the IP addresses of the network devices along the path that the IP packet travels. The destination machine can then extract and process the route information. (Due to the size limitation of 40 bytes for both the option and storage space, this can only record up to 9 IP addresses.) Currently, this screen option is applicable only to IPv4. | Reconnaissance. If the destination host is a compromised machine in the attacker's control, he or she can glean information about the topology and addressing scheme of the network through which the packet passed. |
| Stream ID | 0 | 8 | 4 bits | (Obsolete) Provided a way for the 16-bit SATNET stream identifier to be carried through networks that did not support the stream concept. Currently, this screen option is applicable only to IPv4. | Unknown. However, because it is obsolete, its presence in an IP header is suspect. |
| Strict Source Route | 0 | 9 | Varies | Specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option is applicable only to IPv4. | Evasion. An attacker can use the specified routes to hide the true source of a packet or to gain access to a protected network. |
| Timestamp | 2** | 4 | | Records the time (in coordinated universal time [UTC]***) when each network device receives the packet during its trip from the point of origin to its destination. The network devices are identified by IP address. This option develops a list of IP addresses of the devices along the path of the packet and the duration of transmission between each one. Currently, this screen option is applicable only to IPv4. | Reconnaissance. If the destination host is a compromised machine in the attacker's control, he or she can glean information about the topology and addressing scheme of the network through which the packet has passed. |

\* The class of options identified as 0 was designed to provide extra packet or network control.

\*\* The class of options identified as 2 was designed for diagnostics, debugging, and measurement.

\*\*\* The timestamp uses the number of milliseconds since midnight UTC. UTC is also known as Greenwich Mean Time (GMT), which is the basis for the international time standard.
Screen Options for Detecting IP Options Used for Reconnaissance
The following screen options detect IP options that an attacker can use for reconnaissance or for some unknown but suspect purpose:
- Record Route—Junos OS detects packets where the IP option is 7 (record route) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- Timestamp—Junos OS detects packets where the IP option list includes option 4 (Internet timestamp) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- Security—Junos OS detects packets where the IP option is 2 (security) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
- Stream ID—Junos OS detects packets where the IP option is 8 (stream ID) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.
If a packet with any of the previous IP options is received, Junos OS flags this as a network reconnaissance attack and records the event for the ingress interface.
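As an added example (not Juniper's code), the following Python walks the option list of an IPv4 header the way the table and screen options above describe: it splits each type octet into its copied flag, class and number, validates option lengths so a malformed list is rejected rather than skipped, and reports which of the four screened options (security, timestamp, record route, stream ID) are present. The header builder, addresses and option bytes are constructed test data, not a real capture.

```python
import socket
import struct

# (class, number) pairs from the table above; per RFC 791 the type octet is
# copied flag (1 bit) | class (2 bits) | number (5 bits).
SCREENED_OPTIONS = {
    (0, 2): "security",
    (2, 4): "timestamp",
    (0, 7): "record-route",
    (0, 8): "stream-id",
}


def decode_option_type(type_octet):
    """Split an IP option type octet into (copied flag, class, number)."""
    return type_octet >> 7, (type_octet >> 5) & 0x3, type_octet & 0x1F


def parse_ipv4_options(header):
    """Return one dict per option found between the fixed header and IHL*4.

    A missing or out-of-range length field raises ValueError so a packet
    crafted to confuse the parser is rejected instead of passed through.
    """
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        copied, cls, num = decode_option_type(opts[i])
        if opts[i] in (0, 1):  # End of Options / No Operation are single octets
            found.append({"class": cls, "number": num, "length": 1})
            if opts[i] == 0:
                break
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length at offset %d" % i)
        found.append({"class": cls, "number": num, "length": opts[i + 1]})
        i += opts[i + 1]
    return found


def reconnaissance_options(header):
    """Names of screened options present, as the screens above would flag."""
    return [SCREENED_OPTIONS[(o["class"], o["number"])]
            for o in parse_ipv4_options(header)
            if (o["class"], o["number"]) in SCREENED_OPTIONS]


def build_ipv4_header(options=b"", src="192.0.2.1", dst="198.51.100.7"):
    """Constructed IPv4 header (test data, not a capture) carrying options."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


# Constructed sample: record route (type 7) with room for one address.
RECORD_ROUTE_PKT = build_ipv4_header(b"\x07\x07\x04" + b"\x00" * 4)
```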
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices