Profile Applicability:
 • Level 1

Description:
 Source routed packets allow the sender to specify the route a packet should take through the network. Accepting these packets can be exploited by attackers to bypass security controls and intercept or manipulate traffic. Disabling acceptance enhances network security.

Rationale:
 Rejecting source routed packets prevents attackers from influencing network routing paths and reduces the risk of man-in-the-middle and traffic interception attacks.

Impact:
 Pros:

  • Protects against routing-based network attacks.

  • Enhances integrity and security of network traffic.

Cons:

  • May affect legitimate network traffic in some complex routing scenarios.

Default Value:
 Many systems accept source routed packets by default unless configured otherwise.

Pre-requisites:

  • Root or sudo privileges to modify system network settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check current settings for source routed packet acceptance:

sysctl net.ipv4.conf.all.accept_source_route  
sysctl net.ipv4.conf.default.accept_source_route

2. Confirm both values are set to 0 (disabled).

Implementation Plan:

Using Linux command line:

1. Disable acceptance of source routed packets temporarily:

sysctl -w net.ipv4.conf.all.accept_source_route=0  
sysctl -w net.ipv4.conf.default.accept_source_route=0

2. Persist the settings by adding to /etc/sysctl.conf or a file in /etc/sysctl.d/:

net.ipv4.conf.all.accept_source_route = 0  
net.ipv4.conf.default.accept_source_route = 0

Backout Plan:

Using Linux command line:

1. Re-enable acceptance of source routed packets if necessary:

sysctl -w net.ipv4.conf.all.accept_source_route=1  
sysctl -w net.ipv4.conf.default.accept_source_route=1

2. Update configuration files accordingly and reload sysctl.

References: