Rule:

--
Sid:
475

--
Summary:
This event is generated when a network host generates an ICMP datagram with Record Route IP options.

--
Impact:
Packets containing IP Record Route options are used to emulate the functionality of traceroute. 

--
Detailed Information:
The Record Route IP option is used to store routing information about the path a datagram takes to its destination.  ICMP ECHO packets with an IP header utilizing the Record Route option are used to emulate the functionality of traceroute.

--
Attack Scenarios:
A remote attacker may attempt to use the Record Route IP option to determine routing information if traceroute fails.

--
Ease of Attack:
Numerous tools and scripts can generate this type of datagram.

--
False Positives:
Network diagnostic tools may generate these types of datagrams.

--
False Negatives:
None known

--
Corrective Action:
Use ingress filtering to block incoming datagrams with the IP Record Route option.

--
Contributors:
Original rule writer unknown
Sourcefire Vulnerability Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--
Additional References:

--
