Por que o “ping -j” não funciona?

Por que o ping -j não funciona?

Loose Source Routing, especificado usando ping -j , tracert -j ou pathping -g , pode ser usado para especificar um sistema pelo qual os pacotes devem passar antes de prosseguir para o destino.

No entanto, o roteamento de origem tem um grande potencial de abuso (veja adiante) e, portanto, a maioria dos administradores de rede bloqueia todos os pacotes roteados por origem em seus roteadores de borda .

Então, na prática, as Loose Source Routes não vão funcionar.

Isso é lamentável, pois a capacidade de ver uma Rota Reversa (que pode ser feita usando o Roteamento de Origem) seria muito útil ao usar tracert e pathping para diagnosticar problemas de rede.

• Rotas normais e inversas podem ser (e geralmente são) completamente diferentes ("assimétricas").
• Se forem diferentes, um problema na conexão pode ser um problema com a rota para o destino ou com a rota de volta do destino.
• Um problema refletido em uma saída do Traceroute pode, na verdade, não estar no sistema óbvio no rastreio; pode ser que haja algum outro sistema na rota inversa do sistema que parece, do rastreamento, ser a causa do problema.

O caminho inverso em si é completamente invisível na saída normal do Traceroute.

Há um artigo interessante em Os perigos do roteamento de origem explicando os riscos quando a fonte está perdida O roteamento está ativado.

O que é roteamento de origem?

Source Routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network.

Remember that as a packet travels through the network, each router will examine the "destination IP address" and choose the next hop to forward the packet to. In source routing, the "source" (i.e. the sender) makes some or all of these decisions

In strict source routing, the sender specifies the exact route the packet must take. This is virtually never used.

The more common form is loose source record route (LSRR), in which the sender gives one or more hops that the packet must go through

LSRR can be used in a number of ways for hacking purposes. Sometimes machines will be on the Internet, but will not be reachable. (It may be using a private address like 10.0.0.1). However, there may be some other machine that is reachable to both sides that forwards packets. Someone can then reach that private machine from the Internet by source routing through that intermediate machine.

Fonte Roteamento de origem

O roteamento de origem deve ser desativado?

Cisco routers normally accept and process source routes. Unless a network depends on it, source routing should be disabled.

Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.

Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.

Fonte O roteamento de origem de IP está habilitado para o roteador (CiscoIpsourceRoutingEnabled)

O que é uma rota inversa?

Any connection over the Internet actually depends on two routes: the route from your system to the server, and the route from that server back to your system. These routes may be (and often are) completely different (asymmetric). If they differ, a problem in your connection could be a problem with either the route to the server, or with the route back from the server. A problem reflected in a traceroute output may actually not lie with the obvious system in your trace; it may rather be with some other system on the reverse route back from the system that looks, from the trace, to be the cause of the problem.

So a traceroute from you to the server is only showing you half of the picture. The other half is the return route or reverse route. So how can you see that route?

In the good old days, you could use source routing with traceroute to see the reverse trace back to you from a host. The idea is to specify what is called a loose source route, which specifies a system your packets should pass through before proceeding on to their destination.

The ability to use loose source routing to see the reverse route could be pretty handy. Unfortunately, source routing has a great potential for abuse, and therefore most network administrators block all source-routed packets at their border routers. So, in practice, loose source routes aren't going to work.

These days, the only hope you likely have of running a reverse traceroute is if the system you want to trace from has a traceroute facility on their web site. Many systems, and Usenet providers in particular, have a web page where you can run a traceroute from their system back to yours. In combination with your trace to their system, this can give you the other half of the picture. I have a list of Usenet provider traceroute pages here.

Fonte Usando o Tracert

Atualmente, as rotas de origem de IP são ignoradas praticamente em todos os lugares, devido a vários problemas de segurança que elas introduzem. Embora não seja uma boa ideia confiar no roteamento IP para segurança, o roteamento de origem ainda torna desnecessariamente fácil ignorar os firewalls, bem como falsifique seu endereço IP , sem ter praticamente nenhum bom uso.

Em outras palavras, seus pacotes com uma rota de origem são descartados por políticas de segurança. Então você não receberá uma resposta, mesmo que você especifique a mesma rota que normalmente tomaria.

Em roteadores baseados em Linux, você ainda pode habilitar isso definindo um sysctl:

sysctl -w net.ipv4.conf.<interface>.accept_source_route=1

O FreeBSD (pfSense) tem sysctls net.inet.ip.sourceroute e net.inet.ip.accept_sourceroute .