Forum Discussion

cjbarr1234
Apr 27, 2017

IP-Source Routing Enabled - Vulnerability

Hey guys... Are we vulnerable at all to this?


https://www.rapid7.com/db/vulnerabilities/generic-ip-source-routing-enabled


  1. IP Source Routing Enabled

     Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Trying to figure out if that is in our FastL4 profiles, in terms of making sure that someone cannot broadcast a pre-defined route through any Layer 3 policy, like ip-forwarding.


  • https://support.f5.com/csp/article/K10191


    The BigIP will drop any packet that arrives with IP Options unless you have explicitly enabled them:


    The IP drop counter increments when a packet contains an IP option. If the TM.AcceptIPOptions BigDB key is set to enable, the system accepts IPv4 packets with IP options.


    So unless you explicitly tell the BigIP otherwise it will not accept packets that use Source Routing. FastL4 does not change this.
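To make the two points in this thread concrete, here is an added example that is not part of the original discussion and not F5 code. It builds an IPv4 header carrying a Loose Source and Record Route option (RFC 791 option type 131; 137 is the strict variant), parses the option back out, and then applies the rule quoted from K10191: any IPv4 packet whose header contains options is dropped unless the accept-IP-options setting is on. The BigDB key TM.AcceptIPOptions is modelled here as a plain boolean parameter, and the source, destination and hop addresses are constructed test values, not anything from the thread.

```python
# Added example (not from the forum thread or from F5): craft an IPv4 header
# with a Loose Source and Record Route (LSRR) option, detect source routing
# on parse, and model the BIG-IP "drop IP options unless enabled" rule.
import struct
import ipaddress

IPOPT_EOL = 0     # end of option list (also used as padding)
IPOPT_NOP = 1     # no-operation
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_source_route_option(hops, strict=False) -> bytes:
    """type, length, pointer (starts at 4), then 4-byte route addresses."""
    addrs = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    opt_type = IPOPT_SSRR if strict else IPOPT_LSRR
    return bytes([opt_type, 3 + len(addrs), 4]) + addrs


def pad_options(options: bytes) -> bytes:
    """The options field must be a multiple of 4 bytes; pad with EOL."""
    return options + bytes([IPOPT_EOL]) * ((-len(options)) % 4)


def build_ipv4_header(src, dst, options=b"", proto=6, payload_len=0) -> bytes:
    options = pad_options(options)
    ihl = 5 + len(options) // 4            # header length in 32-bit words
    total_len = ihl * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    csum = ipv4_checksum(hdr)              # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def header_checksum_ok(header: bytes) -> bool:
    ihl = header[0] & 0x0F
    return ipv4_checksum(header[: ihl * 4]) == 0


def parse_options(header: bytes):
    """Return [(type, payload)], decoding LSRR/SSRR into pointer + hop list."""
    ihl = header[0] & 0x0F
    opts = header[20: ihl * 4]
    result, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2: i + length]
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            hops = [str(ipaddress.IPv4Address(body[j:j + 4]))
                    for j in range(1, len(body), 4)]
            result.append((t, {"pointer": body[0], "hops": hops}))
        else:
            result.append((t, body))
        i += length
    return result


def has_source_route(header: bytes) -> bool:
    return any(t in (IPOPT_LSRR, IPOPT_SSRR) for t, _ in parse_options(header))


def bigip_would_accept(header: bytes, accept_ip_options: bool = False) -> bool:
    """Model of the K10191 rule: any IP option -> drop, unless the
    accept-IP-options setting (stand-in for TM.AcceptIPOptions) is enabled."""
    has_options = (header[0] & 0x0F) > 5
    return accept_ip_options or not has_options


if __name__ == "__main__":
    # constructed test packet: client -> VIP, asking to route via two hops
    opt = build_source_route_option(["10.0.0.1", "192.0.2.1"])
    hdr = build_ipv4_header("198.51.100.7", "192.0.2.10", opt)
    print("options:", parse_options(hdr))
    print("source routed:", has_source_route(hdr))
    print("accepted with default setting:", bigip_would_accept(hdr))
    print("accepted with option enabled:", bigip_would_accept(hdr, True))
```

On an actual BIG-IP the setting itself can be inspected from tmsh with `tmsh list sys db tm.acceptipoptions`; the value you want to see for the scanner finding to be a false positive is `disable`, which the reply above notes is the default.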