Re: kernel: ICMP: 158.155.0.1: Source Route Failed.

really kuznet@ms2.inr.ac.ru (inr-linux-kernel@ms2.inr.ac.ru)
23 Mar 1996 21:39:07 +0300


jms@pobox.COM wrote:

: I have been getting this message a lot. What does this mean?

: kernel: ICMP: 158.155.0.1: Source Route Failed.

Literally, it means that you sent a packet with the "IP source
and record route" option (note that it has NOTHING TO DO with
token ring source routing!!!), it was routed via router 158.155.0.1
and was rejected by it.

If you really did not send such packets, it means that
someone is trying to use the source route capability to masquerade as you.

Example:

I am a cracker and my host is "cracker".
"host-to-pretend" is a host that possesses privileges that I want to steal
(e.g. it is in /etc/exports at "host-to-fake").
"host-to-fake" is a server (e.g. an NFS server).

I construct a packet (e.g. a mount request)
with source address "host-to-pretend", with destination
"cracker" (my address!) and with a source route IP option
of one address, "host-to-fake". Then I send it.
If the server "host-to-fake" does not filter out source routed
packets (this is the case for almost all hosts),
it will decide that this request was issued by "host-to-pretend", construct
a mount reply and send it back by the reversed source route (for TCP) or directly
to "host-to-pretend" (for UDP).

Really, rlogind, rshd and other servers that authenticate
only on the basis of source address just drop frames with IP options.

telnetd does not drop them (because it authenticates you by password), so
you may do such a funny thing (provided you recompiled telnet since
IP options were implemented in Linux and did not set CONFIG_IP_NOSR):

telnet @host1@host2

We will really be logged in to host2, but all the data will flow via host1.
It may be very useful if you want to override conventional routing rules.

Really, it is not very dangerous, but if your hosts are misconfigured,
it gives an additional possibility for crackers.

In any case, you should catch these ICMP packets with tcpdump
and analyze them. If you cannot do it, find a person who
understands IP packet layout (e.g. me).

Alexey Kuznetsov.
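
An added example, not part of the original message: one way to analyze a captured "Source Route Failed" error (ICMP type 3, code 5) is to decode the IP header that the router echoes back inside it and list the route options the rejected packet carried. The function names and the sample packet (documentation addresses, zeroed checksums) are assumptions constructed for illustration; the input is assumed to start at the ICMP header.

```python
import socket
import struct

ROUTE_OPTS = {7: "RR", 131: "LSRR", 137: "SSRR"}  # RFC 791 option type numbers

def parse_source_route_failed(icmp: bytes):
    """Return details of the rejected packet embedded in an ICMP
    Destination Unreachable / Source Route Failed message, else None."""
    if len(icmp) < 28 or (icmp[0], icmp[1]) != (3, 5):
        return None
    inner = icmp[8:]                      # echoed IP header + 8 data bytes
    ihl = (inner[0] & 0x0F) * 4           # header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or ihl > len(inner):
        return None
    info = {"src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20]),
            "proto": inner[9], "options": []}
    opts, i = inner[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                         # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                         # malformed length, stop parsing
        if kind in ROUTE_OPTS and length >= 3:
            data = opts[i + 3:i + length]  # route data follows the pointer byte
            hops = [socket.inet_ntoa(data[j:j + 4])
                    for j in range(0, len(data) - 3, 4)]
            info["options"].append({"type": ROUTE_OPTS[kind],
                                    "pointer": opts[i + 2], "hops": hops})
        i += length
    return info

def build_sample() -> bytes:
    """Constructed sample message, not a capture from this thread."""
    opts = bytes([1, 131, 7, 4]) + socket.inet_aton("203.0.113.5")  # NOP + LSRR
    ip = struct.pack("!BBHHHBBH4s4s", 0x47, 0, 36, 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.1")) + opts
    return struct.pack("!BBHI", 3, 5, 0, 0) + ip + bytes(8)

if __name__ == "__main__":
    print(parse_source_route_failed(build_sample()))
```

If the "src" reported is your own address and you never sent source-routed traffic, that matches the masquerading case described in the message.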