Protecting against Malicious IP Options
This kind of attack is commonly used by attackers: they send large streams of packets with IP options set, causing a DoS on the affected router and on the routers downstream of it. They can also set the source-route option (loose or strict) to dictate the path the packet takes, steering unwanted traffic through parts of our network it should never reach.
The following is the list of IP options (the same keywords an extended ACL can match; the number in parentheses is the option-type octet as it appears in the packet header):
IP Options value
add-ext Match packets with Address Extension Option (147)
any-options Match packets with ANY Option
com-security Match packets with Commercial Security Option (134)
dps Match packets with Dynamic Packet State Option (151)
encode Match packets with Encode Option (15)
eool Match packets with End of Options (0)
ext-ip Match packets with Extended IP Option (145)
ext-security Match packets with Extended Security Option (133)
finn Match packets with Experimental Flow Control Option (205)
imitd Match packets with IMI Traffic Descriptor Option (144)
lsr Match packets with Loose Source Route Option (131)
mtup Match packets with MTU Probe Option (11)
mtur Match packets with MTU Reply Option (12)
no-op Match packets with No Operation Option (1)
nsapa Match packets with NSAP Addresses Option (150)
record-route Match packets with Record Route Option (7)
router-alert Match packets with Router Alert Option (148)
sdb Match packets with Selective Directed Broadcast Option (149)
security Match packets with Basic Security Option (130)
ssr Match packets with Strict Source Routing Option (137)
stream-id Match packets with Stream ID Option (136)
timestamp Match packets with Time Stamp Option (68)
traceroute Match packets with Trace Route Option (82)
ump Match packets with Upstream Multicast Packet Option (152)
visa Match packets with Experimental Access Control Option (142)
zsu Match packets with Experimental Measurement Option (10)
IP options are dangerous on Cisco routers because the IP options fields in the IP header are not processed by the hardware forwarding engine. The forwarding engine punts these packets to the route processor (RP), which handles them in software. Under a flood of option-bearing packets the RP can easily become overloaded and start discarding high-priority traffic, including routing protocol packets, so a stream of crafted packets can take down adjacencies on a router that is otherwise forwarding at line rate.
How do we protect our device?
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip option
R2(config)# ip options drop
% Warning: RSVP and other protocols that use IP Options packets
may not function as expected.
Now we can check whether packets with IP options were coming in, and how many were dropped; the options denied counter under Drop is the one incremented by ip options drop:
R2(config)# do sh ip traff
IP statistics:
Rcvd: 2436 total, 802 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 406 reassembled, 0 timeouts, 0 couldn't reassemble
1011 fragmented, 5065 fragments, 0 couldn't fragment
Bcast: 0 received, 0 sent
Mcast: 262 received, 413 sent
Sent: 5639 generated, 286 forwarded
Drop: 7 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 0 unicast RPF, 0 forced drop
5 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
0 physical broadcast
Another way to protect against IP options is to specify within an ACL which options we permit or deny. This is the right choice when some option must still be allowed (for example router-alert for RSVP or IGMP), which a global ip options drop cannot do:
R2(config)# ip access-list ext options
R2(config-ext-nacl)# deny ip any any option record-route
R2(config-ext-nacl)#
The list of IP options we can match with an ACL is the first list in this post. Note that the ACL above is not finished: every IOS ACL ends with an implicit deny, so as shown it would drop all traffic once applied. It still needs a final permit statement, and it has no effect until it is applied to an interface with ip access-group.
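Below is an added example (not configuration from the original post) showing both approaches completed: the global ip options drop, and an ACL that keeps router-alert working while dropping every other option, with the permit line and the interface application that the fragment above omits. The interface name and the decision to keep router-alert are assumptions for illustration.

```cisco
! Added example, not from the original post. Interface name is hypothetical.
!
! Option 1: global. "drop" discards every packet carrying IP options,
! "ignore" forwards the packet without honouring the options (source routing
! is not obeyed). Both affect RSVP and other protocols that rely on IP options,
! as the CLI warning states, so pick this only where none of those are in use.
ip options drop
!
! Option 2: per-interface ACL, for networks that still need router-alert.
! Order matters: the permit for router-alert must come before the deny of
! any-options, and the final "permit ip any any" is required, otherwise the
! implicit deny at the end of the ACL drops all traffic on the interface.
! The per-type deny lines are redundant with any-options but give separate
! hit counters for the options attackers use most.
ip access-list extended options
 remark allow Router Alert (RSVP, IGMP) but nothing else with options
 permit ip any any option router-alert
 deny   ip any any option lsr
 deny   ip any any option ssr
 deny   ip any any option record-route
 deny   ip any any option timestamp
 deny   ip any any option any-options
 permit ip any any
!
! Apply inbound on the untrusted edge interface (hypothetical name).
interface GigabitEthernet0/0
 description Untrusted edge
 ip access-group options in
!
! Verification from exec mode:
!   show access-lists options        (per-entry hit counters)
!   show ip traffic | include options (RP-level "options denied" counter)
```

Avoid adding the log keyword to the deny lines on a busy edge: logged ACL matches are themselves punted to the RP, which recreates the resource exhaustion the ACL is meant to prevent.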