Breaking Unwanted TCP Connections by Modifying Your Route Table
Every TCP/IP client machine, regardless of operating system, needs to make decisions about where to send a packet after it has been addressed. The route table is the network map that tells your computer how to deliver the packet to its network addressee. It is rarely necessary to inspect your route table because most machines have dynamically assigned IP configurations, they're single-homed machines (they have only one network card), and they sit on a network with a single gateway. This is the standard network setup. The route table is automatically generated, and the default configuration is usually the best one to use for that standard setup.
It becomes important to understand how to read and modify your route table only when your network configuration is not standard or if you want to deviate from your standard route. For example, perhaps you have two NICs in your workstation or two gateways on your network. You might want to send some packets through one route and other packets to another route. Perhaps you use the Windows 2000 Internet Connection Sharing tool with a DSL connection in your small company, and you do not want your employees to use AOL Instant Messenger. Perhaps pop-up advertisements from doubleclick.net have become too tiresome. Simple modifications to the default route table can redirect packets intended for those services to a null address.
There is more to know about route tables than what we describe here. This article is intended to provide a quick-and-dirty explanation on route tables so that you can use the information to provide a costless and simple alternative for blocking unwanted traffic to specific IP addresses or subnets. It's not possible to modify the route table in such a way that your users will get disney.com if they enter playboy.com. You'd have to use other tools to achieve that end. It is possible, however, that they can get nothing at all by just making a few simple changes to the route information.
How Can I Read the Route Table?
Before you can learn to modify the route table, let's take a look at a sample default route table for a standard workstation and learn to read the helpful information located in it. In Windows 2000 as well as other operating systems, you can type route print from a command prompt window and receive output that looks like Figure 1.
Figure 1 route print output.
This is the standard route table for a single-homed Windows 2000 Professional workstation with a standard network configuration. The route table was dynamically generated and was not modified directly except by the operating system itself. The IP configuration of this machine is DHCP assigned. Its network settings are shown here:
IP address: 192.168.100.207
Network mask: 255.255.255.0
Default gateway: 192.168.100.1
This information can be obtained by typing ipconfig /all from a command prompt in virtually all Microsoft OS environments for networked workstations using TCP/IP. Each portion of the route table may have useful information for the user. For our purposes, we will divide the route table into three parts. (See the example above.)
- Interface list
- Active routes
- Persistent routes
The interface list displays information about each NIC in the machine and the loopback interface (127.0.0.1), a convention used by the machine to address itself regardless of the NIC configuration when the TCP/IP protocol is installed. The interface list also provides MAC address information and the NIC make and model.
The active routes are the default routes used by the machine to govern where it should send packets. Active routes information falls into five columns:
Network Destination is in the first column. It lists the routes from least specific to most specific. The 0 digit is nonspecific, in that it can represent any number. Therefore, the first route listed, the default route, indicates that any packet with any IP address can be sent to the gateway 192.168.100.1 through the interface 192.168.100.207 using the example above.
Netmask information comes in the second column and provides broadcast information. It defines how closely an address must match the network destination, octet by octet, to use the route. Here, too, the 0 digit is nonspecific. Conversely, 255 is most specific. Therefore, for an address to be able to use the third route in the example above the first three octets of the network destination (192.168.100.0) must match exactly because the netmask (255.255.255.0) allows no variation in the first three octets:
Network Destination Netmask Gateway Interface Metric 192.168.100.0 255.255.255.0 192.168.100.207 192.168.100.207 1
If the netmask were (255.255.0.0), only the first two octets would require an exact match. The last octet can be any number, as indicated by the 0.
Gateway is listed in the third column. It indicates the network gateway for the route. It will always be either the IP address of the NIC, the loopback address (127.0.0.1), or the default gateway in a standard network setup.
Interface indicates the NIC by which to reach the gateway for the route. It will always be either the IP address of the NIC or the loopback address (127.0.0.1).
Metric is simply the number of hops to the destination.
A standard Microsoft OS setup will usually have seven routes in its table. The list occurs from least specific (0.0.0.0) to most specific (255.255.255.255). You will always find these network destinations in the route table.
Occurring only once:
127.0.0.0 Software loopback
255.255.255.255 Limited broadcast address
For each NIC:
0.0.0.0 Default route
188.8.131.52 Multicast address
Three network destinations for each NIC (specific to our example above) are shown here:
192.168.100.0 Defining the resident subnet
192.168.100.207 Defining the IP address of the NIC
192.168.100.255 Defining the broadcast address for the subnet
Although the first three octets are specific for our example, one of the three network destinations must be a 0 and another must be a 255. This defines the subnet of the machine and its scope for broadcasting.
The first NIC requires five routes to work correctly, in addition to two routes necessary by default (127.0.0.0 and 255.255.255.255). Additional NICs may require only four routes, depending on the complexity of your network.
Any modifications that you make to the route table are dynamic. Every time you restart your computer, it rebuilds every route in the table. Therefore, any changes that you might make to the table are lost unless you choose to make them persistent. Persistent routes remain after every reboot unless they are manually deleted. We'll talk more about that in the next section.