Home page logo
/

basics logo Security Basics mailing list archives

ICMP Redirect Help
From: Rob Riskin <rriskin () gmail com>
Date: Tue, 27 Apr 2010 12:18:22 -0400

Hey everyone,

This is my first time writing to this list so please bear with me.  I
recently updated my snort sensor to 2.8.6 yesterday and loaded it up
and started receiving a bunch of ICMP Redirect Host alerts.

The source is one of my layer 3 switches (but it routes as well) and
the destinations are my two domain controllers (DNS, DHCP), my
exchange server, and about 18 random workstations.

Deeper in the packet it has an original source of 128.6.x.x block
address which resolves to staff-108.scc.rutgers.edu or rutgers.edu
addresses and then the destination is my internal servers. So somehow
these source addresses are making their way into my network, accessing
our switch and getting forwarded to certain servers.

I've googled to no end about this and find answers that it is just
normal "bat" traffic or it could be the winfreeze exploit.

I have firewalls blocking inbound traffic and i'm not sure how to
determine the cause or reasoning behind these addresses.  Our network
has no affiliation with rutgers so I have no idea why these addresses
would be coming in.  The only inbound traffic that our exchange server
should be receiving is from our spam filtering company and that is
rule based via the firewall.

Can anyone point me in the right direction on where i should check or
determine what this traffic even is or how to stop it? I have a laptop
with wireshark and am ready to sniff but i'm not sure at what point to
sniff.  If i sniff internally it's just going to be traffic from my
router not the external address.

Thanks in advanced!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]