Home page logo
/

basics logo Security Basics mailing list archives

Re: ICMP Redirect Help
From: Rob Riskin <rriskin () gmail com>
Date: Tue, 27 Apr 2010 16:16:48 -0400

Thanks for getting back to me!

I actually just ran wireshark on the same vlan that the snort sensor
was picking this up from and I believe the packets labeled incorrect?
Is that possible?

I filtered a bunch of different ways and found no traces of the
rutgers IP addresses even when the snort sensor was reporting them
through BASE in the original IP packet source.

I filtered via ICMP protocol and found one anomaly which I knew about
prior to these other alerts.  I also was filtering by the traffic from
router to the servers and found no trace of the reported alerts at the
same time, so I think it is safe to say that they are false alerts or
incorrect? Because the ones that i did discover the original IP source
was incorrect. . .

Any other tips or am I chasing dust bunnies?

-Rob

On Tue, Apr 27, 2010 at 4:09 PM, Anderson Carvalho (Netplan)
<anderson () netplan com br> wrote:
Rob,

Maybe you could look at your internal network to find someone with a IP
spoofing tool or look if has connections at the inbound traffic of the
Internet to your network.




Atenciosamente
Anderson Carvalho
Consultor de Projetos

Netplan Informática
anderson () netplan com br
Site: www.netplan.com.br
47 3801 3005

-----Mensagem original-----
De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Em
nome de Rob Riskin
Enviada em: terça-feira, 27 de abril de 2010 13:18
Para: security-basics () securityfocus com
Assunto: ICMP Redirect Help

Hey everyone,

This is my first time writing to this list so please bear with me.  I
recently updated my snort sensor to 2.8.6 yesterday and loaded it up
and started receiving a bunch of ICMP Redirect Host alerts.

The source is one of my layer 3 switches (but it routes as well) and
the destinations are my two domain controllers (DNS, DHCP), my
exchange server, and about 18 random workstations.

Deeper in the packet it has an original source of 128.6.x.x block
address which resolves to staff-108.scc.rutgers.edu or rutgers.edu
addresses and then the destination is my internal servers. So somehow
these source addresses are making their way into my network, accessing
our switch and getting forwarded to certain servers.

I've googled to no end about this and find answers that it is just
normal "bat" traffic or it could be the winfreeze exploit.

I have firewalls blocking inbound traffic and i'm not sure how to
determine the cause or reasoning behind these addresses.  Our network
has no affiliation with rutgers so I have no idea why these addresses
would be coming in.  The only inbound traffic that our exchange server
should be receiving is from our spam filtering company and that is
rule based via the firewall.

Can anyone point me in the right direction on where i should check or
determine what this traffic even is or how to stop it? I have a laptop
with wireshark and am ready to sniff but i'm not sure at what point to
sniff.  If i sniff internally it's just going to be traffic from my
router not the external address.

Thanks in advanced!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]