Security Basics mailing list archives

RES: ICMP Redirect Help
From: "Anderson Carvalho (Netplan)" <anderson () netplan com br>
Date: Wed, 28 Apr 2010 08:09:01 -0300

I think Mark is correct; ICMP redirects work just as Mark described. Note
that in RFC 3330, the 128.0.0.0 range is listed as reserved.

http://tools.ietf.org/html/rfc3330





Best regards,
Anderson Carvalho
Project Consultant

Netplan Informática
anderson () netplan com br
Site: www.netplan.com.br
47 3801 3005

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
behalf of Mark
Sent: Tuesday, April 27, 2010 6:05 PM
To: Mark
Cc: Rob Riskin; security-basics () securityfocus com
Subject: Re: ICMP Redirect Help

To be more clear: it sounds to me like your hosts are attempting the
connections, and the ICMP redirects you are seeing are your router (the L3
switch in your example) saying "go here instead", which should add a
route via this other router to your host's routing table (if it's
Windows; not sure about others).



Mark wrote:
Here is an example of what an ICMP redirect is:

If a machine's default gateway knows of a route that is on the same
network you sourced from, it will ICMP-redirect the workstation there.
Instead of acting as a one-armed router, it sends an ICMP packet to the
source, effectively placing a route in the source's route table for
that other path and circumventing the default gateway from that point
forward when talking to that distant target.

Look at the route table on one of the hosts that got redirected;
you'll see (in Windows, for example, with "route print") that the ICMP
redirect has added a route to the target that does not go via the default gateway.

Your default gateway is aware of a better path for this traffic and is 
attempting to redirect hosts that way.



Rob Riskin wrote:
Hey everyone,

This is my first time writing to this list, so please bear with me.  I
updated my Snort sensor to 2.8.6 yesterday, and when I loaded it up
I started receiving a bunch of ICMP Redirect Host alerts.

The source is one of my layer 3 switches (but it routes as well) and
the destinations are my two domain controllers (DNS, DHCP), my
exchange server, and about 18 random workstations.

Deeper in the packet it has an original source of 128.6.x.x block
address which resolves to staff-108.scc.rutgers.edu or rutgers.edu
addresses and then the destination is my internal servers. So somehow
these source addresses are making their way into my network, accessing
our switch and getting forwarded to certain servers.

I've googled endlessly about this and find answers saying that it is just
normal "bat" traffic or that it could be the winfreeze exploit.

I have firewalls blocking inbound traffic, and I'm not sure how to
determine the cause of or reasoning behind these addresses.  Our network
has no affiliation with Rutgers, so I have no idea why these addresses
would be coming in.  The only inbound traffic that our Exchange server
should be receiving is from our spam filtering company, and that is
rule-based via the firewall.

Can anyone point me in the right direction on where I should check, or
how to determine what this traffic even is or how to stop it? I have a laptop
with Wireshark and am ready to sniff, but I'm not sure at what point to
sniff.  If I sniff internally it's just going to be traffic from my
router, not the external address.

Thanks in advance!

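The mechanics Mark describes (router sends a type 5 ICMP message, the host installs a route to the new gateway) and the field Rob found "deeper in the packet" (the embedded header of the datagram that triggered the redirect) can both be seen by pulling the message apart. The following is an added example for this thread, not code from any of the posters: it builds a few ICMP Redirect packets from constructed documentation-range addresses (192.0.2.0/24, 198.51.100.10, 203.0.113.7 are assumed, not Rob's network), parses them, and applies the acceptance rules from RFC 1122 section 3.2.2.2 (the sender must be the host's current first-hop gateway and the new gateway must be on the directly connected network), plus the RFC 792 sanity check that the embedded original source should be the host the redirect was delivered to. A redirect whose embedded source is a foreign address, as in the symptom described above, fails that last check.

```python
"""Parse ICMP Redirect (type 5) messages and apply the acceptance rules a host
is supposed to enforce. Added example for this thread; not code from any poster.
All addresses and packet bytes below are constructed (documentation ranges)."""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS+network", 3: "TOS+host"}


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over data that already
    contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(router, host, new_gw, orig_src, orig_dst, code=1):
    """IP+ICMP bytes of a redirect as a router sends it. Per RFC 792 the ICMP
    body carries the triggering datagram's IP header plus its first 8 bytes
    (here a constructed TCP sport/dport/seq fragment)."""
    inner = ipv4_header(orig_src, orig_dst, 6, 8) + struct.pack("!HHI", 51234, 25, 0)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gw).packed) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, host, 1, len(icmp)) + icmp


def parse_redirect(packet):
    """Extract who sent the redirect, the new gateway, and the embedded
    original flow (the 'deeper in the packet' part of a Snort alert)."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    itype, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect: type %d" % itype)
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    return {
        "router": str(ipaddress.IPv4Address(packet[12:16])),
        "delivered_to": str(ipaddress.IPv4Address(packet[16:20])),
        "code": REDIRECT_CODES.get(code, "unknown"),
        "new_gateway": str(ipaddress.IPv4Address(gw)),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
    }


def evaluate(info, host_ip, host_subnet, first_hop):
    """Acceptance checks. A host that skips these installs whatever route a
    (possibly forged) redirect names."""
    net = ipaddress.IPv4Network(host_subnet, strict=False)
    if info["orig_src"] != host_ip:  # RFC 792: redirects go to the original datagram's source
        return False, "embedded original source %s is not this host" % info["orig_src"]
    if info["router"] != first_hop:  # RFC 1122 3.2.2.2
        return False, "sender %s is not the current first-hop gateway" % info["router"]
    if ipaddress.IPv4Address(info["new_gateway"]) not in net:  # RFC 1122 3.2.2.2
        return False, "new gateway %s is not on %s" % (info["new_gateway"], net)
    return True, "legitimate: install host route via %s" % info["new_gateway"]


if __name__ == "__main__":
    HOST, SUBNET, GW = "192.0.2.50", "192.0.2.0/24", "192.0.2.1"  # constructed
    samples = {
        "legit": build_redirect(GW, HOST, "192.0.2.2", HOST, "198.51.100.10"),
        "foreign_source": build_redirect(GW, HOST, "192.0.2.2", "203.0.113.7", HOST),
        "offnet_gateway": build_redirect(GW, HOST, "10.9.9.9", HOST, "198.51.100.10"),
    }
    for name, pkt in samples.items():
        info = parse_redirect(pkt)
        ok, why = evaluate(info, HOST, SUBNET, GW)
        print("%-15s %s -> %s via %s: %s" % (name, info["orig_src"], info["orig_dst"],
                                             info["new_gateway"], why))
```

The same three fields (outer source, new gateway, embedded original source/destination) are what to read off a Wireshark capture of the alerting packets; the "foreign_source" case is the shape to look for when the embedded source is an address that should never originate on the local segment.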
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs 
an SSL certificate.  We look at how SSL works, how it benefits your 
company and how your customers can tell if a site is secure. You will 
find out how to test, purchase, install and use a thawte Digital 
Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1

------------------------------------------------------------------------