[Intrusions] ICMP_REDIRECT

Kirk Ismay captain at netidea.com
Mon Apr 25 21:08:39 GMT 2005


Hello,

I've got about half a dozen SMC Barricade routers (SMC7004VBR & 
SMC7004VWBR) on my ADSL network which are constantly sending ICMP 
Redirects to their default gateway.  It looks like it's in response to a 
NetBIOS broadcast of some sort. Is this benign or a threat?

One has sent about 14,000 in the last 12 hours. Here's a snort log:

[**] ICMP redirect host [**]
04/24-10:05:22.117597 10.10.0.22 -> 208.181.15.173
ICMP TTL:64 TOS:0x0 ID:2342 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT HOST NEW GW: 10.10.0.1
** ORIGINAL DATAGRAM DUMP:
208.181.15.173:0 -> 208.181.15.255:0
UDP TTL:127 TOS:0x0 ID:30447 IpLen:20 DgmLen:78
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP redirect host [**]
04/24-10:05:22.117656 10.10.0.22 -> 208.181.15.173
ICMP TTL:63 TOS:0x0 ID:2342 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT HOST NEW GW: 10.10.0.1
** ORIGINAL DATAGRAM DUMP:
208.181.15.173:0 -> 208.181.15.255:0
UDP TTL:127 TOS:0x0 ID:30447 IpLen:20 DgmLen:78
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP redirect host [**]
04/24-10:05:22.834037 10.10.0.22 -> 208.181.14.109
ICMP TTL:64 TOS:0x0 ID:2344 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT HOST NEW GW: 10.10.0.1
** ORIGINAL DATAGRAM DUMP:
208.181.14.109:0 -> 208.181.15.255:0
UDP TTL:127 TOS:0x0 ID:1268 IpLen:20 DgmLen:202
** END OF DUMP

And tcpdump:

13:39:24.741213 10.10.0.22 > 208.181.14.12: icmp: redirect 208.181.15.255 to host 10.10.0.1 (ttl 64, id 60540)
   0000: 4500 0038 ec7c 0000 4001 a567 0a0a 0016  E..8ì|..@.¥g....
   0010: d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0  Ðµ....÷ç....E..ð
   0020: 1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff  ......guÐµ..Ðµ.ÿ
   0030: 008a 008a 00dc f71b                      .....Ü÷.

13:39:24.741278 10.10.0.22 > 208.181.14.12: icmp: redirect 208.181.15.255 to host 10.10.0.1 (ttl 63, id 60540)
   0000: 4500 0038 ec7c 0000 3f01 a667 0a0a 0016  E..8ì|..?.¦g....
   0010: d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0  Ðµ....÷ç....E..ð
   0020: 1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff  ......guÐµ..Ðµ.ÿ
   0030: 008a 008a 00dc f71b                      .....Ü÷.


-- 
Sincerely,
Kirk Ismay, GCFW
System Administrator

Net Idea
101-625 Front Street Nelson, BC V1L 4B6
P:250-352-3512 | F:250-352-9780 | TF:888-246-4222

10 Years of Service Excellence!

Visit us online at:
www.netidea.com | www.netidea.biz
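Added example for this thread (not code from the original post): a decoder that walks the two hex dumps above byte for byte, verifies the IP and ICMP checksums so we know the dump survived mail transit intact, pulls out the quoted original datagram, and applies the RFC 1122 section 3.2.2.2 host rules to decide whether a well-behaved host would act on the redirect at all. The decode shows what the poster suspected: the quoted datagram is UDP 138 to 138 (NetBIOS datagram service) aimed at 208.181.15.255. The host prefix 208.181.14.0/24 used in the acceptance check is an assumption made for the example, since the post does not give the netmask; the NetBIOS port names are the IANA assignments.

```python
"""Decode the ICMP redirects from the tcpdump -X output in the post and
check them against the RFC 1122 host rules. Added example, not the
poster's code."""
import ipaddress
import struct

# Hex columns copied from the two tcpdump dumps above (offset and ASCII
# columns dropped). Same IP ID 60540 in both; TTL 64 in one, 63 in the other.
REDIRECT_TTL64 = (
    "4500 0038 ec7c 0000 4001 a567 0a0a 0016"
    "d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0"
    "1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff"
    "008a 008a 00dc f71b"
)
REDIRECT_TTL63 = (
    "4500 0038 ec7c 0000 3f01 a667 0a0a 0016"
    "d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0"
    "1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff"
    "008a 008a 00dc f71b"
)

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}  # IANA


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over a region that already carries
    its own checksum field the result is 0 when the region verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> dict:
    """Parse an IPv4 header; returns its fields plus the bytes that follow it."""
    ihl = (buf[0] & 0x0F) * 4
    total_len, ident, _flags_frag, ttl, proto = struct.unpack("!HHHBB", buf[2:10])
    return {
        "src": str(ipaddress.IPv4Address(buf[12:16])),
        "dst": str(ipaddress.IPv4Address(buf[16:20])),
        "ttl": ttl, "id": ident, "proto": proto, "total_len": total_len,
        "csum_ok": inet_checksum(buf[:ihl]) == 0,
        "payload": buf[ihl:],
    }


def decode_redirect(dump: str) -> dict:
    """Decode one ICMP redirect and the original datagram it quotes."""
    outer = parse_ipv4(bytes.fromhex(dump.replace(" ", "")))
    icmp = outer["payload"]
    if outer["proto"] != 1 or icmp[0] != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    # ICMP header: type, code, checksum, new gateway. What follows is the
    # original IP header plus the first 8 bytes of its payload (RFC 792).
    inner = parse_ipv4(icmp[8:])
    rec = {
        "src": outer["src"], "dst": outer["dst"], "ttl": outer["ttl"], "id": outer["id"],
        "ip_csum_ok": outer["csum_ok"],
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "icmp_csum_ok": inet_checksum(icmp) == 0,
        "orig_src": inner["src"], "orig_dst": inner["dst"],
        "orig_ttl": inner["ttl"], "orig_proto": inner["proto"],
        "orig_csum_ok": inner["csum_ok"],
    }
    if inner["proto"] == 17:  # UDP: the 8 quoted payload bytes are the UDP header
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", inner["payload"][:8])
        rec.update(sport=sport, dport=dport, udp_len=ulen,
                   service=NETBIOS_PORTS.get(dport, str(dport)))
    return rec


def host_would_accept(rec: dict, host_net: str, current_gateway=None) -> list:
    """RFC 1122 s3.2.2.2: a host acts on a redirect only if it comes from the
    gateway it currently uses for that destination and names a new gateway on
    a directly connected network. Returns the reasons to drop it (empty list
    means acceptable). host_net is the receiving host's own prefix."""
    reasons = []
    if current_gateway is not None and rec["src"] != current_gateway:
        reasons.append("sender %s is not the current first-hop gateway" % rec["src"])
    if ipaddress.ip_address(rec["gateway"]) not in ipaddress.ip_network(host_net, strict=False):
        reasons.append("new gateway %s is not on-link for %s" % (rec["gateway"], host_net))
    if not (rec["ip_csum_ok"] and rec["icmp_csum_ok"]):
        reasons.append("checksum failure")
    return reasons


if __name__ == "__main__":
    for dump in (REDIRECT_TTL64, REDIRECT_TTL63):
        r = decode_redirect(dump)
        print("%(src)s -> %(dst)s ttl=%(ttl)d id=%(id)d redirect-%(code)s gw=%(gateway)s" % r)
        print("  quoted: %(orig_src)s -> %(orig_dst)s proto=%(orig_proto)d "
              "%(sport)d->%(dport)d (%(service)s) udp_len=%(udp_len)d" % r)
        # 208.181.14.0/24 for the redirected host is an assumption for this example.
        print("  verdict:", host_would_accept(r, "208.181.14.0/24") or "acceptable")
```

Two things fall out of the decode. The quoted datagram is 208.181.14.12 port 138 to 208.181.15.255 port 138, i.e. a NetBIOS datagram broadcast, which matches the poster's guess. And the redirect tells a 208.181.14.x host to use 10.10.0.1 as its next hop; with any plausible mask on the public side that gateway is not on-link for the receiving host, so a host that implements the RFC 1122 checks ignores it, which makes the traffic noise rather than an effective route change. The same IP ID appearing with TTL 64 and then 63 is one datagram captured twice, the second copy after one forwarding hop.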
