[Intrusions] ICMP_REDIRECT

Smith, Donald Donald.Smith at qwest.com
Wed Apr 27 14:11:34 GMT 2005


Redirects to the entire subnet to a new gateway.
It sounds evil to me.
Got packets? 30 or 40 would be nice. Maybe 20 from one machine and 20 from another?

You may also want to look at this site as it addresses a barricade issue.
http://www.topsight.net/article.php/20040422081807297

Coupled with this vulnerability, your routers might be compromised :(
http://www.sightspeed.com/support.php?page=firewall&firewall=firewall-smc
The default is a blank/empty password. 
Important Note: Different versions of the SMC routers default to different passwords. The default password may also be 1234, 12345, admin, or password. 

donald.smith at qwest.com giac 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Kirk Ismay
> Sent: Monday, April 25, 2005 3:09 PM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] ICMP_REDIRECT 
> 
> 
> 
> Hello,
> 
> I've got about half a dozen SMC Barricade routers (SMC7004VBR & 
> SMC7004VWBR) on my ADSL network which are constantly sending ICMP 
> Redirects to their default gateway.  It looks like it's in response to a 
> NetBIOS broadcast of some sort. Is this benign or a threat?
> 
> One has sent about 14,000 in the last 12 hours. Here's a snort log:
> 
> [**] ICMP redirect host [**]
> 04/24-10:05:22.117597 10.10.0.22 -> 208.181.15.173
> ICMP TTL:64 TOS:0x0 ID:2342 IpLen:20 DgmLen:56
> Type:5  Code:1  REDIRECT HOST NEW GW: 10.10.0.1
> ** ORIGINAL DATAGRAM DUMP:
> 208.181.15.173:0 -> 208.181.15.255:0
> UDP TTL:127 TOS:0x0 ID:30447 IpLen:20 DgmLen:78
> ** END OF DUMP 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] ICMP redirect host [**]
> 04/24-10:05:22.117656 10.10.0.22 -> 208.181.15.173
> ICMP TTL:63 TOS:0x0 ID:2342 IpLen:20 DgmLen:56
> Type:5  Code:1  REDIRECT HOST NEW GW: 10.10.0.1
> ** ORIGINAL DATAGRAM DUMP:
> 208.181.15.173:0 -> 208.181.15.255:0
> UDP TTL:127 TOS:0x0 ID:30447 IpLen:20 DgmLen:78
> ** END OF DUMP 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] ICMP redirect host [**]
> 04/24-10:05:22.834037 10.10.0.22 -> 208.181.14.109
> ICMP TTL:64 TOS:0x0 ID:2344 IpLen:20 DgmLen:56
> Type:5  Code:1  REDIRECT HOST NEW GW: 10.10.0.1
> ** ORIGINAL DATAGRAM DUMP:
> 208.181.14.109:0 -> 208.181.15.255:0
> UDP TTL:127 TOS:0x0 ID:1268 IpLen:20 DgmLen:202
> ** END OF DUMP
> 
> And tcpdump:
> 
> 13:39:24.741213 10.10.0.22 > 208.181.14.12: icmp: redirect 
> 208.181.15.255 to host 10.10.0.1 (ttl 64, id 60540)
>    0000: 4500 0038 ec7c 0000 4001 a567 0a0a 0016  E..8.|..@..g....
>    0010: d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0  ............E...
>    0020: 1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff  ......gu........
>    0030: 008a 008a 00dc f71b                      ........
> 
> 13:39:24.741278 10.10.0.22 > 208.181.14.12: icmp: redirect 
> 208.181.15.255 to host 10.10.0.1 (ttl 63, id 60540)
>    0000: 4500 0038 ec7c 0000 3f01 a667 0a0a 0016  E..8.|..?..g....
>    0010: d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0  ............E...
>    0020: 1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff  ......gu........
>    0030: 008a 008a 00dc f71b                      ........
> 
> 
> -- 
> Sincerely,
> Kirk Ismay, GCFW
> System Administrator
> 
> Net Idea
> 101-625 Front Street Nelson, BC V1L 4B6
> P:250-352-3512 | F:250-352-9780 | TF:888-246-4222
> 
> 10 Years of Service Excellence!
> 
> Visit us online at:
> www.netidea.com | www.netidea.biz 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org 
> http://www.dshield.org/mailman/listinfo/intrusions
> 
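Added example (not part of the thread, and not code from either poster or from SMC): a decoder for the redirect in the tcpdump hex dump above, followed by the acceptance checks RFC 1122 section 3.2.2.2 tells a host to apply before it honours a Redirect. The bytes are transcribed from the first packet's hex column. The decoder recovers what the dump already shows (sender 10.10.0.22, target 208.181.14.12, new gateway 10.10.0.1, quoted datagram 208.181.14.12 -> 208.181.15.255 UDP 138 -> 138, i.e. NetBIOS datagram service to a directed broadcast) and verifies both checksums. The netmask (/23) and default gateway (208.181.14.1) assumed for host 208.181.14.12 are illustrative; the thread does not state them.

```python
"""Decode an ICMP Redirect and apply the RFC 1122 3.2.2.2 acceptance checks."""
import ipaddress
import struct

# Constructed input: the first redirect from the tcpdump output in the thread,
# transcribed from its hex column (56 bytes: IPv4 header, 8-byte ICMP header and
# the first 28 bytes of the quoted original datagram).
REDIRECT_HEX = (
    "4500 0038 ec7c 0000 4001 a567 0a0a 0016"
    " d0b5 0e0c 0501 f7e7 0a0a 0001 4500 00f0"
    " 1412 0000 7f11 6775 d0b5 0e0c d0b5 0fff"
    " 008a 008a 00dc f71b"
)

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(buf: bytes):
    """Split an IPv4 header off buf; returns (fields, payload up to the total length)."""
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
        "ttl": ttl, "id": ident, "proto": proto,
        "hdr_ok": inet_checksum(buf[:ihl]) == 0,
    }
    return fields, buf[ihl:total_len]


def parse_redirect(raw: bytes) -> dict:
    """Decode IP + ICMP Redirect + the quoted original datagram (header + 8 bytes)."""
    outer, icmp = parse_ipv4(raw)
    itype, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("not an ICMP Redirect (type %d)" % itype)
    inner, l4 = parse_ipv4(icmp[8:])
    # Only 8 bytes of the original payload are quoted, enough for the UDP/TCP ports.
    sport, dport = struct.unpack("!HH", l4[:4]) if len(l4) >= 4 else (None, None)
    return {
        "from": outer["src"], "to": outer["dst"], "ttl": outer["ttl"], "id": outer["id"],
        "hdr_ok": outer["hdr_ok"], "icmp_ok": inet_checksum(icmp) == 0,
        "code": REDIRECT_CODES.get(code, code), "new_gw": ipaddress.ip_address(gw),
        "orig_src": inner["src"], "orig_dst": inner["dst"], "orig_proto": inner["proto"],
        "orig_hdr_ok": inner["hdr_ok"], "orig_sport": sport, "orig_dport": dport,
    }


def redirect_problems(r: dict, host: ipaddress.IPv4Interface, current_gw=None) -> list:
    """Reasons a host at `host` should ignore redirect r (RFC 1122 3.2.2.2),
    plus a sanity check on the quoted datagram: ICMP error messages, and a
    Redirect is one, are never generated for broadcast or multicast datagrams."""
    problems = []
    if not r["icmp_ok"]:
        problems.append("ICMP checksum does not verify")
    if current_gw is not None and r["from"] != current_gw:
        problems.append("sent by %s, not by the current first-hop gateway %s" % (r["from"], current_gw))
    if r["new_gw"] not in host.network:
        problems.append("new gateway %s is not on the directly connected network %s"
                        % (r["new_gw"], host.network))
    if r["orig_src"] != host.ip:
        problems.append("quoted datagram was sent by %s, not by this host" % r["orig_src"])
    d = r["orig_dst"]
    if d.is_multicast or d == host.network.broadcast_address or d == ipaddress.ip_address("255.255.255.255"):
        problems.append("quoted datagram is addressed to broadcast/multicast %s" % d)
    return problems


def triage(raw_hex: str, host_cidr: str, current_gw: str = None):
    """String-argument front end: decode raw_hex and check it for a host at host_cidr."""
    r = parse_redirect(bytes.fromhex(raw_hex))
    gw = ipaddress.ip_address(current_gw) if current_gw else None
    return r, redirect_problems(r, ipaddress.ip_interface(host_cidr), gw)


if __name__ == "__main__":
    # Assumed for illustration: 208.181.14.12 sits on a /23 whose default gateway
    # is 208.181.14.1; the thread does not say what they really are.
    fields, problems = triage(REDIRECT_HEX, "208.181.14.12/23", "208.181.14.1")
    for key, value in fields.items():
        print("%-12s %s" % (key, value))
    for p in problems:
        print("DROP:", p)
```

Under those assumptions the decoded redirect fails three of the checks: it does not come from the host's gateway, it names a gateway (10.10.0.1) that is not on the target's own network, and it quotes a datagram sent to a directed broadcast. A host following RFC 1122 therefore never touches its routing table because of it, which is why this kind of flood is noise rather than a working route hijack; the volume still deserves a look, and the duplicate with TTL 63 and the same IP ID is the same packet captured a second time, so dedupe on (src, dst, id) before counting.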