[Dshield] ICMP Redirect?

Johannes Ullrich jullrich at euclidian.com
Thu Jun 12 11:20:35 GMT 2003


ICMP redirect messages are almost always suspect. If used legitimately,
ICMP redirects are used by a router to advise a host of a change in
network topology. It just tells your host "don't send this to me,
instead use this different router".

However, while ICMP redirects are nice as a poor man's routing protocol,
they are not exactly safe. They are in no way authenticated. ICMP
redirects can be spoofed and used for 'man in the middle' attacks.
These attacks allow a third party to listen in on your traffic (and in
some cases modify it) by routing all your traffic through the attacker's
system.

So what should you do? First, check if 68.4.139.192 is a host on your
network (or your ISP's network). The code of 0 indicates that the message
is advising you to route all traffic for a specific network to a
different host. If you can, look at the entire packet and see if it makes
sense. tcpdump or ethereal should decode them for you. The packet should
include the original packet (header+first couple bytes of data), so you
can make sure it looks 'valid'.

Or, if things work well, just keep blocking them. If you are not able to
reach certain hosts however, try to allow these messages in and see if
this fixes the problem for you.

(note: A "router" can be another host or a gateway)

On Thu, 2003-06-12 at 01:28, David Vincent wrote:
> can anyone tell me why I would be receiving these in my firewall logs?
> 
> three in a row.  first one, then another three seconds later, then another
> six seconds later...
> 
> Time: 06/11/2003, 22:00:30
> Message: ICMP Redirect
> Source: 68.4.139.192
> Destination:xxx.xxx.xxx.xxx, Type:5, Code:0 (from WAN Inbound)
> 
> that's about all the detail it provides, a little skimpy to say the least.
> could this be a side-effect of p2p?
> 
> that's all that I can see which would be generating any sort of traffic I
> could consider a load (and even that's throttled to 10k/s, a pittance!).
> tho I do have http, smtp, pop3, and a few remote control tools operating on
> different ports.  there's nothing resembling this ip in the logs.
> 
> thanks.
> 
> -d
> 
> (ooo!  the dirty cross-poster)
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
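The checks Johannes describes (is the sender on your network, does the quoted original packet make sense), as an added Python example that is not part of the original thread: it decodes a type 5 redirect, verifies the ICMP checksum and flags what does not fit the local network. The 192.168.1.0/24 local network and the sample packet are constructed assumptions; only the source address 68.4.139.192 comes from the logs above.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")  # assumed local network (not from the thread)
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes) -> dict:
    """Decode an ICMP redirect (type 5): new gateway plus the quoted original IP header."""
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    if itype != 5:
        raise ValueError("not an ICMP redirect (type %d)" % itype)
    inner = icmp[8:]  # RFC 792: original IP header followed by its first 8 data bytes
    return {
        "code": code, "scope": REDIRECT_CODES.get(code, "unknown"),
        "gateway": ipaddress.IPv4Address(icmp[4:8]),
        "orig_src": ipaddress.IPv4Address(inner[12:16]),
        "orig_dst": ipaddress.IPv4Address(inner[16:20]),
        "checksum_ok": icmp_checksum(icmp) == 0,
    }

def suspicious_reasons(sender: str, fields: dict, local_net=LOCAL_NET) -> list:
    """Sanity checks from the reply: sender, new gateway and quoted packet must all fit the local net."""
    reasons = []
    if ipaddress.IPv4Address(sender) not in local_net:
        reasons.append("redirect was sent from outside the local network")
    if fields["gateway"] not in local_net:
        reasons.append("advertised gateway is outside the local network")
    if fields["orig_src"] not in local_net:
        reasons.append("quoted original packet was not sent by a local host")
    if not fields["checksum_ok"]:
        reasons.append("ICMP checksum does not verify")
    return reasons

def build_redirect(gateway: str, orig_src: str, orig_dst: str, code: int = 0) -> bytes:
    """Constructed sample redirect (not a captured packet) so the checks can run offline."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0x4000, 64, 17, 0,
                         ipaddress.IPv4Address(orig_src).packed, ipaddress.IPv4Address(orig_dst).packed)
    body = ipaddress.IPv4Address(gateway).packed + ip_hdr + b"\x00\x35\x00\x35\x00\x10\x00\x00"
    head = struct.pack("!BBH", 5, code, icmp_checksum(struct.pack("!BBH", 5, code, 0) + body))
    return head + body
```

Feeding `build_redirect("68.4.139.192", "192.168.1.10", "10.0.0.1")` through `parse_redirect` and `suspicious_reasons("68.4.139.192", ...)` reports both the sender and the advertised gateway as outside the local network, which is exactly the case where the redirect should stay blocked.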