[Dshield] ICMP Redirect?

David Vincent david.vincent at mightyoaks.com
Thu Jun 12 17:11:11 GMT 2003


> ICMP redirect messages are almost always suspect. If used 
> legitimately, ICMP redirects are used by a router to advice a 
> host of a change in network topology. It just tells your host 
> "don't send this to me, instead use this different router".

yeah, can't see why I'd be receiving those on a residential cable line.
 
> So what should you do? First, check if 68.4.139.192 is a host 
> on your network (or your ISPs network). The code of 0 
> indicates that the message is advising you to route all 
> traffic for a specific network to a different host. If you 
> can look at the entire packet and see if it makes sense. 
> tcpdump or ethereal should decode them for you. The packet 
> should include the original packet (header+first couple bytes 
> of data), so you can make sure it looks 'valid'. 

been thinking about this.  one of the things I've lost by going to a
hardware firewall from a pc using NAT etc. is the ability to capture packets
on my public-facing IP.  unless someone knows something I don't....
 
> Or, if things work well, just keep blocking them. If you are 
> not able to reach certain hosts however, try to allow these 
> messages in and see if this fixes the problem for you.

my only alternative is to keep blocking I think.  interesting tho!  someone
is looking to re-route my traffic through some MITM...




More information about the list mailing list