Security Basics mailing list archives

Re: ICMP Redirect Help


From: Mark <markc () uniontown com>
Date: Tue, 27 Apr 2010 17:04:38 -0400

To be more clear, it sounds to me like your hosts are attempting the connections; the ICMP redirects you are seeing are your router (the L3 switch in your example) saying "go here instead", which should add a route through this other router in your host's routing table (if it's Windows; not sure about others).



Mark wrote:
Here is an example of what an ICMP redirect is:

If a machine's default gateway knows of a route that is on the same network you sourced from, it will ICMP-redirect the workstation there instead of being a one-armed router: it sends an ICMP packet to the source, effectively placing a route in the source's route table for that other path, circumventing the default gateway from that point forward when talking to that distant target.

Look at the route table on one of the hosts that got redirected; you'll see (in Windows, for example, with "route print") that the ICMP redirect has added a route to the target that's not via the default gateway.

Your default gateway is aware of a better path for this traffic and is attempting to redirect hosts that way.



Rob Riskin wrote:
Hey everyone,

This is my first time writing to this list so please bear with me.  I
recently updated my snort sensor to 2.8.6 yesterday and loaded it up
and started receiving a bunch of ICMP Redirect Host alerts.

The source is one of my layer 3 switches (but it routes as well) and
the destinations are my two domain controllers (DNS, DHCP), my
exchange server, and about 18 random workstations.

Deeper in the packet it has an original source of 128.6.x.x block
address which resolves to staff-108.scc.rutgers.edu or rutgers.edu
addresses and then the destination is my internal servers. So somehow
these source addresses are making their way into my network, accessing
our switch and getting forwarded to certain servers.

I've googled to no end about this and find answers that it is just
normal "bat" traffic or it could be the winfreeze exploit.

I have firewalls blocking inbound traffic and I'm not sure how to
determine the cause or reasoning behind these addresses.  Our network
has no affiliation with Rutgers so I have no idea why these addresses
would be coming in.  The only inbound traffic that our Exchange server
should be receiving is from our spam filtering company and that is
rule based via the firewall.

Can anyone point me in the right direction on where I should check or
determine what this traffic even is or how to stop it? I have a laptop
with Wireshark and am ready to sniff but I'm not sure at what point to
sniff.  If I sniff internally it's just going to be traffic from my
router not the external address.

Thanks in advance!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




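Mark's explanation and Rob's question both come down to reading the fields of the redirect itself: who sent it, which host it is addressed to, which next hop it proposes, and what the quoted original datagram looked like. The following script is an added example, not code from the thread or from Snort; it builds two constructed ICMP Redirect packets (one shaped like the textbook case Mark describes, one shaped like the alerts in the original question), parses them the way a sniffer would, and lists the ways each one departs from what a legitimate redirect from the default gateway should look like. All addresses (10.0.1.0/24 as the host subnet, 10.0.1.1 as the default gateway, 203.0.113.10 standing in for the external 128.6.x.x source) and the function and field names are assumptions made for the example.

```python
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a correctly
    checksummed message (used below to validate the ICMP part of a packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src, dst, total_len, proto, ident, ttl) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(router, host, new_gateway, orig_src, orig_dst) -> bytes:
    """Construct an IPv4 packet carrying an ICMP Redirect (type 5, code 1 = host redirect)
    from `router` to `host`, quoting an original UDP datagram orig_src -> orig_dst.
    This is a constructed sample for the demo, not a capture."""
    orig_payload = struct.pack("!HHHH", 1025, 53, 20, 0)       # first 8 bytes: a UDP header
    orig_header = _ipv4_header(orig_src, orig_dst, 40, 17, 0x1234, 64)
    body = ipaddress.IPv4Address(new_gateway).packed + orig_header + orig_payload
    icmp = struct.pack("!BBH", 5, 1, 0) + body
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return _ipv4_header(router, host, 20 + len(icmp), 1, 0x4242, 255) + icmp


def parse_redirect(pkt: bytes) -> dict:
    """Pull the fields a defender cares about out of an IPv4/ICMP Redirect packet:
    outer addresses, the proposed next hop, and the quoted original datagram's
    addresses (the 'deeper in the packet' part of the original question)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if icmp[0] != 5:
        raise ValueError("ICMP type %d is not a redirect" % icmp[0])
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # quoted IP header + 8 bytes of the original datagram
    return {
        "redirect_from": ipaddress.IPv4Address(pkt[12:16]),
        "redirect_to": ipaddress.IPv4Address(pkt[16:20]),
        "code": icmp[1],
        "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
        "orig_src": ipaddress.IPv4Address(inner[12:16]),
        "orig_dst": ipaddress.IPv4Address(inner[16:20]),
        "orig_proto": inner[9],
    }


def assess(fields: dict, host_subnet: str, default_gateway: str) -> list:
    """Reasons the redirect departs from the textbook case in the thread: sent by the
    default gateway, naming a next hop on the host's own subnet, and addressed to the
    host that sent the quoted original datagram (RFC 792). Empty list = looks normal."""
    net = ipaddress.ip_network(host_subnet)
    reasons = []
    if fields["redirect_from"] != ipaddress.IPv4Address(default_gateway):
        reasons.append("redirect not sent by the configured default gateway")
    if fields["new_gateway"] not in net:
        reasons.append("suggested next hop is not on the receiving host's subnet")
    if fields["redirect_to"] != fields["orig_src"]:
        reasons.append("redirect is addressed to a host that did not send the original datagram")
    return reasons


# Constructed sample 1: the case Mark describes. The default gateway 10.0.1.1 tells
# workstation 10.0.1.50 to reach 10.0.2.7 via the other router 10.0.1.2 on the same subnet.
NORMAL_REDIRECT = build_redirect("10.0.1.1", "10.0.1.50", "10.0.1.2", "10.0.1.50", "10.0.2.7")
# Constructed sample 2: shaped like the alerts in the question. The redirect goes to an
# internal server, but the quoted original datagram was sent by an outside address
# (203.0.113.10 is a documentation-range placeholder for the 128.6.x.x block in the post).
ODD_REDIRECT = build_redirect("10.0.1.1", "10.0.1.20", "10.0.1.2", "203.0.113.10", "10.0.1.20")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_REDIRECT), ("odd", ODD_REDIRECT)):
        fields = parse_redirect(pkt)
        print(name, {k: str(v) for k, v in fields.items()})
        print("  findings:", assess(fields, "10.0.1.0/24", "10.0.1.1") or "none")
```

On the constructed "odd" sample the only finding is that the redirect is addressed to a host that did not send the quoted datagram, which is exactly the mismatch the original post describes (internal destination, external quoted source). Feeding real captured bytes from the sensor into `parse_redirect` gives the same breakdown, and the `assess` checks are a reasonable starting point for a local Snort or Wireshark filter.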

