Re: ICMP Redirect Help

[Rob Riskin <rriskin () gmail com>]

Thanks for getting back to me!

I actually just ran wireshark on the same vlan that the snort sensor
was picking this up from and I believe the packets labeled incorrect?
Is that possible?

I filtered a bunch of different ways and found no traces of the
rutgers IP addresses even when the snort sensor was reporting them
through BASE in the original IP packet source.

I filtered via ICMP protocol and found one anomaly which I knew about
prior to these other alerts.  I also was filtering by the traffic from
router to the servers and found no trace of the reported alerts at the
same time, so I think it is safe to say that they are false alerts or
incorrect? Because the ones that i did discover the original IP source
was incorrect. . .

Any other tips or am I chasing dust bunnies?

-Rob

On Tue, Apr 27, 2010 at 4:09 PM, Anderson Carvalho (Netplan)
<anderson () netplan com br> wrote:
> Rob,
>
> Maybe you could look at your internal network to find someone with a IP
> spoofing tool or look if has connections at the inbound traffic of the
> Internet to your network.
>
>
>
>
> Atenciosamente
> Anderson Carvalho
> Consultor de Projetos
>
> Netplan Informática
> anderson () netplan com br
> Site: www.netplan.com.br
> 47 3801 3005
>
> -----Mensagem original-----
> De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Em
> nome de Rob Riskin
> Enviada em: terça-feira, 27 de abril de 2010 13:18
> Para: security-basics () securityfocus com
> Assunto: ICMP Redirect Help
>
> Hey everyone,
>
> This is my first time writing to this list so please bear with me.  I
> recently updated my snort sensor to 2.8.6 yesterday and loaded it up
> and started receiving a bunch of ICMP Redirect Host alerts.
>
> The source is one of my layer 3 switches (but it routes as well) and
> the destinations are my two domain controllers (DNS, DHCP), my
> exchange server, and about 18 random workstations.
>
> Deeper in the packet it has an original source of 128.6.x.x block
> address which resolves to staff-108.scc.rutgers.edu or rutgers.edu
> addresses and then the destination is my internal servers. So somehow
> these source addresses are making their way into my network, accessing
> our switch and getting forwarded to certain servers.
>
> I've googled to no end about this and find answers that it is just
> normal "bat" traffic or it could be the winfreeze exploit.
>
> I have firewalls blocking inbound traffic and i'm not sure how to
> determine the cause or reasoning behind these addresses.  Our network
> has no affiliation with rutgers so I have no idea why these addresses
> would be coming in.  The only inbound traffic that our exchange server
> should be receiving is from our spam filtering company and that is
> rule based via the firewall.
>
> Can anyone point me in the right direction on where i should check or
> determine what this traffic even is or how to stop it? I have a laptop
> with wireshark and am ready to sniff but i'm not sure at what point to
> sniff.  If i sniff internally it's just going to be traffic from my
> router not the external address.
>
> Thanks in advanced!
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and how
> your customers can tell if a site is secure. You will find out how to test,
> purchase, install and use a thawte Digital Certificate on your Apache web
> server. Throughout, best practices for set-up are highlighted to help you
> ensure efficient ongoing management of your encryption keys and digital
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
> d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------