nanog mailing list archives

Re: ICMP Redirects from residential customer subnets?


From: Ray Soucy <rps () maine edu>
Date: Wed, 9 May 2012 13:10:10 -0400

For most consumer devices this is expected, and it will happen if the consumer
router receives traffic not destined for it.

In the Ethernet world, it's usually the result of an active MAC falling out
of the table (e.g. disconnected) before the ARP entry on the router
expires.  The default behavior is to flood the unknown packet out every
port.  On a Cisco switch you would be looking at using something like UUFB
(unknown unicast flood blocking).

You might want to keep an eye on resource usage on your routers if you're
seeing this problem. Without UUFB there is a considerable uptick in ARP and
ICMP traffic caused by this behavior, usually driving up CPU.

On Wed, May 9, 2012 at 10:19 AM, ML <ml () kenweb org> wrote:

Last night I was troubleshooting a strange issue where Apple products (So
far just MacOS and Airports) were losing internet connectivity sporadically.

Originally I thought it was an IPv6 transition technology causing the
problem but the customer couldn't even ping their default GW via v4.

To rule out the customer mistyping/giving us wrong information on what
they were seeing  I attempted to verify IP connectivity from my DHCP server
to them.  I pinged the IP they had retrieved via DHCP earlier.

What I got back were ICMP redirects interspersed with echo replies from
the customer I was pinging.  The redirects were of the form:

"Redirect Host(New nexthop: x.y.z.23)" The nexthop being an IP of the
customer I was troubleshooting.  Thinking that was very odd, I set up an ACL
on the vlan serving that subnet to log ICMP redirects.  What I found was
one IP x.y.z.56 sending redirects to IPs on my network as well as several
IPs outside my network.  As far as I know there is no legitimate reason for
a residential PC or home gateway to send ICMP redirects. There were also a
few dozen other IPs on that subnet sending ICMP redirects.  A majority of
them had 68:7f:74 (Cisco-Linksys) OUIs.  There were also some Belkin and
one ASUStek OUIs.

The 68:7f:74 source MACs were dispersed amongst many customers, not all
from the same customer, which leads me to believe there is either a bugged
Linksys firmware or an exploited Linksys home gateway causing trouble.

Has anyone ever seen something like this before?

Is there any reason to see ICMP redirects on a single-homed residential
subnet? I'm considering adding ICMP redirects to my customer edge ACL
unless there is a legitimate purpose for these packets.


Thanks
-ML

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
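The triage ML describes (find which hosts on the subnet are sending ICMP Redirects, and group the senders by source MAC OUI), as an added example that is not code from this thread or from either poster. It assumes raw Ethernet frames, e.g. from a packet capture on the customer VLAN, rather than Cisco ACL log lines, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed documentation addresses.

```python
import socket
import struct
from collections import Counter

ICMP_REDIRECT = 5          # RFC 792 Redirect message type
LINKSYS_OUI = "68:7f:74"   # OUI prefix ML saw on most redirect senders

def parse_redirect(frame):
    """Decode an Ethernet/IPv4/ICMP frame; return Redirect details or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None                         # too short or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1 or len(ip) < ihl + 8:
        return None                         # not ICMP, or truncated
    icmp = ip[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "src_ip": socket.inet_ntoa(ip[12:16]),
            "dst_ip": socket.inet_ntoa(ip[16:20]),
            "code": icmp[1],                # code 1 = Redirect for Host
            "new_gw": socket.inet_ntoa(icmp[4:8])}

def redirect_senders(frames):
    """Tally Redirects per (source IP, MAC) and flag the Linksys OUI."""
    tally = Counter()
    for f in frames:
        r = parse_redirect(f)
        if r:
            tally[(r["src_ip"], r["src_mac"])] += 1
    return [{"src_ip": ip, "src_mac": mac, "redirects": n,
             "linksys_oui": mac.startswith(LINKSYS_OUI)}
            for (ip, mac), n in tally.items()]

def make_frame(src_mac, src_ip, dst_ip, icmp_type, code=0, new_gw="0.0.0.0"):
    """Constructed sample frame: checksums zero, quoted original datagram omitted."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    icmp = struct.pack("!BBH4s", icmp_type, code, 0, socket.inet_aton(new_gw))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + iph + icmp

# Constructed sample: two Redirect-for-Host messages from one Linksys OUI that
# name a neighbouring customer as the "new" next hop, plus a normal echo reply.
SAMPLE = [
    make_frame("68:7f:74:00:00:01", "192.0.2.56", "198.51.100.10", 5, 1, "192.0.2.23"),
    make_frame("68:7f:74:00:00:01", "192.0.2.56", "203.0.113.5", 5, 1, "192.0.2.23"),
    make_frame("00:11:22:33:44:55", "192.0.2.23", "198.51.100.10", 0),
]
```

Any entry in the result is a host that should not be acting as a router on a single-homed customer subnet; those with the Linksys OUI match the pattern ML reported.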