Re: ICMP Redirect Help

["thompson.julian" <thompson.julian () gmail com>]

But note that the reservation is for 128.0.0.0/16 - A Class B - Which
would be 128.0.0.0 - 128.0.255.255

He's talking about a 128.6.x.x

:)

On Wed, Apr 28, 2010 at 7:09 AM, Anderson Carvalho (Netplan)
<anderson () netplan com br> wrote:
> I think Mark is correct. ICMP redirects work just like Mark mentioned. Note
> that on RFC 3330, the IP range 128.0.0.0 is a reserved number.
>
> http://tools.ietf.org/html/rfc3330
>
>
>
>
>
> Atenciosamente
> Anderson Carvalho
> Consultor de Projetos
>
> Netplan Informática
> anderson () netplan com br
> Site: www.netplan.com.br
> 47 3801 3005
>
> -----Mensagem original-----
> De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Em
> nome de Mark
> Enviada em: terça-feira, 27 de abril de 2010 18:05
> Para: Mark
> Cc: Rob Riskin; security-basics () securityfocus com
> Assunto: Re: ICMP Redirect Help
>
> To be more clear, sounds to me like your hosts are attempting the
> connections, the ICMP redirects you are seeing are your router (L3
> switch in your example) saying "go here instead", which should add a
> route of this other router in your host's routing table (if it's
> windows, not sure about others).
>
>
>
> Mark wrote:
> > Here is an example of what an ICMP redirect is:
> >
> > If a machine's default gateway knows of a route that is on the same
> > network you sourced from, it will ICMP redirect the workstation there
> > instead of being a 1-armed router, it sends an ICMP packet to the
> > source effectively placing a route in the source's route table for
> > that other path, circumventing the default gateway from that point
> > forward when talking to that distant target.
> >
> > Look at the route table on one of the hosts that got redirected,
> > you'll see (in windows for example "route print") that the ICMP
> > redirect has added a route to the target that's not the default gateway.
> >
> > Your default gateway is aware of a better path for this traffic and is
> > attempting to redirect hosts that way.
> >
> >
> >
> > Rob Riskin wrote:
> > > Hey everyone,
> > >
> > > This is my first time writing to this list so please bear with me.  I
> > > recently updated my snort sensor to 2.8.6 yesterday and loaded it up
> > > and started receiving a bunch of ICMP Redirect Host alerts.
> > >
> > > The source is one of my layer 3 switches (but it routes as well) and
> > > the destinations are my two domain controllers (DNS, DHCP), my
> > > exchange server, and about 18 random workstations.
> > >
> > > Deeper in the packet it has an original source of 128.6.x.x block
> > > address which resolves to staff-108.scc.rutgers.edu or rutgers.edu
> > > addresses and then the destination is my internal servers. So somehow
> > > these source addresses are making their way into my network, accessing
> > > our switch and getting forwarded to certain servers.
> > >
> > > I've googled to no end about this and find answers that it is just
> > > normal "bat" traffic or it could be the winfreeze exploit.
> > >
> > > I have firewalls blocking inbound traffic and i'm not sure how to
> > > determine the cause or reasoning behind these addresses.  Our network
> > > has no affiliation with rutgers so I have no idea why these addresses
> > > would be coming in.  The only inbound traffic that our exchange server
> > > should be receiving is from our spam filtering company and that is
> > > rule based via the firewall.
> > >
> > > Can anyone point me in the right direction on where i should check or
> > > determine what this traffic even is or how to stop it? I have a laptop
> > > with wireshark and am ready to sniff but i'm not sure at what point to
> > > sniff.  If i sniff internally it's just going to be traffic from my
> > > router not the external address.
> > >
> > > Thanks in advanced!
> > >
> > > ------------------------------------------------------------------------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who needs
> > > an SSL certificate.  We look at how SSL works, how it benefits your
> > > company and how your customers can tell if a site is secure. You will
> > > find out how to test, purchase, install and use a thawte Digital
> > > Certificate on your Apache web server. Throughout, best practices for
> > > set-up are highlighted to help you ensure efficient ongoing
> > > management of your encryption keys and digital certificates.
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
> d1
> > > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and how
> your customers can tell if a site is secure. You will find out how to test,
> purchase, install and use a thawte Digital Certificate on your Apache web
> server. Throughout, best practices for set-up are highlighted to help you
> ensure efficient ongoing management of your encryption keys and digital
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
> d1
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------