[Snort-users] ICMP Redirect Attack

Patrick M. Sharkey psharkey at ...1743...
Fri Apr 6 17:38:24 EDT 2001


At 01:34 PM 4/6/2001 -0700, you wrote:

>How do you read an ICMP redirect alert? I got a bunch of these... but
>looking at the dumps left me sort of confused. ( A not untypical state. :)
>
>[**] IDS135/icmp-redirect_host [**]
>04/05-22:14:29.448113 212.223.69.17 -> 192.86.6.23
>ICMP TTL:244 TOS:0xC0 ID:43421 IpLen:20 DgmLen:179
>Type:5  Code:1  REDIRECT
>D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5  ..E.E....H..1...
>C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01  .V....E.....!...
>CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20  .[..P.......220
>6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
>2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D  .com ESMTP Sendm
>61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B  ail 8.8.8/8.8.8;
>20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31   Thu, 5 Apr 2001
>20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20   22:17:59 -0700
>28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00  (PDT)...Q.......
>00 04 CE 0E 01 00 00 00 00 01 00                 ...........
>
>
>192.86.6.23 is metis.microunity.com, a mail server.  The contents
>of this packet looks like something I would expect to be coming
>from metis, not being sent to metis.
>
>There were 13 alerts, the contents were all different, yet most
>looked like something metis would be sending out... but not exactly.
>
>[**] IDS135/icmp-redirect_host [**]
>04/05-16:47:53.006829 212.223.69.17 -> 192.86.6.23
>ICMP TTL:244 TOS:0xC0 ID:55381 IpLen:20 DgmLen:157
>Type:5  Code:1  REDIRECT
>D4 DF 45 1A 45 00 00 6D 0C 5B 00 00 31 06 9C C9  ..E.E..m.[..1...
>C0 56 06 17 D4 DF 45 1A 00 19 05 F1 01 C0 3E 5C  .V....E.......>\
>FD 84 55 85 50 18 10 00 F6 3D 00 00 32 35 30 20  ..U.P....=..250
>6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
>2E 63 6F 6D 20 48 65 6C 6C 6F 20 5B 32 31 32 2E  .com Hello [212.
>32 32 33 2E 36 39 2E 32 36 5D 2C 20 70 6C 65 61  223.69.26], plea
>73 65 64 20 74 6F 20 6D 65 65 74 20 79 6F 75 0D  sed to meet you.
>0A 31 36 3A 01 00 00 00 31 20 2D 30 37 30 30 20  .16:....1 -0700
>28 50 44 54 29                                   (PDT)
>
>If metis was talking to 212.223.69.17, why would it think it was
>talking to 212.223.69.26?
>
>Bob
> ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
>Bob Van Cleef, Member of Technical Staff         (408) 734-8100
>MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
>376 Martin Ave., Santa Clara, CA 95050  vancleef at ...211...

I have been fooled when attempting to decode ICMP packet dumps from snort because it (either pcap or snort) appears to pad with data that is unrelated. In my case, the tcpdump formatted log data is 1500 bytes/packet regardless of how large the "real" packet is.

I suggest that you start from the beginning of the packet dump and reference the IP (RFC 791) header and ICMP (RFC 792) header diagrams. Keep in mind that ICMP messages will quote the IP header and the first 8 bytes of the original datagram.

So figure 20 bytes for the IP header, 8 bytes for the ICMP message, 20-60 bytes for the original message IP header and 8 bytes of data from the original datagram.

I think the SMTP-like data in your packet dumps is padding and not related to the ICMP data at all. However, I am not entirely sure that your data is an ICMP packet, despite what snort says. It just doesn't look right to me.

       Patrick Sharkey
Senior Member Technical Staff
   Network & Communications
    C.S. Draper Laboratory
      voice 617.258.1222
       fax 617.258.2705
     psharkey at ...1743...
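The reply above lays out the RFC 791/792 layout to follow (IP header, ICMP header, quoted original IP header, first 8 bytes of the original datagram). The following decoder walks that layout over the first hex dump Bob posted; it is an added example written for this archive page, not code from either poster or from the Snort project. It assumes that Snort's ICMP hex dump begins at the redirect's gateway-address field, i.e. immediately after the 4-byte type/code/checksum; that assumption is consistent with the alert's lengths, since 20 (IP) + 4 + 155 dumped bytes = 179, the alert's DgmLen. Decoded this way, the gateway field is 212.223.69.26 and the quoted inner header has source 192.86.6.23 (metis) and destination 212.223.69.26, port 25 to port 4827, with an inner total length of 131 bytes, so the dump carries the whole original datagram metis sent (far more than the 8-byte minimum), followed by 20 trailing bytes past the inner total length, which the decoder reports separately.

```python
import socket
import struct

# Hex column of the first alert quoted in the thread (ASCII column dropped).
# Assumption: the dump starts at the ICMP Redirect's gateway-address field,
# i.e. right after type/code/checksum; 20 (IP) + 4 + 155 bytes = DgmLen:179.
REDIRECT_BODY_HEX = """
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00
00 04 CE 0E 01 00 00 00 00 01 00
"""

# RFC 791 fixed IPv4 header: ver/ihl, tos, total length, id, flags/frag,
# ttl, protocol, checksum, src, dst (20 bytes, network byte order).
IP_HEADER = struct.Struct("!BBHHHBBH4s4s")


def snort_hex_to_bytes(dump: str) -> bytes:
    """Turn Snort's space-separated hex column into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_icmp_redirect_body(body: bytes) -> dict:
    """Decode what follows an ICMP Redirect's type/code/checksum (RFC 792):
    a 4-byte gateway address, then the quoted original IP header and at
    least 8 bytes of the original datagram's payload."""
    if len(body) < 4 + IP_HEADER.size:
        raise ValueError("too short for a gateway address plus an IP header")
    gateway = socket.inet_ntoa(body[:4])
    quoted = body[4:]
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = IP_HEADER.unpack(quoted[:IP_HEADER.size])
    if ver_ihl >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20-60)
    info = {
        "gateway": gateway,
        "inner_src": socket.inet_ntoa(src),
        "inner_dst": socket.inet_ntoa(dst),
        "inner_id": ident,
        "inner_ttl": ttl,
        "inner_proto": proto,
        "inner_total_len": total_len,
        # How much of the original datagram was actually quoted.
        "quoted_bytes": min(total_len, len(quoted)),
        # Bytes beyond the inner datagram's own total length (padding or
        # whatever the capture tacked on); not part of the quoted packet.
        "trailing_bytes": max(0, len(quoted) - total_len),
    }
    # For TCP (6) and UDP (17) the first 4 bytes after the IP header are ports,
    # which is why RFC 792 requires at least 8 bytes of the original payload.
    l4 = quoted[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:
        info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", l4[:4])
    return info


def describe(info: dict) -> str:
    """One-line summary suitable for an analyst's notes."""
    ports = ""
    if "inner_sport" in info:
        ports = " %d -> %d" % (info["inner_sport"], info["inner_dport"])
    return ("redirect to gateway %s for datagram %s -> %s proto %d%s "
            "(inner len %d, %d quoted, %d trailing)" % (
                info["gateway"], info["inner_src"], info["inner_dst"],
                info["inner_proto"], ports, info["inner_total_len"],
                info["quoted_bytes"], info["trailing_bytes"]))


if __name__ == "__main__":
    print(describe(parse_icmp_redirect_body(snort_hex_to_bytes(REDIRECT_BODY_HEX))))
```

Because the inner source address is the host the redirect was sent to, the decoder makes the check an analyst wants on any redirect alert explicit: whether the quoted datagram is really one the redirected host sent, and whether the quoted length and any trailing bytes are consistent with the outer DgmLen. Run it on the second dump from the thread the same way (DgmLen 157 = 20 + 4 + 133 dumped bytes) to compare.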