[Snort-users] ICMP Redirect Attack

Phil Wood cpw at ...440...
Fri Apr 6 17:59:10 EDT 2001


I took one of your packets and passed it through a script that
breaks out the content of an icmp redirect:

              RFC791: INTERNET PROTOCOL, September 1981  
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 131            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 43336        | | | | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=49     | Protocol = 6  | Header Checksum = 65477       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 192.86.6.23                                 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 212.223.69.26                          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 25              | Destination Port = 4827       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 569280001                                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Acknowledgment Number = 3478854381                            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=5 | | | | | | | |A|P| | | |  Window = 4096                |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Checksum = 42403              | Urgent Pointer = 0            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Data
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  :  32323020  6D657469  732E6D69  63726F75    : 220 metis.microu :
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

It shows that some box, 212.223.69.26, made a connection to your
smtp (25) server.  It shows your server sent a perfectly valid response
(beginning with 220 metis.microu ...) back to that box. 
Some other box (17), which appears to be on the route to 26:

  ...
  19  ser0.gbw1.ecore.net (212.63.129.46)  273.805 ms  302.637 ms  259.433 ms
  20  212.223.69.17 (212.223.69.17)  272.953 ms  264.606 ms  287.861 ms
  21  212.223.69.26 (212.223.69.26)  292.220 ms  262.796 ms  260.749 ms

sent your smtp server the redirect.  Normally, redirects work between 
routers on a shared media.  It is a way to say, "hey, I delivered your packet,
but in the future you should send it to xyz which is my buddy on the same
routing net."  However, you did send it to xyz (D4 DF 45 1A == 212.223.69.26)!

So, how about this, the box is/was "promiscuous" for email destined for hosts
on its backside.  BTW, UDP packets (traceroute) go right through it.  Hmm,
so do packets destined to smtp:

  Trying 212.223.69.26...
  Connected to 212.223.69.26.
  Escape character is '^]'.
  220 mail.news-master.de ESMTP Lyris service ready

I wonder if someone sent me a redirect.  Should have had my ears on.

In a nutshell, it's junk, probably the result of some poor configuration.
Maybe there are others out in snortland that have the rest of the story.

On Fri, Apr 06, 2001 at 01:34:56PM -0700, Bob Van Cleef wrote:
> 
> How do you read an ICMP redirect alert? I got a bunch of these... but
> looking at the dumps left me sort of confused. ( A not untypical state. :)
> 
> [**] IDS135/icmp-redirect_host [**]
> 04/05-22:14:29.448113 212.223.69.17 -> 192.86.6.23
> ICMP TTL:244 TOS:0xC0 ID:43421 IpLen:20 DgmLen:179
> Type:5  Code:1  REDIRECT
> D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5  ..E.E....H..1...
    ^ xyz ^   ^ start of your packet
> C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01  .V....E.....!...
> CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20  .[..P.......220
> 6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
> 2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D  .com ESMTP Sendm
> 61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B  ail 8.8.8/8.8.8;
> 20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31   Thu, 5 Apr 2001
> 20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20   22:17:59 -0700
> 28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00  (PDT)...Q.......
> 00 04 CE 0E 01 00 00 00 00 01 00                 ...........
> 
> 
> 192.86.6.23 is metis.microunity.com, a mail server.  The contents
> of this packet looks like something I would expect to be coming
> from metis, not being sent to metis.
> 
> There were 13 alerts, the contents were all different, yet most
> looked like something metis would be sending out... but not exactly.
> 
> [**] IDS135/icmp-redirect_host [**]
> 04/05-16:47:53.006829 212.223.69.17 -> 192.86.6.23
> ICMP TTL:244 TOS:0xC0 ID:55381 IpLen:20 DgmLen:157
> Type:5  Code:1  REDIRECT
> D4 DF 45 1A 45 00 00 6D 0C 5B 00 00 31 06 9C C9  ..E.E..m.[..1...
> C0 56 06 17 D4 DF 45 1A 00 19 05 F1 01 C0 3E 5C  .V....E.......>\
> FD 84 55 85 50 18 10 00 F6 3D 00 00 32 35 30 20  ..U.P....=..250
> 6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
> 2E 63 6F 6D 20 48 65 6C 6C 6F 20 5B 32 31 32 2E  .com Hello [212.
> 32 32 33 2E 36 39 2E 32 36 5D 2C 20 70 6C 65 61  223.69.26], plea
> 73 65 64 20 74 6F 20 6D 65 65 74 20 79 6F 75 0D  sed to meet you.
> 0A 31 36 3A 01 00 00 00 31 20 2D 30 37 30 30 20  .16:....1 -0700
> 28 50 44 54 29                                   (PDT)
> 
> If metis was talking to 212.223.69.17, why would it think it was
> talking to 212.223.69.26?
> 
> Bob
> ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
> Bob Van Cleef, Member of Technical Staff         (408) 734-8100
> MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
> 376 Martin Ave., Santa Clara, CA 95050  vancleef at ...211...
> 
> 

-- 
Phil Wood, cpw at ...440...
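Phil's breakdown above came from his own script, which is not shown. The decoder below is an added example, not code from the thread or from Snort, that does the same breakdown on the hex columns of Bob's first alert and then applies the checks a host or an analyst would apply to a redirect. It assumes Snort's ICMP hex dump starts right after the 4-byte type/code/checksum (the leading D4 DF 45 1A bears that out), and the 192.86.6.0/24 local network handed to `assess_redirect` is an illustrative assumption, not something the thread states.

```python
"""Decode and sanity-check the payload of a Snort ICMP redirect alert."""
import ipaddress
import struct

# Constructed input: the hex columns of the first alert quoted in the thread.
# Snort's ICMP dump starts after the 4-byte type/code/checksum, so byte 0 is
# the redirect's gateway address (RFC 792), followed by the original datagram.
ALERT_SRC = "212.223.69.17"  # outer source: whoever sent the redirect
ALERT_DST = "192.86.6.23"    # outer destination: the host being told to reroute
ALERT_PAYLOAD_HEX = """
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00
00 04 CE 0E 01 00 00 00 00 01 00
"""


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """One's-complement sum of a complete IPv4 header is 0xFFFF when intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_redirect_payload(hex_dump: str) -> dict:
    """Split a redirect payload into gateway, embedded IP header and transport fields."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 4 + 20 + 8:
        raise ValueError("too short: need gateway + IP header + 8 transport bytes")
    gateway = ipaddress.IPv4Address(raw[0:4])
    inner = raw[4:]
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded header is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded IP header truncated")
    info = {
        "gateway": gateway,
        "inner_src": ipaddress.IPv4Address(src),
        "inner_dst": ipaddress.IPv4Address(dst),
        "inner_total_len": total_len,
        "ident": ident,
        "ttl": ttl,
        "proto": proto,
        "header_checksum_ok": ipv4_header_checksum_ok(inner[:ihl]),
        # Bytes past the embedded datagram's own length are not part of it.
        "trailing_bytes": max(0, len(inner) - total_len),
        "data_preview": "",
    }
    if proto in (6, 17):  # TCP or UDP: ports are the first 4 transport bytes
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    if proto == 6:
        info["seq"] = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0]
        if len(inner) >= ihl + 13:  # data offset nibble is TCP byte 12
            data_start = ihl + (inner[ihl + 12] >> 4) * 4
            data_end = min(total_len, len(inner))
            if data_start < data_end:
                info["data_preview"] = inner[data_start:data_end].decode(
                    "ascii", "replace").strip()
    return info


def assess_redirect(alert_src: str, alert_dst: str, info: dict, local_net: str) -> list:
    """Return reasons a host should distrust this redirect (empty list = plausible)."""
    findings = []
    if info["gateway"] == info["inner_dst"]:
        findings.append("gateway equals the original destination: the redirect "
                        "tells the host to keep sending where it already sends")
    if info["inner_src"] != ipaddress.IPv4Address(alert_dst):
        findings.append("embedded packet was not sent by the host being redirected")
    # RFC 1122 3.2.2.2: honour redirects only from the current first-hop router,
    # which by definition sits on the local link.
    if ipaddress.IPv4Address(alert_src) not in ipaddress.ip_network(local_net):
        findings.append("redirect came from %s, which is not on %s" % (alert_src, local_net))
    if not info["header_checksum_ok"]:
        findings.append("embedded IP header checksum does not verify")
    return findings


if __name__ == "__main__":
    decoded = parse_redirect_payload(ALERT_PAYLOAD_HEX)
    for key, value in decoded.items():
        print("%-20s %s" % (key, value))
    # Assumption for illustration: the mail server's LAN is 192.86.6.0/24.
    for reason in assess_redirect(ALERT_SRC, ALERT_DST, decoded, "192.86.6.0/24"):
        print("suspect:", reason)
```

Run on Bob's first alert this reproduces Phil's fields (gateway 212.223.69.26, inner 192.86.6.23:25 to 212.223.69.26:4827, ID 43336, TTL 49, valid header checksum) and reports two reasons to ignore the redirect: the gateway is the same address the packet was already sent to, and the sender is not on the mail server's link. It also shows 20 bytes trailing the embedded datagram that Phil's script skipped, which is consistent with his verdict that the message is junk from a misconfigured box rather than a meaningful routing hint.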