RE: What could this icmp mean?

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 02/24/05

    To: "'Tomas'" <s.tomas@gmail.com>, <security-basics@securityfocus.com>
    Date: Thu, 24 Feb 2005 14:00:49 -0800
    
    

    1. Your devices on the 10.30.1.x network have 10.30.1.254 as their
        default gateway, but traffic to 10.30.0.x needs to go by 10.30.1.1
        instead. 10.30.1.254 is attempting to inform 10.30.1.16 that if
        it wants to send traffic to 10.30.0.4, it could save a hop by
        sending those packets directly to 10.30.1.1 instead of relying
        on 10.30.1.254 to forward them.

        Since most clients don't know what to do with ICMP redirects, and
        will just ignore them, it's common to turn them off at the router
        interface.

    2. ICMP packets carry, as payload, a portion of the packet that triggered
        the ICMP. It's no surprise that the checksum contained within this
        partial quotation is a checksum for the full packet, and not just the
        quoted portion. It would be a near-miracle if these computed to the
        same value.

    David Gillett

    > -----Original Message-----
    > From: Tomas [mailto:s.tomas@gmail.com]
    > Sent: Tuesday, February 22, 2005 5:11 AM
    > To: security-basics@securityfocus.com
    > Subject: What could this icmp mean?
    >
    >
    > Hello list,
    >
    > We have networks (10.30.0.0/24 and 10.30.1.0/24) connected through VPN
    > and one internet line. The gateways for VPN are 10.30.0.1 from one side
    > and 10.30.1.1 from the other, and 10.30.1.254 for internet (for both
    > networks).
    >
    > I've launched tcpdump today on my internet firewall's internal
    > interface (10.30.1.254) and I found this:
    >
    > 10.30.1.254 > 10.30.1.16: icmp: redirect 10.30.0.4 to host 10.30.1.1 for
    > 10.30.1.16.445 > 10.30.0.4.1959: [|tcp] (DF) (ttl 127, id 7691, bad cksum
    > c76d! differs by 100) (ttl 255, id 23807)
    >
    > I'm a bit confused, what could this icmp mean? First of all, I'm sure
    > that neither of these hosts (10.30.1.254, 10.30.1.16, 10.30.0.4) is
    > sending any icmp requests (I'm not sure about 10.30.1.1; it's not in my
    > control). And second of all, why is the checksum bad?
    >
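To make the two points in the reply concrete, here is an added example (not code from the thread or from either poster) that builds and decodes an ICMP redirect of the kind tcpdump printed above. It extracts the advertised gateway and the quoted flow, verifies the ICMP checksum over the bytes actually on the wire, recomputes the quoted IP header's checksum the way tcpdump does and reports how far off it is, and flags that only the IP header plus eight bytes of the triggering datagram are quoted (RFC 792), which is why tcpdump shows the TCP part as `[|tcp]`. The addresses, ports, TTL and IP id are taken from the post; the packet bytes themselves are constructed here. The functions `build_ipv4_header`, `build_redirect`, `header_checksum_delta` and `parse_redirect` are this example's own names.

```python
"""Decode an ICMPv4 redirect (type 5) and the datagram fragment it quotes.

Added example, not part of the thread. Addresses and ports are the ones
from the original post; the packet bytes are constructed here.
"""
import struct
from ipaddress import IPv4Address

REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, ttl, total_len, ident, df=True) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(gateway, quoted, code=1) -> bytes:
    """ICMP redirect: type 5, code, checksum, gateway address, then the quoted bytes."""
    body = struct.pack("!BBH4s", 5, code, 0, IPv4Address(gateway).packed) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def header_checksum_delta(ip_header: bytes) -> int:
    """Ones'-complement distance between the stored and the recomputed IP header
    checksum. 0 means the header verifies; 0x100 means the TTL byte is off by one
    relative to the checksum (the TTL is the high byte of a checksummed word)."""
    stored = struct.unpack("!H", ip_header[10:12])[0]
    computed = inet_checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:])
    return (computed - stored) % 0xFFFF


def parse_redirect(msg: bytes) -> dict:
    """Return the facts a tcpdump 'icmp: redirect' line is built from."""
    if len(msg) < 28:
        raise ValueError("too short: need ICMP header plus a quoted IPv4 header")
    icmp_type, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect (type %d)" % icmp_type)
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    inner_hdr = quoted[:ihl]
    ttl, proto = quoted[8], quoted[9]
    transport = quoted[ihl:]
    # The first 8 bytes of TCP or UDP are the ports plus (for TCP) the sequence number.
    ports = (struct.unpack("!HH", transport[:4])
             if proto in (6, 17) and len(transport) >= 4 else (None, None))
    return {
        "code": REDIRECT_CODES.get(code, "unknown"),
        "icmp_checksum_ok": inet_checksum(msg) == 0,
        "gateway": str(IPv4Address(gw)),
        "src": str(IPv4Address(quoted[12:16])),
        "dst": str(IPv4Address(quoted[16:20])),
        "ttl": ttl,
        "proto": proto,
        "sport": ports[0],
        "dport": ports[1],
        "inner_header_checksum_delta": header_checksum_delta(inner_hdr),
        "quoted_bytes": len(quoted),
        # RFC 792 quotes only header + 8 bytes, so a 20-byte TCP header is cut
        # off; tcpdump prints the remainder as "[|tcp]".
        "tcp_header_truncated": proto == 6 and len(transport) < 20,
    }


# Constructed sample: 10.30.1.16:445 -> 10.30.0.4:1959, TTL 127, id 7691, quoted
# by the router as IP header + the first 8 bytes of TCP (ports and sequence number).
INNER_HEADER = build_ipv4_header("10.30.1.16", "10.30.0.4", 6, 127, 60, 7691)
QUOTED = INNER_HEADER + struct.pack("!HHI", 445, 1959, 0x12345678)
SAMPLE_REDIRECT = build_redirect("10.30.1.1", QUOTED)

if __name__ == "__main__":
    for key, value in parse_redirect(SAMPLE_REDIRECT).items():
        print("%-28s %s" % (key, value))
```

Running the block prints the decoded fields for the constructed redirect: gateway 10.30.1.1, code "host", the 445 to 1959 flow, 28 quoted bytes, and `tcp_header_truncated` True. For the hardening the reply recommends, the knobs are `no ip redirects` on a Cisco interface and `net.ipv4.conf.all.send_redirects=0` on a Linux router; on Linux hosts `net.ipv4.conf.all.accept_redirects=0` makes the "ignore them" behaviour explicit rather than incidental.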

