
ICMP Redirection


Presentation Transcript


  1. ICMP Redirection

  2. Introduction
     • An ICMP route redirect message is normally sent by the default router to a host to indicate that there is a shorter route to some particular destination.
     • A hacker can forge an ICMP redirect message to achieve an effect similar to ARP cache poisoning.

  3. Internet Control Message Protocol (ICMP)
     • ICMP is designed to compensate for the deficiencies of the IP protocol.
     • IP has no error-reporting or error-correcting mechanism.
     • E.g. a datagram is dropped because no router is found or because the time-to-live field has reached zero.
     • IP also lacks a mechanism for host and management queries.
     • E.g. a host needs information from another host or router.

  4. Position of ICMP in the network layer

  5. ICMP itself is a network layer protocol. However, its messages are not passed directly to the data link layer. Instead, the messages are first encapsulated inside IP datagrams.

  6. Figure 9-4 General format of ICMP messages

  7. ICMP message types:
     3: Destination unreachable
     4: Source quench
     11: Time exceeded
     12: Parameter problem
     5: Redirection
     8, 0: Echo request or reply
     13, 14: Timestamp request and reply
     17, 18: Address mask request and reply
     10, 9: Router solicitation and advertisement
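As an added example (not part of the presentation), the general ICMP format from the slides above parsed from raw bytes in Python: type, code, checksum, the 4-byte "rest of header" (which for a redirect carries the gateway address) and the quoted datagram that follows. The message returned by sample_redirect() is a constructed test vector using private 10.0.0.0/8 addresses, not a captured packet, and the checksum routine is the standard RFC 1071 one's-complement sum.

```python
import struct
from ipaddress import IPv4Address

# ICMP type numbers as listed on the slide.
ICMP_TYPE_NAMES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirection", 8: "echo request", 9: "router advertisement",
    10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
    13: "timestamp request", 14: "timestamp reply",
    17: "address mask request", 18: "address mask reply",
}

ICMP_REDIRECT = 5


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used in the ICMP checksum field.
    Run over a message whose checksum field is already filled in, it returns 0 when valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into the general format: type, code, checksum, rest of header, data."""
    if len(msg) < 8:
        raise ValueError("an ICMP message is at least 8 bytes")
    itype, code, checksum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": itype,
        "code": code,
        "name": ICMP_TYPE_NAMES.get(itype, "unknown"),
        "checksum": checksum,
        "checksum_ok": icmp_checksum(msg) == 0,
        "rest_of_header": msg[4:8],
        "data": msg[8:],
    }
    if itype == ICMP_REDIRECT:
        # For a redirect the "rest of header" is the address of the router to use instead, and
        # the data part quotes the IP header (+ 8 bytes) of the datagram that triggered it.
        info["gateway"] = str(IPv4Address(msg[4:8]))
        if len(msg) >= 28:  # 8-byte ICMP header + 20-byte quoted IP header
            info["original_src"] = str(IPv4Address(msg[20:24]))
            info["original_dst"] = str(IPv4Address(msg[24:28]))
    return info


def sample_redirect() -> bytes:
    """Constructed test vector (not a captured packet): a host-specific redirect (code 1)
    telling 10.0.0.5 that 10.0.1.7 is reachable through 10.0.0.99."""
    quoted_ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, 17, 0,  # IPv4 / IHL 5, total length 28, TTL 64, protocol UDP
        IPv4Address("10.0.0.5").packed, IPv4Address("10.0.1.7").packed,
    )
    quoted_l4 = bytes(8)  # first 8 bytes of the quoted transport header
    body = struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + IPv4Address("10.0.0.99").packed
    body += quoted_ip_header + quoted_l4
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


if __name__ == "__main__":
    print(parse_icmp(sample_redirect()))
```

The checksum check matters for detection tooling: a capture filter that keys only on type 5 will also match corrupted or truncated messages, whereas a host only acts on a redirect whose checksum verifies.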

  8. Redirection
     • When a router or host needs to send a packet destined for another network, it must know the IP address of the next appropriate router.
     • Routers and hosts must therefore have a routing table.
     • For efficiency, hosts usually do not take part in the routing update process.
     • Static routing.

  9. The routing table of a host usually has a limited number of entries.
     • It knows the IP address of only one router, the default router.
     • The host may send a datagram (to another network) to the wrong router.
     • The router that receives such a datagram will
     • forward the datagram to the correct router, and
     • update the routing table of the host by sending a redirection message.

  10. Figure 9-11

  11. Redirection codes:
     Code 0: Redirection for a network-specific route
     Code 1: Redirection for a host-specific route
     Code 2: Redirection for a network-specific route based on the specified type of service
     Code 3: Redirection for a host-specific route based on the specified type of service

  12. Figure 9-6

  13. Some hosts that receive an ICMP redirect perform some checks before modifying their routing table.
     • These are meant to prevent a misbehaving router or host, or a malicious user, from incorrectly modifying a system's routing table.
     • However, it is not difficult to create a bogus ICMP message that passes all these tests.

  14. Common items that may be verified:
     • The new router must be on a directly connected network.
     • The redirect message must be sent from the current router for that destination.
     • The redirect message cannot tell the host to use the sender of the redirect message as the router.
     • The route that's being modified must be an indirect route.
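As an added example (not from the presentation), the four checks on the slide above implemented as a routing-table validation routine in Python. The target's routing table is an assumption built from the addresses on slide 15 (target 137.189.89.184, default router 137.189.91.254, far host 137.189.8.146, attacker 137.189.89.186); the connected subnet 137.189.88.0/22 is assumed so that the host and its default router share one LAN. The last scenario illustrates the presentation's point that a message whose source address claims to be the current router passes every check, so these checks alone are not a defence.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Route:
    destination: IPv4Network        # IPv4Network("0.0.0.0/0") is the default route
    gateway: Optional[IPv4Address]  # None means the destination is directly connected


@dataclass
class Redirect:
    sender: IPv4Address        # source address of the IP datagram carrying the ICMP redirect
    new_gateway: IPv4Address   # "rest of header" field: the router the host is told to use instead
    original_dst: IPv4Address  # destination of the datagram quoted in the redirect body


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as a host's routing lookup does."""
    matches = [r for r in table if dst in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def check_redirect(redirect: Redirect, table: List[Route]) -> List[str]:
    """Apply the slide's common checks; returns the failed checks (an empty list means accept)."""
    failures = []
    connected = [r.destination for r in table if r.gateway is None]
    # 1. The new router must be on a directly connected network.
    if not any(redirect.new_gateway in net for net in connected):
        failures.append("new router is not on a directly connected network")
    # 2./4. The route being modified must be an indirect route, and the redirect must come
    #       from the router currently used for that destination.
    route = lookup(table, redirect.original_dst)
    if route is None or route.gateway is None:
        failures.append("route being modified is not an indirect route")
    elif route.gateway != redirect.sender:
        failures.append("redirect was not sent by the current router for that destination")
    # 3. The redirect cannot tell the host to use the sender itself as the router.
    if redirect.new_gateway == redirect.sender:
        failures.append("redirect names its own sender as the new router")
    return failures


# Assumed routing table of the target 137.189.89.184: the /22 connected subnet is an
# assumption chosen so that the host and the default router from slide 15 share a LAN.
LAN = IPv4Network("137.189.88.0/22")
DEFAULT_ROUTER = IPv4Address("137.189.91.254")
TARGET_TABLE = [
    Route(LAN, None),
    Route(IPv4Network("0.0.0.0/0"), DEFAULT_ROUTER),
]
FAR_HOST = IPv4Address("137.189.8.146")
ATTACKER = IPv4Address("137.189.89.186")

# A redirect that honestly carries the attacker's own address fails checks 2 and 3.
from_attacker = Redirect(sender=ATTACKER, new_gateway=ATTACKER, original_dst=FAR_HOST)
# A redirect pointing to a router outside the LAN fails check 1.
off_lan = Redirect(sender=DEFAULT_ROUTER, new_gateway=IPv4Address("10.9.9.9"), original_dst=FAR_HOST)
# The slide's scenario: source address matches the default router, gateway is on the LAN.
# Every check passes, which is why hosts should not accept redirects at all (slide 20).
forged = Redirect(sender=DEFAULT_ROUTER, new_gateway=ATTACKER, original_dst=FAR_HOST)

if __name__ == "__main__":
    for name, r in [("from_attacker", from_attacker), ("off_lan", off_lan), ("forged", forged)]:
        print(name, check_redirect(r, TARGET_TABLE) or "ACCEPTED")
```

A redirect for a destination that is already directly connected (for example another host on the /22) is rejected by check 4, since only indirect routes may be modified.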

  15. ICMP Spoofing
     • A hacker can fake an ICMP redirect message to achieve an effect similar to ARP cache poisoning.
     • Suppose the hacker (137.189.89.186) tries to convince the target (137.189.89.184) that the shortest path to 137.189.8.146 is through 137.189.89.186. Assume the original default router is 137.189.91.254.
     • The following bogus packet will be sent.

  16. Layout of the bogus message: IP header | ICMP header | embedded header (the embedded header need not be filled in for the bogus message).

  17. Some Properties of ICMP Redirect
     • Unlike ARP cache entries, those host routes won't expire with time.
     • For some systems, they do expire.
     • In our Red Hat 7.3 system, the updated entries are stored in the routing cache, and these entries will expire.
     • The attack can be launched from anywhere.
     • The target can be stopped from talking to any particular address not on the same subnet (DoS).

  18. Possible types of attacks
     • Sniffing
     • Man-in-the-middle attack
     • Session hijack
     • DoS
     • Nameserver
     • Router

  19. Demonstration
     • We will discuss the program "icmp_redir.c".
     • Experiment:
     • Use Ethereal to capture the spoofed ICMP redirect message.
     • Use the command "route -nC" to show that the target machine accepts the redirect and updates its routing cache table.
     • We can further show that subsequent packets sent to the original destination will be redirected to the "dummy host".

  20. Preventions
     • Firewall
     • Block all ICMP redirect messages coming from outside the LAN.
     • It is not wise to rely on the firewall only.
     • It cannot block hackers who already have access to your LAN.
     • Simply stop the ICMP redirect feature
     • Configure your host not to accept any ICMP redirect message.

  21. For Red Hat 6.1:
     for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
         echo 0 > $f
     done
     For Red Hat 6.2 or above, edit the /etc/sysctl.conf file and add the following lines:
     # Disable ICMP Redirect Acceptance
     net.ipv4.conf.all.accept_redirects = 0
     net.ipv4.conf.eth0.accept_redirects = 0
     You must restart your network for the change to take effect:
     /etc/rc.d/init.d/network restart
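An added Python example (not from the presentation) that audits the same /proc/sys/net/ipv4/conf/*/accept_redirects knobs the slide sets and generates the matching /etc/sysctl.conf lines for every knob still at 1. demo() builds a constructed copy of that directory tree in a temporary directory (interface names all, default, eth0, lo are the real layout, the values are made up) so it runs without root or a Linux kernel; on a real host call audit_accept_redirects() with its default path.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

CONF_ROOT = Path("/proc/sys/net/ipv4/conf")  # real location on a Linux host


def audit_accept_redirects(conf_root=CONF_ROOT) -> Dict[str, int]:
    """Read every <conf_root>/<interface>/accept_redirects and return {interface: value}."""
    values = {}
    for knob in sorted(Path(conf_root).glob("*/accept_redirects")):
        values[knob.parent.name] = int(knob.read_text().strip())
    return values


def nonzero_knobs(values: Dict[str, int]) -> List[str]:
    """Knobs that still accept redirects. On a host that is not forwarding, the kernel honours a
    redirect on an interface if either conf/all or that interface's own knob is 1, so every
    entry must be 0 (this is why the slide sets both 'all' and 'eth0')."""
    return sorted(iface for iface, value in values.items() if value != 0)


def sysctl_conf_lines(interfaces: List[str]) -> List[str]:
    """The /etc/sysctl.conf lines from the slide: 'all' plus one line per offending knob."""
    lines = ["# Disable ICMP Redirect Acceptance", "net.ipv4.conf.all.accept_redirects = 0"]
    for iface in interfaces:
        if iface != "all":
            lines.append(f"net.ipv4.conf.{iface}.accept_redirects = 0")
    return lines


def demo() -> Dict[str, object]:
    """Audit a constructed conf tree (all=0, default=1, eth0=1, lo=0) and propose the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for iface, value in {"all": 0, "default": 1, "eth0": 1, "lo": 0}.items():
            (root / iface).mkdir()
            (root / iface / "accept_redirects").write_text(f"{value}\n")
        values = audit_accept_redirects(root)
    offenders = nonzero_knobs(values)
    return {"values": values, "offenders": offenders, "fix": sysctl_conf_lines(offenders)}


if __name__ == "__main__":
    result = demo()
    print("still accepting:", result["offenders"])
    print("\n".join(result["fix"]))
```

On current systems the same settings can be applied immediately with sysctl -w net.ipv4.conf.all.accept_redirects=0 (and the per-interface equivalents) and made persistent with the sysctl.conf lines above followed by sysctl -p, instead of restarting the network service.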

  22. References
     • Yuri Volobuev, "Playing redir games with ARP and ICMP" (it does not seem to have been published formally).
     • Forouzan, TCP/IP Protocol Suite, Chapter 9 (Introduction to ICMP).
