Rerouting Attacks

A router's ICMP redirect message tells a host to use another router as its path to a particular destination because that other router has a better route. The rules say a router will send redirects only to hosts on its own local subnets. No user host will ever send a redirect and no redirect will travel more than one network hop. Unfortunately, attackers don’t play by the rules. Some attacks are based on this.

Figure 5-6 shows a situation where using the host default gateway wouldn’t reach the target destination in network 10.1.1.0. The following debug output shows Rtr1 sending a redirect to host 192.168.1.10, telling it to use router Rtr2 (192.168.1.200) as the gateway to reach the destination 10.1.1.10.

Rtr1#debug ip icmp
ICMP packet debugging is on
ICMP: redirect sent to 192.168.1.10 for dest 10.1.1.10, use gw 192.168.1.200
Rtr1#
Figure 5-6: Router Rtr1 redirects traffic to Rtr2

By default, Cisco routers send ICMP redirects. You can use the interface subcommand no ip redirects to disable ICMP redirects. Another solution is to use an ACL to filter out any incoming ICMP redirects. The following code contains examples of each:

Rtr1(config)#interface ethernet 0
Rtr1(config-if)#no ip redirects
Rtr1(config-if)#^Z
Rtr1#
Rtr1#conf t
Rtr1(config)#access-list 125 deny icmp any any redirect
Rtr1(config)#access-list 125 permit ip any any
Rtr1(config)#interface serial 0
Rtr1(config-if)#ip access-group 125 in
Rtr1(config-if)#^Z
Rtr1#

This filtering prevents redirect attacks only by remote attackers; it does nothing against an attacker who has internal access to the same segment as the host under attack.
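Because the router ACL cannot help on the local segment, the receiving host's own sanity checks matter. The following added example (not from the original text) parses an IPv4 ICMP redirect and applies the two discard rules from RFC 1122, section 3.2.2.2. The /24 mask and Rtr1's address 192.168.1.1 are assumptions the page does not give, and build_redirect is a hypothetical helper that only constructs test packets.

```python
import ipaddress
import struct
from socket import inet_aton

# Constructed host view (assumptions): the Figure 5-6 subnet as a /24, and
# 192.168.1.1 as Rtr1's address, which the page does not state.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_GW = ipaddress.ip_address("192.168.1.1")

def parse_redirect(packet: bytes):
    """Return (sender, new_gw, dest) for an IPv4 ICMP redirect, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                        # not IPv4 carrying ICMP (protocol 1)
    ihl = (packet[0] & 0x0F) * 4           # outer IP header length in bytes
    icmp = packet[ihl:]
    if len(icmp) < 28 or icmp[0] != 5:     # need ICMP header + embedded IP header
        return None                        # ICMP type 5 = redirect
    sender = ipaddress.ip_address(packet[12:16])
    new_gw = ipaddress.ip_address(icmp[4:8])
    dest = ipaddress.ip_address(icmp[24:28])   # dst field of the embedded IP header
    return sender, new_gw, dest

def check_redirect(packet: bytes, first_hop=DEFAULT_GW, local_net=LOCAL_NET):
    """List reasons a host should discard this redirect (empty list = plausible)."""
    parsed = parse_redirect(packet)
    if parsed is None:
        return ["not an ICMP redirect"]
    sender, new_gw, dest = parsed
    reasons = []
    if sender != first_hop:                # must come from the router in use
        reasons.append(f"sender {sender} is not the current first hop for {dest}")
    if new_gw not in local_net:            # new gateway must be directly reachable
        reasons.append(f"new gateway {new_gw} is not on {local_net}")
    return reasons

def build_redirect(sender: str, new_gw: str, host: str, dest: str) -> bytes:
    """Construct a test packet (checksums left at zero; not meant for the wire)."""
    inner = (struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 17, 0)
             + inet_aton(host) + inet_aton(dest) + bytes(8))
    icmp = struct.pack("!BBH", 5, 1, 0) + inet_aton(new_gw) + inner
    outer = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0)
             + inet_aton(sender) + inet_aton(host))
    return outer + icmp

if __name__ == "__main__":
    # The redirect from the debug output above, rebuilt as a constructed packet.
    pkt = build_redirect("192.168.1.1", "192.168.1.200", "192.168.1.10", "10.1.1.10")
    print(parse_redirect(pkt), check_redirect(pkt))
```

Both checks trust the packet's source address, so they narrow what a host accepts rather than authenticate the router.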



