[152688] in North American Network Operators' Group
ICMP Redirects from residential customer subnets?
daemon@ATHENA.MIT.EDU (ML)
Wed May 9 10:20:47 2012
Date: Wed, 09 May 2012 10:19:24 -0400
From: ML <ml@kenweb.org>
To: nanog@nanog.org
Last night I was troubleshooting a strange issue where Apple products
(so far just MacOS and Airports) were losing internet connectivity
sporadically.

Originally I thought it was an IPv6 transition technology causing the
problem, but the customer couldn't even ping their default GW via v4.

To rule out the customer mistyping/giving us wrong information on what
they were seeing, I attempted to verify IP connectivity from my DHCP
server to them. I pinged the IP they had retrieved via DHCP earlier.

What I got back were ICMP redirects interspersed with echo replies from
the customer I was pinging. The redirects were of the form:
"Redirect Host(New nexthop: x.y.z.23)", the nexthop being an IP of the
customer I was troubleshooting. Thinking that was very odd, I set up an
ACL on the vlan serving that subnet to log ICMP redirects. What I found
was one IP, x.y.z.56, sending redirects to IPs on my network as well as
several IPs outside my network. As far as I know there is no legitimate
reason for a residential PC or home gateway to send ICMP redirects.

There were also a few dozen other IPs on that subnet sending ICMP
redirects. A majority of them had 68:7f:74 (Cisco-Linksys) OUIs. There
were also some Belkin and one ASUStek OUI.

The 68:7f:74 source MACs were dispersed amongst many customers, not all
from the same customer, which leads me to believe there is either a
bugged Linksys firmware or an exploited Linksys home gateway causing
trouble.

Has anyone ever seen something like this before?

Is there any reason to see ICMP redirects on a single-homed residential
subnet? I'm considering adding ICMP redirects to my customer edge ACL
unless there is a legitimate purpose for these packets.
Thanks
-ML
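As an added example (not part of the original post), a small Python script that turns ACL log lines of the kind the post describes into a per-source summary: redirect packets sent, distinct targets, targets outside the customer subnet, and the source OUI. The log line format is a constructed approximation of IOS `log-input` output, and the addresses, MACs and subnet are constructed; only the 68:7f:74 OUI comes from the post.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample approximating IOS "log-input" ACL log lines; the source
# MAC is captured so the OUI can be checked. Addresses are documentation ranges.
SUBNET = ipaddress.ip_network("198.51.100.0/24")  # the customer VLAN (assumed)
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 198.51.100.56 (Vlan100 687f.7412.ab01) -> 198.51.100.23 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 198.51.100.56 (Vlan100 687f.7412.ab01) -> 203.0.113.9 (5/1), 3 packets
%SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 198.51.100.56 (Vlan100 687f.7412.ab01) -> 192.0.2.77 (5/1), 2 packets
%SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 198.51.100.101 (Vlan100 687f.7400.1122) -> 198.51.100.1 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 198.51.100.140 (Vlan100 0011.2233.4455) -> 198.51.100.23 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 198.51.100.140 (Vlan100 0011.2233.4455) -> 198.51.100.1 (8/0), 4 packets
"""
LINE_RE = re.compile(
    r"permitted icmp (?P<src>[\d.]+) \(\S+ (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packet"
)
# The one OUI the thread names; anything else is reported as "unknown".
KNOWN_OUIS = {"68:7f:74": "Cisco-Linksys"}

def oui_of(cisco_mac):
    """Turn Cisco dotted-hex '687f.7412.ab01' into the OUI '68:7f:74'."""
    hexdigits = cisco_mac.replace(".", "")
    return ":".join(hexdigits[i:i + 2] for i in (0, 2, 4))

def summarize_redirects(log_text, subnet):
    """Aggregate ICMP redirect (type 5) log lines per sending host."""
    per_src = defaultdict(lambda: {"packets": 0, "targets": set(),
                                   "off_subnet": set(), "oui": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["type"] != "5":      # ignore non-redirect ICMP (e.g. echo)
            continue
        entry = per_src[m["src"]]
        entry["packets"] += int(m["count"])
        entry["targets"].add(m["dst"])
        if ipaddress.ip_address(m["dst"]) not in subnet:  # redirects leaving the VLAN
            entry["off_subnet"].add(m["dst"])
        entry["oui"] = oui_of(m["mac"])
    return dict(per_src)

def flag_sources(summary):
    """Any redirect from a customer host is suspect; rank by volume, note vendor."""
    report = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        vendor = KNOWN_OUIS.get(e["oui"], "unknown")
        report.append((src, e["packets"], len(e["targets"]), len(e["off_subnet"]), vendor))
    return report
```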