[152698] in North American Network Operators' Group


Re: ICMP Redirects from residential customer subnets?

daemon@ATHENA.MIT.EDU (Phil)
Wed May 9 14:02:49 2012

In-Reply-To: <CALFTrnN-3+VGu_qr3h31vdYs+_erUUQukYh04yrcj_4QojdWXA@mail.gmail.com>
From: Phil <bedard.phil@gmail.com>
Date: Wed, 9 May 2012 14:00:44 -0400
To: Ray Soucy <rps@maine.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I've seen this reported as a bug recently with Cisco/Linksys since the device is responding to frames for which it isn't the destination MAC when it should just discard them like the below case. Not all consumer gateways do this.

But absolutely agree it is the ARP/MAC age out mismatch issue that is the likely culprit.

Phil

On May 9, 2012, at 1:10 PM, Ray Soucy <rps@maine.edu> wrote:

> This is expected and will happen if the consumer router receives traffic
> not destined for it for most consumer devices.
>
> In the Ethernet world, it's usually the result of an active MAC falling out
> of the table (e.g. disconnected) before the ARP entry on the router
> expires.  The default behavior is to flood the unknown packet out every
> port.  On a Cisco switch you would be looking at using something like UUFB
> (unknown unicast flood blocking).
>
> You might want to keep an eye on resource usage on your routers if you're
> seeing this problem. Without UUFB there is a considerable uptick in ARP and
> ICMP traffic caused by this behavior, usually driving up CPU.
>
> On Wed, May 9, 2012 at 10:19 AM, ML <ml@kenweb.org> wrote:
>
>> Last night I was troubleshooting a strange issue where Apple products (So
>> far just MacOS and Airports) were losing internet connectivity sporadically.
>>
>> Originally I thought it was an IPv6 transition technology causing the
>> problem but the customer couldn't even ping their default GW via v4.
>>
>> To rule out the customer mistyping/giving us wrong information on what
>> they were seeing I attempted to verify IP connectivity from my DHCP server
>> to them.  I pinged the IP they had retrieved via DHCP earlier.
>>
>> What I got back were ICMP redirects interspersed with echo replies from
>> the customer I was pinging.  The redirects were of the form:
>>
>> "Redirect Host(New nexthop: x.y.z.23)" The nexthop being an IP of the
>> customer I was troubleshooting.  Thinking that was very odd I set up an ACL
>> on the vlan serving that subnet to log ICMP redirects.  What I found was
>> one IP x.y.z.56 sending redirects to IPs on my network as well as several
>> IPs outside my network.  As far as I know there is no legitimate reason for
>> a residential PC or home gateway to send ICMP redirects. There were also a
>> few dozen other IPs on that subnet sending ICMP redirects.  A majority of
>> them had 68:7f:74 (Cisco-Linksys) OUIs.  There were also some Belkins and
>> one ASUStek OUIs.
>>
>> The 68:7f:74 source MACs were dispersed amongst many customers, not all
>> from the same customer, which leads me to believe there is either a bugged
>> Linksys firmware or an exploited Linksys home gateway causing trouble.
>>
>> Has anyone ever seen something like this before?
>>
>> Is there any reason to see ICMP redirects on a single-homed residential
>> subnet? I'm considering adding ICMP redirects to my customer edge ACL
>> unless there is a legitimate purpose for these packets.
>>
>> Thanks
>> -ML
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
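One way to turn the ACL logging ML describes into a quick triage, added here as an example and not code from anyone on this thread: it reads constructed log lines in the Cisco IOS `log-input` ACL layout (the exact format is an assumption; adjust the regex for your platform), keeps only ICMP type 5 (redirect) entries, and tallies senders per source IP and per OUI, noting which senders aimed redirects outside the local subnet. Only the 68:7f:74 OUI mapping comes from the thread; the other MACs and addresses are made up.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Cisco IOS "log-input" ACL format (layout is
# an assumption). 68:7f:74 is the OUI from the thread; the 02:00:00 MACs are
# locally administered addresses invented for the sample.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.56 (Vlan100 687f.7412.3456) -> 198.51.100.10 (5/1), 3 packets
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.56 (Vlan100 687f.7412.3456) -> 203.0.113.7 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.23 (Vlan100 687f.74ab.cdef) -> 198.51.100.10 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.77 (Vlan100 0200.0001.0203) -> 198.51.100.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.91 (Vlan100 0200.0001.0204) -> 198.51.100.10 (5/1), 2 packets
"""

LOG_RE = re.compile(
    r"permitted icmp (?P<src>[\d.]+) \(\S+ (?P<mac>[0-9a-f.]{14})\) -> "
    r"(?P<dst>[\d.]+) \((?P<type>\d+)/\d+\), (?P<count>\d+) packet"
)
KNOWN_OUI = {"68:7f:74": "Cisco-Linksys"}  # from the thread; extend as needed

def oui(cisco_mac):
    """Turn 687f.7412.3456 into the colon-separated OUI 68:7f:74."""
    digits = cisco_mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))

def parse_redirects(log_text):
    """Return one dict per logged ICMP type 5 (redirect) entry; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m["type"]) == 5:
            events.append({"src": m["src"], "oui": oui(m["mac"]),
                           "dst": m["dst"], "count": int(m["count"])})
    return events

def summarize(events, local_net):
    """Packets per sending IP, per OUI (vendor name if known), and targets outside local_net."""
    net = ipaddress.ip_network(local_net)
    per_src, per_oui, external = Counter(), Counter(), defaultdict(set)
    for e in events:
        per_src[e["src"]] += e["count"]
        per_oui[KNOWN_OUI.get(e["oui"], e["oui"])] += e["count"]
        if ipaddress.ip_address(e["dst"]) not in net:
            external[e["src"]].add(e["dst"])
    return per_src, per_oui, dict(external)

if __name__ == "__main__":
    per_src, per_oui, external = summarize(parse_redirects(SAMPLE_LOG), "198.51.100.0/24")
    for src, n in per_src.most_common():
        print(f"{src}: {n} redirect packets, external targets {sorted(external.get(src, []))}")
    print(dict(per_oui))
```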


