ICMP Redirects from residential customer subnets?

Ray Soucy rps at maine.edu
Wed May 9 17:10:10 UTC 2012


For most consumer devices this is expected; it will happen if the consumer
router receives traffic not destined for it.

In the Ethernet world, it's usually the result of an active MAC falling out
of the table (e.g. disconnected) before the ARP entry on the router
expires.  The default behavior is to flood the unknown packet out every
port.  On a Cisco switch you would be looking at using something like UUFB
(unknown unicast flood blocking).

You might want to keep an eye on resource usage on your routers if you're
seeing this problem. Without UUFB there is a considerable uptick in ARP and
ICMP traffic caused by this behavior, usually driving up CPU.




On Wed, May 9, 2012 at 10:19 AM, ML <ml at kenweb.org> wrote:

> Last night I was troubleshooting a strange issue where Apple products (So
> far just MacOS and Airports) were losing internet connectivity sporadically.
>
> Originally I thought it was an IPv6 transition technology causing the
> problem but the customer couldn't even ping their default GW via v4.
>
> To rule out the customer mistyping/giving us wrong information on what
> they were seeing  I attempted to verify IP connectivity from my DHCP server
> to them.  I pinged the IP they had retrieved via DHCP earlier.
>
> What I got back were ICMP redirects interspersed with echo replies from
> the customer I was pinging.  The redirects were of the form:
>
> "Redirect Host(New nexthop: x.y.z.23)" The nexthop being an IP of the
> customer I was troubleshooting.  Thinking that was very odd I set up an ACL
> on the vlan serving that subnet to log ICMP redirects.  What I found was
> one IP x.y.z.56 sending redirects to IPs on my network as well as several
> IPs outside my network.  As far as I know there is no legitimate reason for
> a residential PC or home gateway to send ICMP redirects. There were also a
> few dozen other IPs on that subnet sending ICMP redirects.  A majority of
> them had 68:7f:74 (Cisco-Linksys) OUIs.  There were also some Belkins and
> one ASUStek OUI.
>
> The 68:7f:74 source MACs were dispersed amongst many customers, not all
> from the same customer, which leads me to believe there is either a bugged
> Linksys firmware or an exploited Linksys home gateway causing trouble.
>
> Has anyone ever seen something like this before?
>
> Is there any reason to see ICMP redirects on a single-homed residential
> subnet? I'm considering adding ICMP redirects to my customer edge ACL
> unless there is a legitimate purpose for these packets.
>
>
> Thanks
> -ML
>


-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
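The investigation ML describes above (an ACL on the customer VLAN logging ICMP redirects, then working out which hosts send them and which OUIs they carry) can be scripted against the router's syslog. The following is an added example, not code from either poster: it parses IOS-style ACL log lines, keeps only ICMP type 5 (redirect), tallies packets per source, flags every sender other than the VLAN's gateway address, counts distinct offending hosts per OUI, and lists redirect targets outside the operator's own prefixes. The log lines are constructed and only approximate the %SEC-6-IPACCESSLOGDP format produced by an ACE with `log-input`; the addresses are from documentation ranges, the gateway 192.0.2.1 and the prefixes passed in are assumptions, and every MAC other than the 68:7f:74 OUI named in the post is arbitrary.

```python
"""Triage ICMP redirects seen in Cisco IOS ACL log lines.

Added example. The log format below is an approximation of the IOS
%SEC-6-IPACCESSLOGDP message ("src (intf mac) -> dst (type/code), N packets")
and the sample lines are constructed, not captured.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# ICMP variant of the IOS ACL log message. The "(intf mac)" part only
# appears when the ACE is configured with 'log-input', so it is optional.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

ICMP_REDIRECT = 5  # ICMPv4 type 5; code 1 is "redirect for host"


def oui(mac_dotted):
    """'687f.74aa.0001' (IOS dotted form) -> '68:7f:74' (first three octets)."""
    hexdigits = mac_dotted.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in (0, 2, 4))


def parse_line(line):
    """Return a dict for an ICMP ACL log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    rec["count"] = int(rec["count"])
    return rec


def triage_redirects(lines, gateway, local_prefixes):
    """Summarise who sends ICMP redirects on the VLAN and to whom.

    gateway: the router's interface address, the only host on a
    single-homed customer VLAN that has any business sending redirects.
    local_prefixes: prefixes considered the operator's own network;
    redirect targets outside them are reported separately.
    """
    nets = [ip_network(p) for p in local_prefixes]
    packets_by_source = Counter()
    mac_by_source = {}
    external_targets = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] != ICMP_REDIRECT:
            continue  # not an ACL ICMP log, or not a redirect (e.g. echo reply)
        packets_by_source[rec["src"]] += rec["count"]
        if rec["mac"]:
            mac_by_source[rec["src"]] = rec["mac"]
        if not any(ip_address(rec["dst"]) in n for n in nets):
            external_targets.add(rec["dst"])
    offenders = sorted(s for s in packets_by_source if s != gateway)
    # Distinct offending hosts per OUI, to spot one vendor's firmware.
    hosts_per_oui = Counter(oui(mac_by_source[s]) for s in offenders if s in mac_by_source)
    return {
        "packets_by_source": dict(packets_by_source),
        "offenders": offenders,
        "hosts_per_oui": dict(hosts_per_oui),
        "external_targets": sorted(external_targets),
    }


# Constructed sample: three customer hosts redirecting, the gateway itself
# redirecting (legitimate), one echo reply, and an unrelated syslog line.
SAMPLE_LOG = """\
May  9 03:12:01.123: %SEC-6-IPACCESSLOGDP: list CUST-EDGE denied icmp 192.0.2.56 (Vlan200 687f.74aa.0001) -> 198.51.100.10 (5/1), 3 packets
May  9 03:12:04.456: %SEC-6-IPACCESSLOGDP: list CUST-EDGE denied icmp 192.0.2.56 (Vlan200 687f.74aa.0001) -> 203.0.113.7 (5/1), 1 packet
May  9 03:12:09.789: %SEC-6-IPACCESSLOGDP: list CUST-EDGE denied icmp 192.0.2.23 (Vlan200 687f.74bb.0002) -> 198.51.100.10 (5/1), 1 packet
May  9 03:12:11.001: %SEC-6-IPACCESSLOGDP: list CUST-EDGE denied icmp 192.0.2.77 (Vlan200 0123.45cc.0003) -> 198.51.100.10 (5/1), 2 packets
May  9 03:12:15.250: %SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 192.0.2.1 (Vlan200 0000.0c07.ac01) -> 192.0.2.56 (5/1), 1 packet
May  9 03:12:16.000: %SEC-6-IPACCESSLOGDP: list CUST-EDGE permitted icmp 192.0.2.23 (Vlan200 687f.74bb.0002) -> 198.51.100.10 (0/0), 1 packet
May  9 03:12:20.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
""".splitlines()

if __name__ == "__main__":
    summary = triage_redirects(SAMPLE_LOG, "192.0.2.1", ["192.0.2.0/24", "198.51.100.0/24"])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample input this reports 192.0.2.56, 192.0.2.23 and 192.0.2.77 as offenders, two of them under the 68:7f:74 OUI, and 203.0.113.7 as the one redirect target outside the operator's prefixes; the gateway's own redirect is counted but not flagged. The same grouping against real logs is what separates "one firmware bug on many boxes" from "one compromised box".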


