[lug] Any one seen anything like this before...

John Hernandez John.Hernandez at noaa.gov
Tue May 8 11:23:38 MDT 2001


Could be a Qwest router issuing a redirect.  It's not unusual to see a private IP address within an ISP network.  When I traceroute from my ATT@Home cable modem connection, first hop shows as 10.80.72.1!

Any time you get an ICMP Redirect packet, the payload should contain the IP headers from the packet you presumably sent the router.  Using this information, you should be able to determine if the Redirect was really in response to a valid packet you actually sent to the router.

-John

GeEk wrote:
> 
> I keep seeing stuff like this in my SNORT logs.. I have DSL from Qwest...
> just wondering if anyone has seen the same thing
> 
> [**] IDS199 - CVE-1999-0265 - MISC-ICMPRedirectNet [**]
> 05/07-20:50:28.713110 63.227.8.254 -> 10.0.0.3
> ICMP TTL:254 TOS:0x0 ID:60263 IpLen:20 DgmLen:56
> Type:5  Code:0  REDIRECT
> 3F E3 0B B9 45 00 00 28 33 37 00 00 7E 06 B3 FB  ?...E..(37..~...
> 0A 00 00 02 3F E3 0B B9 04 7D 00 50 53 3B 2A 4D  ....?....}.PS;*M
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> [**] IDS199 - CVE-1999-0265 - MISC-ICMPRedirectNet [**]
> 05/07-20:52:21.778143 63.227.8.254 -> 10.0.0.3
> ICMP TTL:254 TOS:0x0 ID:60723 IpLen:20 DgmLen:56
> Type:5  Code:0  REDIRECT
> 3F E3 0B B9 45 00 05 DC 33 35 40 00 3E 06 AE 48  ?...E...35@.>..H
> 0A 00 00 03 3F E3 0B B9 00 50 3D DE B6 F3 88 A3  ....?....P=.....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> --
> 
> Brian Carpio
> 
> -----
> 
> When you die and your life flashes before your eyes does
> that include the part where your life flashes before your
> eyes?
> 
> -----
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
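
The check described in the reply above, as an added example that is not part of the original thread: it decodes the payloads of the two quoted Snort alerts into the redirect's gateway address and the embedded IP header plus its first 8 payload bytes. It assumes the hex dump starts at the redirect's gateway field (32 bytes, consistent with DgmLen:56), and `local_addrs` is a hypothetical list of your own hosts.

```python
import ipaddress
import struct

# Hex columns copied from the two Snort alerts quoted in this message.
ALERT_1 = ("3F E3 0B B9 45 00 00 28 33 37 00 00 7E 06 B3 FB "
           "0A 00 00 02 3F E3 0B B9 04 7D 00 50 53 3B 2A 4D")
ALERT_2 = ("3F E3 0B B9 45 00 05 DC 33 35 40 00 3E 06 AE 48 "
           "0A 00 00 03 3F E3 0B B9 00 50 3D DE B6 F3 88 A3")


def header_checksum_ok(header: bytes) -> bool:
    """A valid IPv4 header's 16-bit one's-complement sum folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_redirect(hex_dump: str) -> dict:
    """Decode gateway address, embedded IPv4 header and leading 8 payload bytes."""
    data = bytes.fromhex(hex_dump)
    gateway, inner = data[:4], data[4:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no embedded IPv4 header")
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded header truncated")
    info = {
        "gateway": str(ipaddress.IPv4Address(gateway)),
        "total_len": struct.unpack("!H", inner[2:4])[0],
        "ttl": inner[8],
        "proto": inner[9],
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "checksum_ok": header_checksum_ok(inner[:ihl]),
    }
    if info["proto"] in (6, 17):  # TCP/UDP: first 4 payload bytes are the ports
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def plausibly_ours(info: dict, local_addrs: set) -> bool:
    """True if the embedded header is well-formed and sourced from one of our hosts."""
    return info["checksum_ok"] and info["src"] in local_addrs


if __name__ == "__main__":
    for dump in (ALERT_1, ALERT_2):
        # local_addrs here is an assumption: the address the alerts were sent to
        print(parse_redirect(dump), plausibly_ours(parse_redirect(dump), {"10.0.0.3"}))
```

A valid checksum and a local source address only show that the embedded header is well-formed; confirming the packet was really sent still means comparing its ports and destination against your own connection records.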


