
snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule:

--

Sid:
438

--

Summary:
This event is generated when a network host generates an ICMP Redirect with an undefined ICMP code.

--

Impact:
Redirect messages are normally an indication that a shorter route to a particular destination exists.  

--

Detailed Information:
ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.  When a gateway device receives an Internet datagram from a host on the same network, a check is performed to determine the address of the next hop (gateway) in the route to the datagram's destination.  The datagram is then forwarded to the next hop on the route.  If this next-hop gateway is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic.  The ICMP Redirect message informs the original host that a shorter route exists and that any additional traffic should be forwarded directly to the closer gateway device.

ICMP datagrams with undefined codes should never be seen on the network.  This could be an indication of nefarious activity on the network.
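As an added example (not part of this Snort rule documentation), the detection check below parses raw ICMP messages, validates the RFC 1071 ones-complement checksum, and flags Type 5 (Redirect) messages whose code falls outside the four values RFC 792 defines (0 through 3), which is the condition this signature describes. The sample messages and the 192.0.2.1 gateway address are constructed for illustration only.

```python
"""Flag ICMP Redirect (Type 5) messages that carry a code RFC 792 does not define."""
import struct

ICMP_REDIRECT = 5

# RFC 792 defines exactly these four codes for ICMP Type 5.
REDIRECT_CODES = {
    0: "Redirect datagrams for the Network",
    1: "Redirect datagrams for the Host",
    2: "Redirect datagrams for the Type of Service and Network",
    3: "Redirect datagrams for the Type of Service and Host",
}


def _ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit ones-complement sum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_ok(message: bytes) -> bool:
    """A valid ICMP message sums (checksum included) to 0xFFFF under RFC 1071."""
    return _ones_complement_sum(message) == 0xFFFF


def parse_icmp(message: bytes):
    """Return (type, code, checksum, rest_of_header) from a raw ICMP message."""
    if len(message) < 8:
        raise ValueError("ICMP header needs at least 8 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", message[:4])
    return icmp_type, code, checksum, message[4:8]


def classify_redirect(message: bytes):
    """None for non-redirects, 'defined' for codes 0-3, 'undefined' for anything else."""
    icmp_type, code, _, _ = parse_icmp(message)
    if icmp_type != ICMP_REDIRECT:
        return None
    return "defined" if code in REDIRECT_CODES else "undefined"


def scan(messages):
    """Return (index, code, checksum_valid) for every message matching this signature."""
    hits = []
    for idx, msg in enumerate(messages):
        if classify_redirect(msg) == "undefined":
            hits.append((idx, parse_icmp(msg)[1], checksum_ok(msg)))
    return hits


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, data: bytes = b"") -> bytes:
    """Constructed ICMP message with a correct checksum; used only to build sample input."""
    csum = (~_ones_complement_sum(struct.pack("!BBH", icmp_type, code, 0) + rest + data)) & 0xFFFF
    return struct.pack("!BBH", icmp_type, code, csum) + rest + data


# Constructed sample traffic: two defined redirects, one undefined-code redirect, one echo request.
GATEWAY = bytes([192, 0, 2, 1])  # RFC 5737 documentation address, constructed for the example
SAMPLES = [
    build_icmp(5, 1, GATEWAY, b"\x45\x00" + b"\x00" * 26),  # Host redirect, code 1: legitimate
    build_icmp(5, 0, GATEWAY),                               # Network redirect, code 0: legitimate
    build_icmp(5, 9, GATEWAY),                               # code 9 is undefined: this event fires
    build_icmp(8, 0),                                        # Echo request: not a redirect, ignored
]

if __name__ == "__main__":
    for idx, code, valid in scan(SAMPLES):
        print(f"message {idx}: ICMP Redirect with undefined code {code} (checksum ok: {valid})")
```

Because the code value is checked before anything else, a malformed message with a bad checksum still counts as a hit; the checksum result is reported alongside so an analyst can tell a crafted packet from a corrupted one.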

--

Attack Scenarios:
Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.  

--

Ease of Attack:
Numerous tools and scripts can generate this type of ICMP datagram.

--

False Positives:
ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.  

--

False Negatives:
None known

--

Corrective Action:
Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams.

--

Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--

Additional References:
RFC 792

--