also sprach Stephen Gran <sgran@debian.org> [2006.11.03.1246 +0100]:
> I see them at one installation at work.  There, the gateway is
> 10.103.4.3 or something, but some machines have their gateway
> still set to the old router, 10.103.4.1.  When packets arrive at
> .1 for an internet site, .1 sends an icmp redirect to tell them to
> use .3 instead, and they do.  This is correct behavior by all
> parties.  It's some wasted network traffic, and we're cleaning it
> up as we notice it, but it's harmless overall.

Doesn't this also mean that I could plug into this network and send
redirects for 10.103.4.3 to .251 (which is my machine) and snoop in
on traffic that way? ICMP is, after all, datagram-based.

Granted, I could do the same with ARP spoofs anyway, but arpwatch
would detect those. Short of a complete snort install, I doubt
people check ICMP redirects on their networks.

Stephen, could you forward me the relevant log messages from your
work gateway so that I can make sure to properly draft the logcheck
filters?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: Solar Project / Music from Time & Space (Volume 1)
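Added example, not part of the original message or thread: one way to check ICMP redirects on a segment like the one discussed above, by parsing the redirect (RFC 792, type 5) and flagging any that names a gateway outside an expected set. The router set reuses the addresses from the thread; the host 10.103.4.20, the destination 192.0.2.10 and all function names are assumptions, and the sample packet is constructed.

```python
import ipaddress
import struct

# Assumption: the only routers that should issue redirects, and the only
# gateways a redirect may name, are the two routers from the thread.
KNOWN_ROUTERS = {ipaddress.ip_address("10.103.4.1"), ipaddress.ip_address("10.103.4.3")}

def parse_redirect(packet: bytes):
    """Return (sender, new_gateway, original_dst) for an ICMP redirect, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1:            # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    # RFC 792: type 5, code, checksum, gateway address, then the original
    # IP header plus 8 bytes of the datagram that triggered the redirect.
    if len(icmp) < 8 + 20 or icmp[0] != 5:
        return None
    sender = ipaddress.ip_address(packet[12:16])
    gateway = ipaddress.ip_address(icmp[4:8])
    original_dst = ipaddress.ip_address(icmp[8 + 16:8 + 20])
    return sender, gateway, original_dst

def check_redirect(packet: bytes):
    """Return None for non-redirects, 'ok' for expected ones, else a reason."""
    parsed = parse_redirect(packet)
    if parsed is None:
        return None
    sender, gateway, original_dst = parsed
    # The source address is unauthenticated, so the advertised gateway is
    # checked first; the sender check only catches unforged sources.
    if gateway not in KNOWN_ROUTERS:
        return f"redirect to unknown gateway {gateway} from {sender} for {original_dst}"
    if sender not in KNOWN_ROUTERS:
        return f"redirect from unknown sender {sender} to {gateway} for {original_dst}"
    return "ok"

def sample_packet(src: str, gateway: str, host="10.103.4.20", dst="192.0.2.10") -> bytes:
    """Constructed test input; checksums are left at zero and not validated above."""
    def ip_header(s, d, proto, length):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(s).packed, ipaddress.ip_address(d).packed)
    inner = ip_header(host, dst, 6, 40) + bytes(8)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(gateway).packed) + inner
    return ip_header(src, host, 1, 20 + len(icmp)) + icmp
```

The redirect Stephen describes (.1 pointing hosts at .3) passes, while one naming .251 as the gateway is reported even when its source address claims to be .1.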