ICMP redirect attack and ICMP unreachable message attack

00X1 Foreword

Recently I have been studying various malformed packets and some special packets, and the matching packet detection and interception have to be designed around the characteristics of each attack. The other attacks will be written up when there is time. When I studied the ICMP redirect and ICMP unreachable packet attacks I found them very interesting. In our networks the ICMP protocol is most often seen in ping, which tests connectivity between two hosts. I had heard of these two attacks before, but how do the attack processes work, and what is the principle behind them?
Please study them with me.

00X2 Introduction to the two attack principles

ICMP redirect attack

First assume there are two computers. Normally, when two machines on the network communicate, their traffic passes through a router. The router has a policy: when it finds that a machine on the network is using a non-optimal route, it sends a special ICMP redirect message to that machine telling it to change its route so that the machine's route becomes optimal. "Optimal" versus "non-optimal" can be understood as the shortest straight line between two points, i.e. the fastest way to get there; in itself this is a mechanism that benefits the network.
However, this special ICMP redirect message that changes a route can be forged, and it undergoes no authentication or legitimacy check. In other words, an attacker can send an ICMP redirect message to the victim host and force the victim host to change its routing table.


An ICMP redirect attack packet can force the host to change its route so that it points at the attacker's host, after which the host's traffic has to pass through the attacker's host.
The attacker can then intercept, extract, analyse, modify and replay the user's packets, sniff and hijack the traffic, and act as a man-in-the-middle proxy, creating multiple security threats.

ICMP unreachable packet attack

First analyse the situations in which ICMP unreachable messages occur.
During the TCP three-way handshake, TCP receives an ICMP "destination unreachable" message in these cases:
1. After the client sends a SYN to the server through the connect system call, no process on the server is handling the corresponding address or port; the client then receives an ICMP unreachable message.
2. The client crashes after sending a SYN through the connect system call. The server replies SYN|ACK after receiving the SYN, and the client sends an ICMP unreachable message to the server when it receives the SYN|ACK.
Different hosts process ICMP unreachable packets differently. Some hosts, after receiving an ICMP message saying the network or host is unreachable, simply treat all subsequent packets to that destination address as undeliverable, thus cutting off the connection with the destination host.


An attacker can forge ICMP unreachable messages: as soon as another host sends a SYN request, the attacker immediately sends a fake ICMP unreachable message, cutting off the connection between the victim and the destination and so carrying out the attack.
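To make both forgeries concrete from the defender's side, here is an added Python example (written for this edit; it is not code from the original post or from netwox) that parses ICMP redirect (Type 5) and destination-unreachable (Type 3) messages out of raw IPv4 frames and applies two simple heuristics: a redirect whose advertised gateway is not a router we already trust, and an unreachable that quotes a flow this host never sent or that arrives from a host that is neither the destination nor a known router. The addresses 10.0.0.x and 198.51.100.10, the sample frames, and the trusted-router and active-flow tables are constructed assumptions, and the rules in judge() are this example's heuristics, not an IDS signature.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ICMP_DEST_UNREACH, ICMP_REDIRECT = 3, 5

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum (IPv4 and ICMP); 0 over a message whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def icmp_error_frame(src, dst, itype, icode, rest: bytes, qsrc, qdst, qproto) -> bytes:
    """Constructed IPv4+ICMP error frame. ICMP errors quote the IP header and first 8 payload
    bytes of the offending datagram; for a redirect the 4-byte 'rest' field is the new gateway."""
    quoted = ipv4_header(qsrc, qdst, 8, qproto) + b"\x00" * 8
    body = struct.pack("!BBH", itype, icode, 0) + rest + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(src, dst, len(body), 1) + body

@dataclass
class IcmpError:
    src: str                 # outer source: who claims to have sent the error
    itype: int
    icode: int
    gateway: Optional[str]   # next hop advertised by a redirect, else None
    quoted_src: str          # the flow the error refers to
    quoted_dst: str
    quoted_proto: int

def parse_icmp_error(frame: bytes) -> Optional[IcmpError]:
    """Return the redirect/unreachable carried by an IPv4 frame, else None."""
    if len(frame) < 20 or frame[9] != 1:          # IP protocol 1 = ICMP
        return None
    icmp = frame[(frame[0] & 0x0F) * 4:]
    if len(icmp) < 28 or icmp[0] not in (ICMP_DEST_UNREACH, ICMP_REDIRECT):
        return None
    if inet_checksum(icmp) != 0:                  # corrupt or truncated message
        return None
    q, ip = icmp[8:], lambda b: str(ipaddress.IPv4Address(b))
    return IcmpError(ip(frame[12:16]), icmp[0], icmp[1],
                     ip(icmp[4:8]) if icmp[0] == ICMP_REDIRECT else None,
                     ip(q[12:16]), ip(q[16:20]), q[9])

def judge(msg: IcmpError, trusted_routers: Set[str],
          active_flows: Set[Tuple[str, str, int]]) -> List[str]:
    """Heuristics assumed by this example (not a complete IDS); one finding per string."""
    findings = []
    if msg.itype == ICMP_REDIRECT:
        # A real redirect comes from the router in use and names another router on the link;
        # the post's forgery spoofs the gateway as source but advertises the attacker as next hop.
        if msg.gateway not in trusted_routers:
            findings.append(f"redirect from {msg.src} steers {msg.quoted_dst} via untrusted next hop {msg.gateway}")
        if msg.src not in trusted_routers:
            findings.append(f"redirect source {msg.src} is not a known router")
    else:
        flow = (msg.quoted_src, msg.quoted_dst, msg.quoted_proto)
        if flow not in active_flows:
            findings.append(f"unreachable quotes a flow this host never sent: {flow}")
        # In the post a LAN neighbour emits unreachables for a remote target; a genuine one
        # comes from the destination itself or from a router on the path to it.
        if msg.src not in trusted_routers and msg.src != msg.quoted_dst:
            findings.append(f"unreachable for {msg.quoted_dst} sent by {msg.src}, neither destination nor known router")
    return findings

# Constructed lab addresses (assumed for this example, not the post's).
VICTIM, GATEWAY, ATTACKER, TARGET = "10.0.0.5", "10.0.0.1", "10.0.0.66", "198.51.100.10"
TRUSTED_ROUTERS, ACTIVE_FLOWS = {GATEWAY}, {(VICTIM, TARGET, 6)}   # known routers; one TCP attempt in flight
SAMPLE_FRAMES = {
    # spoofed as the gateway, tells the victim to reach TARGET via the attacker
    "forged_redirect": icmp_error_frame(GATEWAY, VICTIM, ICMP_REDIRECT, 1,
                                        ipaddress.IPv4Address(ATTACKER).packed, VICTIM, TARGET, 1),
    # the attacker claims TARGET is unreachable for the victim's SYN
    "forged_unreach": icmp_error_frame(ATTACKER, VICTIM, ICMP_DEST_UNREACH, 1, b"\x00" * 4, VICTIM, TARGET, 6),
    # the real gateway reports the network unreachable for the same flow
    "legit_unreach": icmp_error_frame(GATEWAY, VICTIM, ICMP_DEST_UNREACH, 0, b"\x00" * 4, VICTIM, TARGET, 6),
}

def analyze(frames: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each frame name to its findings; an empty list means it looked legitimate."""
    out = {}
    for name, frame in frames.items():
        msg = parse_icmp_error(frame)
        out[name] = judge(msg, TRUSTED_ROUTERS, ACTIVE_FLOWS) if msg else ["not an ICMP error"]
    return out

if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_FRAMES).items():
        print(name, "->", findings or ["looks legitimate"])
```

Legitimate unreachables can also come from intermediate routers that are not in the trusted set, so the second unreachable check is a lower-confidence signal unless it is backed by an inventory of the routers on the path; the redirect check is stronger, because a host that never expects to learn new gateways from ICMP can treat any Type 5 with an unknown gateway as hostile.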

00X3 Attack test

ICMP redirect attack

Preparation: one Kali virtual machine (attacker), one Ubuntu virtual machine (victim)
Tool: netwox
Below is the topology of the ICMP redirect attack, borrowed from another expert's write-up QAQ.
[topology diagram of the ICMP redirect attack]
Victim: [screenshot]
The attacker forges an ICMP redirect message and sends it to the victim:

netwox 86 -f "host" -g "" -i ""
-f  packet filter; here only Ubuntu's packets are captured
-g  the new route the redirect asks the victim to switch to; here it points at Kali
-i  Ubuntu's original route

Ubuntu Wireshark packet analysis

Some redirect packets are captured. The packet that asks to change the route appears to be sent from the default gateway, but it is actually a redirect packet forged by the attacker.
In the ICMP packet, Type is 5, the Gateway address field is the attacker's IP, and the source is the original gateway address. All of these are forged packets.
Next, ping Baidu from Ubuntu; you will see that the packets are redirected to our attacker.
Look at the DNS query request packet: the packet that was originally sent to the gateway is now sent to the Kali machine. Ubuntu is using Kali as its default gateway.

ICMP unreachable packet attack

The preparation is the same as before, so I won't repeat it. Let's start directly.
netwox 82 is used here. Readers who are not familiar with netwox can look up a detailed explanation of netwox to see how this toolkit is used and what it is for. It contains all sorts of packet construction tools and is quite powerful.

Kali attack

netwox 82 -f "host" -i ""
-f  packet filter     -i  the victim's current gateway address / route address

Ubuntu Wireshark packet capture analysis
The following packets were captured while pinging baidu.com from Ubuntu. Look closely: Kali forged destination-unreachable packets and sent them to Ubuntu, tricking Ubuntu into not accessing Baidu.
This is the result of the ping on Ubuntu. The unreachable packets appear to come from a legitimate source, but in fact the attacker forged them, and the deception has already taken effect.
Next, ping Ubuntu from Kali to see the effect. The result is the same: the packets are intermittent, so the deception works very well.

00X4 How to protect

  1. A firewall can be used to filter ICMP redirect packets: whenever such a packet arrives, it is discarded.
  2. I used Snort IPS to block this kind of packet, in practice also combined with the firewall. The Snort rules for the ICMP redirect attack are as follows:
    The detection rules for the ICMP unreachable packet attack are as follows:
    [screenshot of the Snort rules]
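The firewall and Snort rules above only exist as screenshots in the post, so as a host-side complement here is an added Python example (written for this edit, not from the post) that audits the Linux sysctl knobs deciding whether a host honours ICMP redirects at all: a host with accept_redirects set to 0 on every interface simply ignores a forged Type 5 message like the one netwox 86 sends. The knob names (accept_redirects, secure_redirects, send_redirects under net.ipv4.conf and net.ipv6.conf) are real Linux sysctls; the interface name eth0 and the values in DEFAULT_SETTINGS are constructed for the demo, which runs against a fake /proc/sys tree in a temporary directory so it needs no root.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Per-interface knobs that should read 0 on a host that must never re-route because of an
# ICMP redirect. Linux combines conf/all with conf/<iface> to get the effective value, so
# every interface directory is checked, not only "all".
REDIRECT_KNOBS = ("accept_redirects", "secure_redirects", "send_redirects")

def read_knob(root: str, family: str, iface: str, knob: str) -> Optional[str]:
    """Read one sysctl file under root (normally /proc/sys); None if it does not exist."""
    path = os.path.join(root, "net", family, "conf", iface, knob)
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None            # e.g. IPv6 has no secure_redirects / send_redirects

def audit_redirect_hardening(root: str = "/proc/sys") -> List[str]:
    """Return 'net.<family>.conf.<iface>.<knob>=<value>' for every knob that is not 0."""
    bad = []
    for family in ("ipv4", "ipv6"):
        conf = os.path.join(root, "net", family, "conf")
        if not os.path.isdir(conf):
            continue
        for iface in sorted(os.listdir(conf)):
            for knob in REDIRECT_KNOBS:
                value = read_knob(root, family, iface, knob)
                if value is not None and value != "0":
                    bad.append(f"net.{family}.conf.{iface}.{knob}={value}")
    return bad

def remediation(bad: List[str]) -> List[str]:
    """sysctl commands that switch each offending knob off. Put the same key=0 lines in a
    file under /etc/sysctl.d/ so the setting survives a reboot."""
    return [f"sysctl -w {entry.split('=')[0]}=0" for entry in bad]

def make_demo_tree(base: str, settings: Dict[str, str]) -> None:
    """Construct a fake /proc/sys tree so the audit can be exercised without root."""
    for key, value in settings.items():
        path = os.path.join(base, *key.split("."))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")

# Constructed values resembling stock kernel defaults: redirects are still honoured.
DEFAULT_SETTINGS = {
    "net.ipv4.conf.all.accept_redirects": "1",
    "net.ipv4.conf.all.secure_redirects": "1",
    "net.ipv4.conf.all.send_redirects": "1",
    "net.ipv4.conf.eth0.accept_redirects": "1",
    "net.ipv4.conf.eth0.secure_redirects": "1",
    "net.ipv4.conf.eth0.send_redirects": "1",
    "net.ipv6.conf.all.accept_redirects": "1",
}
HARDENED_SETTINGS = {key: "0" for key in DEFAULT_SETTINGS}

def run_demo(settings: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a constructed tree built from settings and return findings plus fixes."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_tree(tmp, settings)
        bad = audit_redirect_hardening(tmp)
    return {"findings": bad, "fixes": remediation(bad)}

if __name__ == "__main__":
    for line in run_demo(DEFAULT_SETTINGS)["fixes"]:
        print(line)
    print("this host:", audit_redirect_hardening() or "no redirect knobs enabled")
```

send_redirects only matters on a box that forwards traffic, but turning it off on an ordinary host costs nothing; the unreachable attack has no equivalent knob, which is why the post falls back to firewall and IDS rules for it.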

00X5 Summary

ICMP redirect attacks and ICMP unreachable message attacks both exploit flaws in the protocol design, which let an attacker forge these two types of packets to attack and deceive victims.
Follow-up posts will cover all kinds of malformed-packet attacks (LAND attack, teardrop attack, blue bomb, Smurf attack, etc.), flood attacks (UDP flood, SYN flood, TCP flood, etc.) and application-layer DDoS attacks (CC attacks, DNS flooding, etc.), studying their attack patterns and how to detect and block them.

The best time to plant a tree was ten years ago; the next best time is now. May I not waste my youth.


Origin blog.csdn.net/wuyou1995/article/details/105186240