Preface: Suspicious Router advertisement - Internet Security Systems

Suspicious Router advertisement

advICE : Intrusions : 2000107
Summary

A suspicious-looking ICMP Router Advertisement was seen. This could be a Denial-of-Service (DoS) attempt, or an attempt to redirect traffic in order to compromise the system.

Details

ICMP Router Advertisements are used in some networks so that you can find the local router without having to configure it.

On some systems, an advertisement can be created in order to remotely reconfigure a system's routing tables. Normally, such attacks are intended as a simple Denial of Service. Once the routing tables have been corrupted, the system can no longer talk to its local router, and therefore cannot reach the rest of the Internet.

In some special cases, such packets can be used to compromise the system. A nearby hacker on the same broadcast domain could use this technique to redirect all your traffic through his/her system, sniffing all its contents. A hacker could also use this technique to defeat VPNs, re-opening up supposedly closed communication with the rest of the Internet.

More information

L0pht Advisory
q216141 - Microsoft article: How to disable IRDP
BugtraqID: 578 - Multiple Vendor IRDP Vulnerability
CVE-1999-0875 - DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.
 

Parametric information

numrouters - The number of routers specified by the suspicious IRDP packet.
router1 - Address of the first router.
router2 - Address of the second router.
pref1 - Value of preference field for first router.
pref2 - Value of preference field for second router.
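
The parameters above map directly onto the RFC 1256 ICMP Router Advertisement layout. The following Python parser is an added example, not the product's own detection logic: it extracts those fields and compares the advertised routers with an allow-list. The allow-list check, the function names and the 192.0.2.x sample addresses are assumptions; the page does not state which conditions the signature treats as suspicious.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (0 for an intact message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_router_advertisement(icmp: bytes) -> dict:
    """Parse an ICMP message (IP header removed) into the advisory's parameters."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    msg_type, _code, _cksum, num, entry_words, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if msg_type != 9:  # 9 = Router Advertisement (RFC 1256)
        raise ValueError("not a router advertisement")
    if entry_words < 2 or len(icmp) < 8 + num * entry_words * 4:
        raise ValueError("malformed address entries")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    fields = {"numrouters": num, "lifetime": lifetime}
    for i in range(num):
        off = 8 + i * entry_words * 4
        addr, pref = struct.unpack("!4si", icmp[off:off + 8])  # preference is signed
        fields[f"router{i + 1}"] = str(ipaddress.IPv4Address(addr))
        fields[f"pref{i + 1}"] = pref
    return fields

def unexpected_routers(fields: dict, known_routers: set) -> list:
    """Assumed heuristic: advertised routers that are not on the site's allow-list."""
    advertised = [fields[f"router{i + 1}"] for i in range(fields["numrouters"])]
    return [r for r in advertised if r not in known_routers]

def build_sample(entries, lifetime=1800):
    """Assemble a constructed advertisement from (address, preference) pairs."""
    body = b"".join(ipaddress.IPv4Address(a).packed + struct.pack("!i", p) for a, p in entries)
    head = struct.pack("!BBHBBH", 9, 0, 0, len(entries), 2, lifetime)
    cksum = inet_checksum(head + body)
    return head[:2] + struct.pack("!H", cksum) + head[4:] + body

# Constructed sample: one expected router and one that is not on the allow-list.
SAMPLE = build_sample([("192.0.2.1", 0), ("192.0.2.66", 1000)])
if __name__ == "__main__":
    parsed = parse_router_advertisement(SAMPLE)
    print(parsed, unexpected_routers(parsed, {"192.0.2.1"}))
```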

 
Version appeared: 2.1 
