Icmp Message Types - Learning Module

Loading content...

0/228

Redirect

The Network's Course Correction

Imagine you're driving to a destination and your GPS routes you through a particular intersection. A traffic officer stops you and says: "Next time you want to go that direction, take the left turn right here instead of driving all the way to me first. It's a shorter path." The officer lets you continue your current route but has just taught you a better route for future trips.

This is exactly how ICMP Redirect (Type 5) works in IP networks. A router that forwards a packet sends a Redirect message back to the source saying: "You sent this packet to me, but there's a better gateway on your same network. Next time, send directly there."

Redirect messages enable dynamic route optimization without requiring hosts to run routing protocols. However, they also represent one of the most significant security vulnerabilities in ICMP, leading to their widespread deprecation in modern networks.

What You Will Learn

By the end of this page, you will understand the complete mechanics of ICMP Redirect messages, their legitimate use cases, the four redirect code values, why they present security risks, and how modern networks handle (or disable) them. You'll gain insight into a protocol feature that solved early routing problems but became a liability.

The Problem Redirect Solves

ICMP Redirect addresses a specific inefficiency in networks with multiple gateways. Consider a LAN with two routers:

Router A (192.168.1.1): Default gateway, routes to the Internet
Router B (192.168.1.2): Routes to remote corporate offices via WAN link
Host (192.168.1.100): Configured with only Router A as default gateway

When the host wants to reach a corporate office (10.20.30.0/24), it sends the packet to Router A (its only known gateway). Router A knows that Router B is the correct gateway for that destination, forwards the packet to Router B, then sends an ICMP Redirect to the host.

Converting Mermaid diagram...

The Efficiency Gain:

Without Redirect, the inefficient path persists:

Host → Router A → Router B → Destination (every packet)

With Redirect, after the first packet:

Host → Router B → Destination (direct optimal path)

When Redirect is Generated:

A router generates a Redirect message when ALL of the following conditions are met:

The packet arrives on the same interface as the optimal outgoing interface
The source IP address is on the same network as the next-hop gateway
The packet is not source-routed
The redirect's gateway is directly reachable from the source host
The router is configured to send redirects (not always true today)

The Same-Interface Requirement

The key condition is that the packet arrives and departs on the same interface. This means the source host and the better gateway are on the same LAN. The router essentially says: "You could have sent this directly to your neighbor instead of through me."

Redirect Message Format

The ICMP Redirect message has a unique format among ICMP messages—it includes a Gateway Address field specifying the recommended next-hop router.

ICMP Redirect Message Structure

Packet Layout

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type (5)    |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Gateway IP Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                 Original IP Header (20-60 bytes)              +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              First 8 Bytes of Original Datagram              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
Type:    5 (Redirect)
Code:    0 = Redirect for Network
         1 = Redirect for Host
         2 = Redirect for TOS and Network
         3 = Redirect for TOS and Host
Gateway: IP address of the recommended router
Data:    Original IP header + first 8 bytes (for identification)

ICMP Redirect Code Values
Code	Name	Scope	Description
0	Redirect for Network	Network-wide	All traffic to the destination network should use the specified gateway
1	Redirect for Host	Host-specific	Only traffic to this specific host should use the specified gateway
2	Redirect for TOS and Network	TOS-specific network	Traffic to this network with this Type of Service should use the gateway
3	Redirect for TOS and Host	TOS-specific host	Traffic to this host with this Type of Service should use the gateway

Code Selection Logic:

Code 0 (Network Redirect): Generated when the router determines that an entire network is better served by the alternative gateway. The host should update its routing table to send all traffic for that network prefix via the new gateway.

Code 1 (Host Redirect): Generated when only traffic to this specific destination host should use the alternative gateway. Other hosts on the same network may still use the original router.

Codes 2-3 (TOS Redirects): These refine the redirect based on Type of Service/DSCP values. A host might use different gateways for different traffic classes. These are rarely implemented in practice.

In modern networks, Code 1 (Host Redirect) is most commonly seen, as router implementations tend to be conservative about making network-wide routing suggestions.

Redirect Processing Behavior

When a host receives an ICMP Redirect, it must decide whether to trust and act on the message. This decision has significant security implications.

Host Redirect Processing Steps

•Step 1: Validation — Host verifies the Redirect came from its current gateway for this destination
•Step 2: Reachability Check — Host confirms the suggested gateway is on a directly connected network
•Step 3: Routing Cache Update — If valid, host adds/modifies a host-route in its routing cache
•Step 4: Timeout — The cached route typically expires after a period (varies by OS)
•Step 5: Future Traffic — Subsequent packets to this destination use the new gateway

Routing Cache vs. Routing Table

ICMP Redirects typically update a temporary routing cache, not the persistent routing table. This means redirect-learned routes expire after a timeout (often 10-20 minutes). If the redirect isn't reinforced, the host reverts to its default gateway. This limits the damage from malicious redirects but also means redirects must be continuously maintained.

Observing Redirect Behavior on Linux
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Check if redirect acceptance is enabled
cat /proc/sys/net/ipv4/conf/all/accept_redirects
# 1 = enabled, 0 = disabled
 
cat /proc/sys/net/ipv4/conf/eth0/accept_redirects
# Per-interface setting
 
# Check if redirect sending is enabled (on routers)
cat /proc/sys/net/ipv4/conf/all/send_redirects
 
# View current routing cache (older kernels)
# Modern kernels (4.x+) don't expose this directly
ip route show cache
 
# Monitor for ICMP Redirects
sudo tcpdump -i eth0 'icmp[0]=5' -nn -v
 
# Sample output:
# IP 192.168.1.1 > 192.168.1.100: ICMP redirect 10.20.30.0/24 to host 192.168.1.2
 
# View kernel messages for redirect processing
dmesg | grep -i redirect
 
# Check routing table for redirect-added routes
ip route show | grep redirected
 
# Disable redirect processing (security hardening)
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
 
# Make persistent
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf

Operating System Redirect Behavior:

OS	Accept Redirects Default	Validation	Cache Duration
Linux (kernel 2.x-3.x)	Enabled	Basic (from default GW)	5-10 minutes
Linux (kernel 4.x+)	Disabled	N/A (ignored)	N/A
Windows 10/11	Enabled	Checks gateway reachability	Variable
macOS	Enabled	Basic validation	20 minutes
FreeBSD	Enabled by default	Configurable strictness	5 minutes
Cisco IOS	N/A (routers, not hosts)	Sends redirects	N/A

Note: Modern Linux kernels (4.x and later) disable redirect acceptance by default as a security measure. This is controlled by net.ipv4.conf.*.accept_redirects.

Security Vulnerabilities: ICMP Redirect Attacks

Critical Security Risk

ICMP Redirect is one of the most dangerous ICMP message types from a security perspective. An attacker who can send forged ICMP Redirect messages can redirect traffic through their own machine, enabling man-in-the-middle attacks. This is why modern systems disable redirect acceptance by default.

The Attack Scenario:

Attacker is on the same LAN as the victim
Victim trusts ICMP Redirects (default on older/misconfigured systems)
Attacker sends forged ICMP Redirect to victim:
- Source IP: Spoofed as victim's default gateway
- Gateway IP: Attacker's own IP address
- Destination: The target the attacker wants to intercept
Victim updates routing cache to send traffic through attacker
Attacker receives victim's traffic, can inspect/modify, then forwards to real destination
Neither victim nor destination knows traffic is being intercepted

Converting Mermaid diagram...

Attack Capabilities Enabled by Redirect Exploitation

•Traffic Interception: All redirected traffic passes through attacker's machine
•Credential Theft: Unencrypted credentials (HTTP, FTP, Telnet) captured in plaintext
•Session Hijacking: Attacker can inject data into ongoing TCP sessions
•SSL Stripping: Attacker can downgrade HTTPS to HTTP before forwarding
•DNS Poisoning: Attacker can modify DNS responses to redirect victim further
•Connection Reset: Attacker can selectively drop or reset connections

Why This Attack Works:

No Authentication: ICMP has no authentication mechanism. Any packet with correct structure is processed.
Source Spoofing: Attacker forges source IP to appear as the legitimate gateway.
Local Network Access: The same-subnet requirement means attacker is already on the LAN, where spoofing is easiest.
Default Trust: Older/misconfigured systems accept redirects by default without strong validation.

Defense Mechanisms

Given the security risks, modern networks implement multiple layers of defense against ICMP Redirect attacks.

Host-Level Defenses

•Disable redirect acceptance: sysctl net.ipv4.conf.all.accept_redirects=0
•Enable strict validation: Only accept from current firsthop router
•Use static routes: Configure explicit routes for critical destinations
•Enable secure mode: Linux secure_redirects sysctl
•Monitor for redirects: Log and alert on ICMP type 5 receipt

Network-Level Defenses

•Disable redirect sending on routers: no ip redirects on interfaces
•Filter ICMP at perimeter: Block type 5 at edge firewalls
•Enable BPDU guard / port security: Prevent rogue devices on switches
•Use 802.1X authentication: Ensure only authorized hosts on LAN
•Deploy DHCP snooping: Prevent rogue DHCP/routing attacks

Hardening Against ICMP Redirect Attacks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Complete sysctl hardening for ICMP Redirects
 
# Disable accepting ICMP redirects (all interfaces)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
 
# Also disable for IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
 
# Enable secure redirects (accept only from default gateway)
# This is a fallback if you can't disable entirely
net.ipv4.conf.all.secure_redirects = 1
 
# Disable sending ICMP redirects (if this is a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
 
# Log suspicious packets (martians, etc.)
net.ipv4.conf.all.log_martians = 1
 
# Apply: sudo sysctl -p /etc/sysctl.conf

Secure Redirects vs. Disabled Redirects

Linux's 'secure_redirects' option accepts redirects only from gateways listed in the default gateway list. This provides some protection while maintaining redirect functionality. However, complete disabling (accept_redirects=0) is recommended for security-critical systems.

Redirect Deprecation in Modern Networks

ICMP Redirect was designed for an era when hosts had minimal routing intelligence and networks had simple topologies. Modern networks have largely moved beyond the scenarios where Redirect provided value.

Why Redirects Are Obsolete

•DHCP provides optimal gateway: Modern DHCP configurations deliver the correct default gateway for each subnet, eliminating the multi-gateway confusion Redirect solved
•First Hop Redundancy Protocols: VRRP, HSRP, and GLBP provide virtual gateway IPs that abstract physical router selection from hosts
•L3 switches eliminate the scenario: Modern networks use L3 switches as default gateways; inter-VLAN routing doesn't create redirect conditions
•Static routes for special destinations: Critical routes are configured statically in DHCP or host configuration
•Security outweighs convenience: The MITM attack risk is unacceptable for the minor optimization gained
•Modern OS defaults: Linux 4.x+ and hardened Windows disable redirect acceptance by default

Redirect Necessity by Network Era
Era	Typical Topology	Redirect Utility	Security Model
1980s-1990s	Simple LANs, multiple routers via hubs	High - hosts truly needed redirection	Trust-based LANs
2000s	Switched networks, VLANs emerging	Medium - some multi-router LANs existed	Growing security awareness
2010s	L3 at access layer, FHRP common	Low - proper design eliminated need	Zero-trust emerging
2020s+	Software-defined, micro-segmented	None - disabled by default everywhere	Zero-trust assumed

Edge Cases Where Redirects Might Still Apply

In very simple or legacy environments (small offices with consumer routers, home networks with unusual configurations), redirects might still technically function. However, even in these cases, proper static route configuration or DHCP options are preferred solutions. There is no modern use case where ICMP Redirect is the recommended approach.

IPv6 Redirect Differences

IPv6 also supports Redirect messages, but with somewhat different semantics integrated with Neighbor Discovery Protocol (NDP) rather than standalone ICMP.

IPv4 vs IPv6 Redirect Comparison
Aspect	IPv4 (ICMPv4)	IPv6 (ICMPv6/NDP)
Message Type	Type 5 (standalone ICMP)	Type 137 (part of NDP)
Sent By	Any router	Only the current first-hop router
Validation	Minimal (OS-dependent)	Must come from link-local address of current router
Target Format	IPv4 address only	Target + Destination + optional link-layer address
Security	None (easily spoofed)	Improved (source link-local verification)
SEcure Neighbor Discovery	N/A	SEND can cryptographically protect Redirects

ICMPv6 Redirect (Type 137) Improvements:

Source Address Validation: ICMPv6 Redirect must come from the link-local address of the current first-hop router. Link-local addresses (fe80::/10) are not routable, making remote spoofing impossible.
Target and Destination Fields: ICMPv6 Redirect includes both the target (new next-hop) and the destination being redirected. The target can be the destination itself (for on-link destinations) or another router.
Optional Link-Layer Address: The redirect can include the target's link-layer address, allowing immediate communication without an additional neighbor solicitation.
SEND Compatibility: Secure Neighbor Discovery (SEND, RFC 3971) can cryptographically sign NDP messages including Redirects, providing authentication. However, SEND deployment is rare.

IPv6 Redirect Still Has Risks

Despite improvements, ICMPv6 Redirect attacks are still possible if an attacker is on the local link. The link-local source requirement only prevents remote attacks. Local attackers can still forge redirects. Most security guidance recommends disabling IPv6 redirects as well.

Disabling IPv6 Redirects
Linux
1
2
3
4
5
6
7
8
9
10
# Disable ICMPv6 redirect acceptance
sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
 
# Verify
cat /proc/sys/net/ipv6/conf/all/accept_redirects
 
# Make persistent
echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

Practical Scenarios and Troubleshooting

While recommending redirect disabling, network engineers must understand scenarios where redirects might appear and how to troubleshoot related issues.

Scenarios Generating Redirects

•Asymmetric Gateway Configuration: Site A hosts configured with Router 1 as gateway, but optimal path to Site B is via Router 2 on the same subnet
•VPN Gateway on LAN: VPN concentrator on same subnet as default gateway; traffic to VPN destinations gets redirected
•Legacy Dual-Homed Servers: Server with multiple NICs where one NIC's router knows better path via the other NIC's subnet
•Misconfigured VRRP/HSRP: Backup router receiving traffic meant for failed master, redirecting to restored master
•Transit Networks: Core router receiving packets that should bypass it entirely

Troubleshooting Redirect Issues
Diagnostic Commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Capture ICMP Redirects on network
sudo tcpdump -i eth0 'icmp[0]=5' -nn -v
 
# Sample output:
# IP 192.168.1.1 > 192.168.1.100: ICMP redirect 10.0.0.0/8 to host 192.168.1.2
 
# This tells us:
# - Router 192.168.1.1 is sending redirects
# - Traffic for 10.0.0.0/8 should use 192.168.1.2 instead
# - Host 192.168.1.100 received this redirect
 
# Check if host is accepting redirects
sysctl net.ipv4.conf.eth0.accept_redirects
 
# Check routing cache for redirect-learned routes (older kernels)
ip route show cache | grep redirect
 
# Check kernel log for redirect messages
dmesg | grep -i "redirect"
 
# Force redirect expiration by flushing route cache
ip route flush cache
 
# On the router generating redirects - verify interface settings
# Cisco: show ip interface | include redirect
# Linux router: sysctl net.ipv4.conf.eth0.send_redirects
 
# The FIX: Proper solution is usually one of:
# 1. Configure proper default gateway in DHCP
# 2. Add static route for specific destination
# 3. Use OSPF/routing protocol for dynamic updates
# 4. Reconfigure network topology to eliminate the condition

Redirect as a Diagnostic Signal

While you should disable redirect acceptance, seeing redirects in packet captures is valuable diagnostic information. It reveals suboptimal routing configuration. Instead of relying on redirects to fix the problem dynamically, use them as signals to fix the underlying network design.

Summary: Understanding ICMP Redirect

ICMP Redirect represents a fascinating case study in protocol evolution—a feature that solved real problems in early networks but became a significant security liability as networks evolved and threat models matured.

Key Takeaways

•Type 5 = Redirect — Four codes (0-3) covering network, host, and TOS-specific redirections
•Original purpose: Optimize routing when hosts had limited routing knowledge and multiple gateways existed on a LAN
•Trigger condition: Router receives packet on same interface as optimal outbound path, with source/destination on that same subnet
•Security risk is severe: Enables trivial man-in-the-middle attacks via forged redirect messages; attacker can intercept all traffic
•Modern systems disable by default: Linux 4.x+, hardened Windows, and security-conscious networks reject redirects
•IPv6 improves but doesn't solve: ICMPv6 Redirect requires link-local sources, preventing remote attacks but not local ones
•Proper design eliminates need: DHCP, FHRP (VRRP/HSRP), and L3 access layers make redirects unnecessary
•Use as diagnostic signal: Seeing redirects in captures indicates suboptimal network design worth fixing

Page Complete

You now understand ICMP Redirect messages comprehensively—their mechanics, security implications, and obsolescence in modern networks. You can configure systems to reject redirects and recognize when network design causes redirect generation. Next, we'll explore Source Quench—another deprecated ICMP message with an interesting history.

Redirect

The Network's Course Correction

What You Will Learn

The Problem Redirect Solves

ICMP Redirect addresses a specific inefficiency in networks with multiple gateways. Consider a LAN with two routers:

Router A (192.168.1.1): Default gateway, routes to the Internet
Router B (192.168.1.2): Routes to remote corporate offices via WAN link
Host (192.168.1.100): Configured with only Router A as default gateway

Converting Mermaid diagram...

The Efficiency Gain:

Without Redirect, the inefficient path persists:

Host → Router A → Router B → Destination (every packet)

With Redirect, after the first packet:

Host → Router B → Destination (direct optimal path)

When Redirect is Generated:

A router generates a Redirect message when ALL of the following conditions are met:

The packet arrives on the same interface as the optimal outgoing interface
The source IP address is on the same network as the next-hop gateway
The packet is not source-routed
The redirect's gateway is directly reachable from the source host
The router is configured to send redirects (not always true today)

The Same-Interface Requirement

Redirect Message Format

The ICMP Redirect message has a unique format among ICMP messages—it includes a Gateway Address field specifying the recommended next-hop router.

ICMP Redirect Message Structure

Packet Layout

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type (5)    |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Gateway IP Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                 Original IP Header (20-60 bytes)              +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              First 8 Bytes of Original Datagram              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
Type:    5 (Redirect)
Code:    0 = Redirect for Network
         1 = Redirect for Host
         2 = Redirect for TOS and Network
         3 = Redirect for TOS and Host
Gateway: IP address of the recommended router
Data:    Original IP header + first 8 bytes (for identification)

ICMP Redirect Code Values
Code	Name	Scope	Description
0	Redirect for Network	Network-wide	All traffic to the destination network should use the specified gateway
1	Redirect for Host	Host-specific	Only traffic to this specific host should use the specified gateway
2	Redirect for TOS and Network	TOS-specific network	Traffic to this network with this Type of Service should use the gateway
3	Redirect for TOS and Host	TOS-specific host	Traffic to this host with this Type of Service should use the gateway

Code Selection Logic:

Code 1 (Host Redirect): Generated when only traffic to this specific destination host should use the alternative gateway. Other hosts on the same network may still use the original router.

In modern networks, Code 1 (Host Redirect) is most commonly seen, as router implementations tend to be conservative about making network-wide routing suggestions.

Redirect Processing Behavior

When a host receives an ICMP Redirect, it must decide whether to trust and act on the message. This decision has significant security implications.

Host Redirect Processing Steps

•Step 1: Validation — Host verifies the Redirect came from its current gateway for this destination
•Step 2: Reachability Check — Host confirms the suggested gateway is on a directly connected network
•Step 3: Routing Cache Update — If valid, host adds/modifies a host-route in its routing cache
•Step 4: Timeout — The cached route typically expires after a period (varies by OS)
•Step 5: Future Traffic — Subsequent packets to this destination use the new gateway

Routing Cache vs. Routing Table

Observing Redirect Behavior on Linux
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Check if redirect acceptance is enabled
cat /proc/sys/net/ipv4/conf/all/accept_redirects
# 1 = enabled, 0 = disabled
 
cat /proc/sys/net/ipv4/conf/eth0/accept_redirects
# Per-interface setting
 
# Check if redirect sending is enabled (on routers)
cat /proc/sys/net/ipv4/conf/all/send_redirects
 
# View current routing cache (older kernels)
# Modern kernels (4.x+) don't expose this directly
ip route show cache
 
# Monitor for ICMP Redirects
sudo tcpdump -i eth0 'icmp[0]=5' -nn -v
 
# Sample output:
# IP 192.168.1.1 > 192.168.1.100: ICMP redirect 10.20.30.0/24 to host 192.168.1.2
 
# View kernel messages for redirect processing
dmesg | grep -i redirect
 
# Check routing table for redirect-added routes
ip route show | grep redirected
 
# Disable redirect processing (security hardening)
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
 
# Make persistent
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf

Operating System Redirect Behavior:

OS	Accept Redirects Default	Validation	Cache Duration
Linux (kernel 2.x-3.x)	Enabled	Basic (from default GW)	5-10 minutes
Linux (kernel 4.x+)	Disabled	N/A (ignored)	N/A
Windows 10/11	Enabled	Checks gateway reachability	Variable
macOS	Enabled	Basic validation	20 minutes
FreeBSD	Enabled by default	Configurable strictness	5 minutes
Cisco IOS	N/A (routers, not hosts)	Sends redirects	N/A

Note: Modern Linux kernels (4.x and later) disable redirect acceptance by default as a security measure. This is controlled by net.ipv4.conf.*.accept_redirects.

Security Vulnerabilities: ICMP Redirect Attacks

Critical Security Risk

The Attack Scenario:

Attacker is on the same LAN as the victim
Victim trusts ICMP Redirects (default on older/misconfigured systems)
Attacker sends forged ICMP Redirect to victim:
- Source IP: Spoofed as victim's default gateway
- Gateway IP: Attacker's own IP address
- Destination: The target the attacker wants to intercept
Victim updates routing cache to send traffic through attacker
Attacker receives victim's traffic, can inspect/modify, then forwards to real destination
Neither victim nor destination knows traffic is being intercepted

Converting Mermaid diagram...

Attack Capabilities Enabled by Redirect Exploitation

•Traffic Interception: All redirected traffic passes through attacker's machine
•Credential Theft: Unencrypted credentials (HTTP, FTP, Telnet) captured in plaintext
•Session Hijacking: Attacker can inject data into ongoing TCP sessions
•SSL Stripping: Attacker can downgrade HTTPS to HTTP before forwarding
•DNS Poisoning: Attacker can modify DNS responses to redirect victim further
•Connection Reset: Attacker can selectively drop or reset connections

Why This Attack Works:

No Authentication: ICMP has no authentication mechanism. Any packet with correct structure is processed.
Source Spoofing: Attacker forges source IP to appear as the legitimate gateway.
Local Network Access: The same-subnet requirement means attacker is already on the LAN, where spoofing is easiest.
Default Trust: Older/misconfigured systems accept redirects by default without strong validation.

Defense Mechanisms

Given the security risks, modern networks implement multiple layers of defense against ICMP Redirect attacks.

Host-Level Defenses

•Disable redirect acceptance: sysctl net.ipv4.conf.all.accept_redirects=0
•Enable strict validation: Only accept from current firsthop router
•Use static routes: Configure explicit routes for critical destinations
•Enable secure mode: Linux secure_redirects sysctl
•Monitor for redirects: Log and alert on ICMP type 5 receipt

Network-Level Defenses

•Disable redirect sending on routers: no ip redirects on interfaces
•Filter ICMP at perimeter: Block type 5 at edge firewalls
•Enable BPDU guard / port security: Prevent rogue devices on switches
•Use 802.1X authentication: Ensure only authorized hosts on LAN
•Deploy DHCP snooping: Prevent rogue DHCP/routing attacks

Hardening Against ICMP Redirect Attacks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Complete sysctl hardening for ICMP Redirects
 
# Disable accepting ICMP redirects (all interfaces)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
 
# Also disable for IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
 
# Enable secure redirects (accept only from default gateway)
# This is a fallback if you can't disable entirely
net.ipv4.conf.all.secure_redirects = 1
 
# Disable sending ICMP redirects (if this is a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
 
# Log suspicious packets (martians, etc.)
net.ipv4.conf.all.log_martians = 1
 
# Apply: sudo sysctl -p /etc/sysctl.conf

Secure Redirects vs. Disabled Redirects

Redirect Deprecation in Modern Networks

Why Redirects Are Obsolete

•DHCP provides optimal gateway: Modern DHCP configurations deliver the correct default gateway for each subnet, eliminating the multi-gateway confusion Redirect solved
•First Hop Redundancy Protocols: VRRP, HSRP, and GLBP provide virtual gateway IPs that abstract physical router selection from hosts
•L3 switches eliminate the scenario: Modern networks use L3 switches as default gateways; inter-VLAN routing doesn't create redirect conditions
•Static routes for special destinations: Critical routes are configured statically in DHCP or host configuration
•Security outweighs convenience: The MITM attack risk is unacceptable for the minor optimization gained
•Modern OS defaults: Linux 4.x+ and hardened Windows disable redirect acceptance by default

Redirect Necessity by Network Era
Era	Typical Topology	Redirect Utility	Security Model
1980s-1990s	Simple LANs, multiple routers via hubs	High - hosts truly needed redirection	Trust-based LANs
2000s	Switched networks, VLANs emerging	Medium - some multi-router LANs existed	Growing security awareness
2010s	L3 at access layer, FHRP common	Low - proper design eliminated need	Zero-trust emerging
2020s+	Software-defined, micro-segmented	None - disabled by default everywhere	Zero-trust assumed

Edge Cases Where Redirects Might Still Apply

IPv6 Redirect Differences

IPv6 also supports Redirect messages, but with somewhat different semantics integrated with Neighbor Discovery Protocol (NDP) rather than standalone ICMP.

IPv4 vs IPv6 Redirect Comparison
Aspect	IPv4 (ICMPv4)	IPv6 (ICMPv6/NDP)
Message Type	Type 5 (standalone ICMP)	Type 137 (part of NDP)
Sent By	Any router	Only the current first-hop router
Validation	Minimal (OS-dependent)	Must come from link-local address of current router
Target Format	IPv4 address only	Target + Destination + optional link-layer address
Security	None (easily spoofed)	Improved (source link-local verification)
SEcure Neighbor Discovery	N/A	SEND can cryptographically protect Redirects

ICMPv6 Redirect (Type 137) Improvements:

Source Address Validation: ICMPv6 Redirect must come from the link-local address of the current first-hop router. Link-local addresses (fe80::/10) are not routable, making remote spoofing impossible.
Target and Destination Fields: ICMPv6 Redirect includes both the target (new next-hop) and the destination being redirected. The target can be the destination itself (for on-link destinations) or another router.
Optional Link-Layer Address: The redirect can include the target's link-layer address, allowing immediate communication without an additional neighbor solicitation.
SEND Compatibility: Secure Neighbor Discovery (SEND, RFC 3971) can cryptographically sign NDP messages including Redirects, providing authentication. However, SEND deployment is rare.

IPv6 Redirect Still Has Risks

Disabling IPv6 Redirects
Linux
1
2
3
4
5
6
7
8
9
10
# Disable ICMPv6 redirect acceptance
sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
 
# Verify
cat /proc/sys/net/ipv6/conf/all/accept_redirects
 
# Make persistent
echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

Practical Scenarios and Troubleshooting

While recommending redirect disabling, network engineers must understand scenarios where redirects might appear and how to troubleshoot related issues.

Scenarios Generating Redirects

•Asymmetric Gateway Configuration: Site A hosts configured with Router 1 as gateway, but optimal path to Site B is via Router 2 on the same subnet
•VPN Gateway on LAN: VPN concentrator on same subnet as default gateway; traffic to VPN destinations gets redirected
•Legacy Dual-Homed Servers: Server with multiple NICs where one NIC's router knows better path via the other NIC's subnet
•Misconfigured VRRP/HSRP: Backup router receiving traffic meant for failed master, redirecting to restored master
•Transit Networks: Core router receiving packets that should bypass it entirely

Troubleshooting Redirect Issues
Diagnostic Commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Capture ICMP Redirects on network
sudo tcpdump -i eth0 'icmp[0]=5' -nn -v
 
# Sample output:
# IP 192.168.1.1 > 192.168.1.100: ICMP redirect 10.0.0.0/8 to host 192.168.1.2
 
# This tells us:
# - Router 192.168.1.1 is sending redirects
# - Traffic for 10.0.0.0/8 should use 192.168.1.2 instead
# - Host 192.168.1.100 received this redirect
 
# Check if host is accepting redirects
sysctl net.ipv4.conf.eth0.accept_redirects
 
# Check routing cache for redirect-learned routes (older kernels)
ip route show cache | grep redirect
 
# Check kernel log for redirect messages
dmesg | grep -i "redirect"
 
# Force redirect expiration by flushing route cache
ip route flush cache
 
# On the router generating redirects - verify interface settings
# Cisco: show ip interface | include redirect
# Linux router: sysctl net.ipv4.conf.eth0.send_redirects
 
# The FIX: Proper solution is usually one of:
# 1. Configure proper default gateway in DHCP
# 2. Add static route for specific destination
# 3. Use OSPF/routing protocol for dynamic updates
# 4. Reconfigure network topology to eliminate the condition

Redirect as a Diagnostic Signal

Summary: Understanding ICMP Redirect

Key Takeaways

•Type 5 = Redirect — Four codes (0-3) covering network, host, and TOS-specific redirections
•Original purpose: Optimize routing when hosts had limited routing knowledge and multiple gateways existed on a LAN
•Trigger condition: Router receives packet on same interface as optimal outbound path, with source/destination on that same subnet
•Security risk is severe: Enables trivial man-in-the-middle attacks via forged redirect messages; attacker can intercept all traffic
•Modern systems disable by default: Linux 4.x+, hardened Windows, and security-conscious networks reject redirects
•IPv6 improves but doesn't solve: ICMPv6 Redirect requires link-local sources, preventing remote attacks but not local ones
•Proper design eliminates need: DHCP, FHRP (VRRP/HSRP), and L3 access layers make redirects unnecessary
•Use as diagnostic signal: Seeing redirects in captures indicates suboptimal network design worth fixing

Page Complete