Last night I was troubleshooting a strange issue where Apple products
(so far just MacOS and Airports) were losing internet connectivity
sporadically.
Originally I thought it was an IPv6 transition technology causing the
problem, but the customer couldn't even ping their default GW via v4.
To rule out the customer mistyping/giving us wrong information on what
they were seeing, I attempted to verify IP connectivity from my DHCP
server to them. I pinged the IP they had retrieved via DHCP earlier.
What I got back were ICMP redirects interspersed with echo replies from
the customer I was pinging. The redirects were of the form:
"Redirect Host(New nexthop: x.y.z.23)" The nexthop being an IP of the
customer I was troubleshooting. Thinking that was very odd, I set up an
ACL on the vlan serving that subnet to log ICMP redirects. What I found
was one IP x.y.z.56 sending redirects to IPs on my network as well as
several IPs outside my network. As far as I know there is no legitimate
reason for a residential PC or home gateway to send ICMP redirects.
There were also a few dozen other IPs on that subnet sending ICMP
redirects. A majority of them had 68:7f:74 (Cisco-Linksys) OUIs. There
were also some Belkins and one ASUStek OUIs.
The 68:7f:74 source MACs were dispersed amongst many customers, not all
from the same customer, which leads me to believe there is either a
bugged Linksys firmware or an exploited Linksys home gateway causing
trouble.
Has anyone ever seen something like this before?
Is there any reason to see ICMP redirects on a single-homed residential
subnet? I'm considering adding ICMP redirects to my customer edge ACL
unless there is a legitimate purpose for these packets.
Thanks
-ML
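As an added example, not part of the original post: a small Python script that tallies ICMP redirect (type 5) senders from access-list log lines of the kind the logging ACL described above would produce, grouping by sender and vendor OUI and flagging redirects aimed off-subnet. The log lines and their field layout are constructed approximations in the style of IOS "log-input" output (x.y.z replaced by the 192.0.2.0/24 documentation range); adjust the regex for your platform.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of IOS "log-input" ACL logging
# (x.y.z from the post replaced by the 192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.56 (Vlan100 687f.7412.3456) -> 192.0.2.23 (5/1), 3 packets
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.56 (Vlan100 687f.7412.3456) -> 198.51.100.7 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.77 (Vlan100 687f.74ab.cdef) -> 192.0.2.23 (5/1), 2 packets
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.90 (Vlan100 0896.1234.5678) -> 192.0.2.23 (5/1), 1 packet
%SEC-6-IPACCESSLOGDP: list REDIR-LOG permitted icmp 192.0.2.23 (Vlan100 a4b1.9876.5432) -> 192.0.2.56 (0/0), 5 packets
"""

# Assumed field layout: "icmp SRC (IFACE MAC) -> DST (TYPE/CODE), N packet(s)"
LINE_RE = re.compile(
    r"icmp (?P<src>[\d.]+) \(\S+ (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"-> (?P<dst>[\d.]+) \((?P<type>\d+)/\d+\), (?P<n>\d+) packet"
)

def oui(cisco_mac):
    """'687f.7412.3456' -> '68:7f:74' (vendor OUI, first three octets)."""
    digits = cisco_mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def summarize(log_text, subnet="192.0.2.0/24", watch_ouis=("68:7f:74",)):
    """Tally ICMP type 5 (redirect) senders seen in ACL log lines.
    Returns {src_ip: {"packets", "oui", "watched_oui", "off_subnet_targets"}};
    redirects aimed outside the serving subnet are counted separately.
    """
    net = ip_network(subnet)
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["type"] != "5":
            continue  # skip non-matching lines and non-redirect ICMP
        entry = report.setdefault(m["src"], {
            "packets": 0, "oui": oui(m["mac"]),
            "watched_oui": oui(m["mac"]) in watch_ouis,
            "off_subnet_targets": 0,
        })
        entry["packets"] += int(m["n"])
        if ip_address(m["dst"]) not in net:
            entry["off_subnet_targets"] += 1
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```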