[conspire] Mischief people attempt on the Internet: ICMP redirects

Rick Moen rick at linuxmafia.com
Sun Feb 13 16:46:08 PST 2022


System log summary on my server, reported to me by Logcheck:

----- Forwarded message from logcheck system account <logcheck at linuxmafia.com> -----

Date: Sun, 13 Feb 2022 16:02:02 -0800
From: logcheck system account <logcheck at linuxmafia.com>
To: root at linuxmafia.com
Subject: linuxmafia.com 2022-02-13 16:02 System Events

System Events
=-=-=-=-=-=-=
Feb 13 15:28:26 linuxmafia kernel: [30038227.588155] Redirect from 160.97.6.88 on eth2 about 0.0.0.0 ignored.
Feb 13 15:28:26 linuxmafia kernel: [30038227.588162]   Advised path = 96.95.217.99 -> 160.97.7.14
Feb 13 15:28:26 linuxmafia kernel: [30038227.688310] Redirect from 160.97.6.88 on eth2 about 0.0.0.0 ignored.
Feb 13 15:28:26 linuxmafia kernel: [30038227.688319]   Advised path = 96.95.217.99 -> 160.97.7.13

----- End forwarded message -----


IP address 160.97.6.88, which is in Italy, asked my server's
Internet-facing ethernet port (eth2) to do an ICMP redirect of _all_
traffic (0.0.0.0) to IP address 160.97.7.14, likewise somewhere in Italy.  
ICMP redirect messages are legitimately used by routers to inform hosts
in their broadcast domains that a better path exists to some specific 
destination. 

Honouring these requests from nobody-in-particular would be a major
security vulnerability.  To quote
https://www.rapid7.com/db/vulnerabilities/linux-icmp-redirect/ :

  By default, many linux systems enable a feature called ICMP
  redirection, where the machine will alter its route table in response to
  an ICMP redirect message from any network device.

  There is a risk that this feature could be used to subvert a host's
  routing table in order to compromise its security (e.g., tricking it
  into sending packets via a specific route where they may be sniffed or
  altered).

My system's reaction was "Are you kidding?  No.  Go away."  This
behaviour can be controlled in /etc/sysctl.conf and/or via firewalling.
https://www.golinuxcloud.com/linux-disable-icmp-redirects/
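Two chores follow from the post: triaging the "Redirect ... ignored" lines Logcheck forwards, and confirming the kernel will keep ignoring them. The script below is an added example (my own, not Rick Moen's code or anything shipped by linuxmafia.com). It assumes the log lines have exactly the two-line kernel format shown above, that the relevant knobs are the standard net.ipv4.conf.<iface>.accept_redirects and send_redirects, and that the audit can be pointed at any directory laid out like /proc/sys/net/ipv4/conf (the test tree it builds is constructed, not captured from a real host).

```shell
#!/bin/sh
# Added example, not from Rick Moen's post: (1) triage kernel "Redirect ... ignored"
# lines of the kind Logcheck forwarded above, and (2) audit the sysctl knobs that
# make the kernel refuse ICMP redirects in the first place.
# Assumptions: the log format is exactly the kernel's, as shown in the post; the
# knob names are the standard net.ipv4.conf.<iface>.{accept,send}_redirects; and
# the audit can be pointed at any directory laid out like /proc/sys/net/ipv4/conf.

# Constructed sample input: the two redirect events from the post's Logcheck report.
SAMPLE_LOG='Feb 13 15:28:26 linuxmafia kernel: [30038227.588155] Redirect from 160.97.6.88 on eth2 about 0.0.0.0 ignored.
Feb 13 15:28:26 linuxmafia kernel: [30038227.588162]   Advised path = 96.95.217.99 -> 160.97.7.14
Feb 13 15:28:26 linuxmafia kernel: [30038227.688310] Redirect from 160.97.6.88 on eth2 about 0.0.0.0 ignored.
Feb 13 15:28:26 linuxmafia kernel: [30038227.688319]   Advised path = 96.95.217.99 -> 160.97.7.13'

# summarize_redirects: kernel log on stdin -> one line per redirect event:
#   <src> <iface> <dest> <old_gw> <new_gw> <flag>
# The kernel logs each event as two lines ("Redirect from ..." then
# "Advised path = old -> new"), so the awk script pairs them. A dest of
# 0.0.0.0 means "route everything via new_gw", flagged DEFAULT-ROUTE.
summarize_redirects() {
    awk '
        /Redirect from .* ignored\.$/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from")  src   = $(i + 1)
                if ($i == "on")    iface = $(i + 1)
                if ($i == "about") dest  = $(i + 1)
            }
            pending = 1
            next
        }
        pending && /Advised path = / {
            for (i = 1; i <= NF; i++)
                if ($i == "=") { oldgw = $(i + 1); newgw = $(i + 3) }
            flag = (dest == "0.0.0.0") ? "DEFAULT-ROUTE" : "host-route"
            print src, iface, dest, oldgw, newgw, flag
            pending = 0
        }
    '
}

# count_by_source: kernel log on stdin -> "<src> <count>" per sending address,
# which is what you want for an abuse report or a firewall block list.
count_by_source() {
    summarize_redirects | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }'
}

# audit_redirect_sysctls [DIR]: walk DIR (default /proc/sys/net/ipv4/conf) and
# print "<iface>/<knob> <value> <verdict>" for accept_redirects and
# send_redirects on every interface. Returns 1 if any knob is not 0, i.e. the
# host would still honour (or emit) redirects on that interface.
audit_redirect_sysctls() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for ifdir in "$dir"/*; do
        [ -d "$ifdir" ] || continue
        for knob in accept_redirects send_redirects; do
            f="$ifdir/$knob"
            [ -r "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" = "0" ]; then verdict=ok; else verdict=WEAK; rc=1; fi
            printf '%s/%s %s %s\n' "$(basename "$ifdir")" "$knob" "$val" "$verdict"
        done
    done
    return "$rc"
}

# suggested_fixes [DIR]: emit the /etc/sysctl.conf lines that would turn every
# WEAK knob found by the audit off (apply with "sysctl -p" after adding them).
suggested_fixes() {
    audit_redirect_sysctls "$1" | awk '$3 == "WEAK" {
        split($1, a, "/"); printf "net.ipv4.conf.%s.%s = 0\n", a[1], a[2]
    }'
}

# Demo on the constructed sample: prints both events, flagged DEFAULT-ROUTE.
printf '%s\n' "$SAMPLE_LOG" | summarize_redirects
```

Feed it a saved Logcheck mail or `journalctl -k` on stdin; with no argument the audit reads the live /proc/sys tree, and `suggested_fixes` prints only the lines you still need in /etc/sysctl.conf. The IPv6 equivalents (net.ipv6.conf.*.accept_redirects) are not covered here and deserve the same treatment. The firewalling alternative the post mentions is to drop inbound ICMP type 5 before the stack ever sees it; with nftables that is a rule of the form `nft add rule inet filter input icmp type redirect drop`, which is belt-and-braces alongside the sysctl, not a replacement for it.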




