First, they are not Ethernet addresses; they are IP addresses, written in
hex. Here's the secret decoder ring (this seems to resurface every 6 months
or so, BTW):
C0C809BF
becomes C0 C8 09 BF
becomes 192.200.009.191
With this as a template, you should be able to translate the other two for
yourself.
With no real info about your LAN setup (especially, what host, if any, uses
IP address 192.200.9.50) or the routing table on boswell, I can't offer any
good guesses as to why you are getting redirects.
Other discussion currently on this list seems to reflect the suspicion that
they are associated with a MS-SQL exploit of some sort (does your OSX
server run MS-SQL, perchance? does a Mac-OSX version of MS-SQL even
exist?), but I've not seen it myself, nor have I seen any clear explanation
of why this exploit might be using icmp redirects (they *can* be used for
man-in-the-middle attacks by changing the routing of packets from routers
that are willing to act on them, but the one example we've actually seen of
an icmp packet from a server known to be running MS-SQL was destination
unreachable, not redirect).
Some other things to consider are ...
- though you say "no firewall rules, etc.", I infer from the
  "(incorrectly addressed) internal network" comment that the system does NAT
  the LAN.
- am I correct in inferring that eth0 is your LAN interface?
At 04:15 PM 10/15/02 -0500, [EMAIL PROTECTED] wrote:
>Hi. I'm running Oxygen here as a dns (dnscache, tinydns) and dhcp server
>-- no firewall rules, etc...
>
>Today we started getting icmp redirect messages from one machine back to
>the oxygen machine. I stuck a log command in using ipchains and this is
>what I get:
>
>Oct 15 16:06:19 boswell kernel: Packet log: input ACCEPT eth0 PROTO=1
>192.200.9.191:5 192.200.9.111:1 L=56 S=0x00 I=52446 F=0x0000 T=255 (#1)
>Oct 15 16:06:19 boswell kernel: Redirect from C0C809BF/eth0 to C0C80932
>ignored.Path = C0C8096F -> C0C80932, tos 00
>
>I understand the icmp redirect, but not the addresses in the second line
>(C0C809BF, C0C80932, C0C8096F). These don't look like ethernet addresses.
>Can anyone help?
>
>Also, what would be causing the redirects?
>
>FYI:
>
>1. Yes, 192.200.9.0/24 is our (incorrectly addressed) internal network due
>to an accident of history.
>
>2. 192.200.9.191 is a Mac OSX server (the old rhapsody version) machine
>running a taxi-dispatching server process.
>
>3. 192.200.9.111 (boswell) is the Oxygen machine.
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
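The hex-to-dotted-quad decoding described in the reply, carried through for the whole ipchains "Redirect ... ignored" line rather than one address at a time. This is an added example, not code from either poster; the sample line is constructed from the two wrapped log lines quoted above, and the regex is an assumption about the fixed wording of that kernel message.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the ipchains kernel message quoted in the thread,
# re-joined onto one line (it was wrapped in the mail).
SAMPLE_LINE = ("Oct 15 16:06:19 boswell kernel: Redirect from C0C809BF/eth0 "
               "to C0C80932 ignored.Path = C0C8096F -> C0C80932, tos 00")

# Assumed message layout: gateway/iface, proposed gateway, src -> dst, tos.
REDIRECT_RE = re.compile(
    r"Redirect from (?P<gw>[0-9A-Fa-f]{8})/(?P<dev>\S+) to (?P<newgw>[0-9A-Fa-f]{8}) "
    r"ignored\.Path = (?P<src>[0-9A-Fa-f]{8}) -> (?P<dst>[0-9A-Fa-f]{8}),"
    r" tos (?P<tos>[0-9A-Fa-f]{2})"
)


def hex_to_dotted(word: str) -> str:
    """Decode an 8-hex-digit IPv4 address: C0 C8 09 BF -> 192.200.9.191.

    The first byte of the word is the first octet, which is exactly the
    'secret decoder ring' from the reply.
    """
    if len(word) != 8 or any(c not in "0123456789abcdefABCDEF" for c in word):
        raise ValueError(f"expected 8 hex digits, got {word!r}")
    return str(IPv4Address(int(word, 16)))


def parse_redirect(line: str) -> dict:
    """Pull every address out of the redirect log line as dotted quads."""
    m = REDIRECT_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains ICMP-redirect log line")
    return {
        "redirect_from": hex_to_dotted(m["gw"]),   # host that sent the redirect
        "interface": m["dev"],
        "new_gateway": hex_to_dotted(m["newgw"]),  # gateway it wants used instead
        "path_src": hex_to_dotted(m["src"]),       # source of the triggering packet
        "path_dst": hex_to_dotted(m["dst"]),       # destination of that packet
        "tos": int(m["tos"], 16),
    }


if __name__ == "__main__":
    for key, value in parse_redirect(SAMPLE_LINE).items():
        print(f"{key:14} {value}")
```

Decoded, the quoted line says 192.200.9.191 told boswell (192.200.9.111) to reach 192.200.9.50 via 192.200.9.50 itself, which is why the reply asks what host, if any, holds that address.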
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html