GEN:SID 1:363
Message ICMP IRDP router advertisement
Summary This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
Impact Denial of service.
Detailed Information The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.

An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.

Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
Affected Systems Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Sun Solaris 2.6
Attack Scenarios An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network. If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
Ease of Attack Simple. A proof-of-concept exists.
Corrective Action For vulnerable Windows computers, disable IRDP on the system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).

For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).

Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875

Arachnids:
http://www.whitehats.com/info/IDS174

Bugtraq:
http://www.securityfocus.com/bid/578

RFC:
http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt

Rule References arachnids: 173
bugtraq: 578
cve: 1999-0875