ICMP Redirect Message from Internal Host

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

ICMP Redirect Message from Internal Host

edit

Identifies ICMP Redirect messages (type 5 for IPv4, type 137 for IPv6) sourced from an internal IPv4 or IPv6 address. Legitimate redirects are normally sent only by on-path routers. A workstation or server emitting redirects can indicate route manipulation for adversary-in-the-middle activity.

Rule type: query

Rule indices:

  • logs-network_traffic.icmp-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Network
  • Tactic: Credential Access
  • Use Case: Threat Detection
  • Use Case: Network Security Monitoring
  • Data Source: Network Traffic
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating ICMP Redirect Message from Internal Host

ICMP Redirect instructs a host to send traffic for a destination through a different next hop. On most enterprise segments, only infrastructure routers should emit redirects; a user workstation or server doing so is a strong adversary-in-the-middle indicator.

Possible investigation steps

  • Identify the redirect source in source.ip and locate the asset on the VLAN. Confirm whether it is an authorized router or gateway.
  • Review the redirect target and affected destination in ICMP fields and adjacent flow records to see which routes or resolvers were being manipulated.
  • Check whether affected clients show DNS, gateway, or VPN routing changes around the alert time.
  • Correlate with DHCP, ARP, or LLMNR/NBT-NS alerts on the same segment for combined MITM activity.

False positive analysis

  • Some legacy network appliances, hypervisor gateways, or misconfigured Linux hosts with IP forwarding enabled may emit redirects. Maintain exceptions for known router and gateway IPs after validation.
  • Lab networks that intentionally test route injection should be scoped out by source subnet.

Response and remediation

  • Isolate the emitting host if it is not an authorized router.
  • Disable ICMP redirect acceptance on affected clients where policy allows, and block redirect-generating hosts at the access layer.
  • Review segment routing, default gateways, and DHCP options for unauthorized changes.

Setup

edit

Setup

This rule requires ICMP transaction telemetry from the Elastic network_traffic integration (network_traffic.icmp data stream). Flow-only exporters that do not record ICMP type/code will not satisfy this rule.

Rule query

edit
data_stream.dataset:network_traffic.icmp
  and (network_traffic.icmp.request.type:(5 or 137) or icmp.request.type:(5 or 137))
  and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FC00::/7" or "FE80::/10")

Framework: MITRE ATT&CKTM