Route table changing application

Hi all, in my security firewall I implemented code to be notified of any changes in the route table using "NotifyRouteChange", i.e., I am monitoring the route table for any change on the PC. If anybody (process/application) changes the route table, NotifyRouteChange notifies me via the Overlapped.hEvent that I registered earlier. It is working fine.

I would like to know which application is changing the route table during my monitoring. Is it possible to find the process/application name that is changing the route table?

Give me some idea on this.

Regards, SRMJothi

Reply to
Jothi
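The post above relies on NotifyRouteChange to learn that the table changed, but not what changed. The following is an added example, not code from the original post or from any product it mentions: a snapshot-and-diff approach that parses the IPv4 section of Windows `route print` output, reports added, removed and modified routes, and flags the two patterns worth a second look (a new host route via a gateway the table never used before, and a changed default gateway). The two snapshots embedded below are constructed for the example, not captured from a real machine; in practice you would run `route print` on each NotifyRouteChange wake-up and feed the text in.

```python
"""
Snapshot-and-diff detector for IPv4 route-table changes (added example).

Assumptions: input is the text `route print` emits on Windows; only the
IPv4 "Active Routes" rows are parsed (destination, netmask, gateway,
interface, metric).  Both snapshots below are constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+({IPV4})\s+(\d+)\s*$")

Route = Tuple[str, str, int]            # (gateway, interface, metric)
Table = Dict[Tuple[str, str], Route]    # keyed by (destination, netmask)

# Constructed snapshot taken "before" the notification fired.
SNAPSHOT_BEFORE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    281
===========================================================================
"""

# Constructed snapshot taken "after": a /32 host route appeared via a gateway
# that was never in the table, and one metric changed.
SNAPSHOT_AFTER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     25
         10.0.0.5  255.255.255.255    192.168.1.254     192.168.1.20     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    291
===========================================================================
"""


def parse_route_print(text: str) -> Table:
    """Keep only rows that look like IPv4 routes; headers, separators and
    the IPv6 section simply fail the regex and are skipped."""
    table: Table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        table[(dest, mask)] = (gateway, iface, int(metric))
    return table


def diff_tables(before: Table, after: Table):
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


def suspicious(before: Table, added: Table, changed) -> List[str]:
    """Two heuristics: a new /32 via a previously unknown gateway (the shape
    an ICMP redirect leaves behind), and a rewritten default gateway."""
    known_gateways = {gw for gw, _, _ in before.values() if gw != "On-link"}
    findings = []
    for (dest, mask), (gateway, _, _) in added.items():
        if mask == "255.255.255.255" and gateway not in known_gateways:
            findings.append(f"new host route {dest} via unknown gateway {gateway}")
    default = ("0.0.0.0", "0.0.0.0")
    if default in changed:
        old, new = changed[default]
        findings.append(f"default gateway changed {old[0]} -> {new[0]}")
    return findings


def check(before_text: str, after_text: str):
    """Parse both snapshots and return (added, removed, changed, findings)."""
    before = parse_route_print(before_text)
    after = parse_route_print(after_text)
    added, removed, changed = diff_tables(before, after)
    return added, removed, changed, suspicious(before, added, changed)


if __name__ == "__main__":
    added, removed, changed, findings = check(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
    for f in findings:
        print("ALERT:", f)
```

This tells you which route changed and when, which narrows the search for the responsible process considerably even though the route table itself carries no owner field.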

Routes are always updated / changed by the OS, unless you implicitly disabled ICMP redirects in the OS. How extensive is your route table / routing environment that you need to stare at that?

Reply to
Munpe Q

That's great. Now, would you like to give people a hint what equipment this might be applicable to? A PC? Some router? How about what _operating system_ this might be using?

You might start by examining what applications you have running. The only application that should be changing the routing table is a routing management application, such as 'routed' or 'gated' in *nix, based on Internet routing protocols. Do a search in your textbook for such acronyms as 'BGP', 'EGP', 'RIP' and 'OSPF'.

Old guy

Reply to
Moe Trin

Most sane operating systems have ignored ICMP type 5 for years, as it is a security problem. A blackhat can send such packets and redirect your host to wherever they wish. When the (US) National Security Agency (nsa.gov) had a page with "recommended" firewall rules, that was a paraphrase of page 89 of the Cisco Security Guide.

deny icmp any any echo
deny icmp any any redirect
deny icmp any any mask-request
permit icmp any (allow pings where needed obviously)

Translated, that is block Type 8, 5, 17. I disagree, suggesting that you allow 0, 3, 4 and 11 INBOUND, 3, 4, and 8 OUTBOUND, while denying _ALL_ else. Some may consider type 4 (Source Quench) as undesirable (possible DoS). YMMV (ICMP type 3 code 4 is necessary to support Path MTU. See RFC 2923)

Old guy

Reply to
Moe Trin
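The two ICMP policies in the post above (the quoted Cisco-style list and the stricter inbound/outbound allow-lists) differ in more than the redirect case. The block below is an added example, not code from the post: it parses the ICMP type and code out of a raw IPv4 packet and evaluates both policies side by side, so the differences (echo request, timestamp request, and the type 3 code 4 "fragmentation needed" message that Path MTU discovery depends on) are visible on concrete packets. The packets are constructed inline with `build_icmp`, a helper written for this example; checksums are left at zero because the classifier never validates them.

```python
"""
Stateless ICMP filter comparing two policies from the thread (added example).

  "post"  policy: allow inbound types 0, 3, 4, 11; outbound types 3, 4, 8;
                  deny everything else (so type 5 redirect is never allowed).
  "cisco" policy: the quoted list: deny types 8, 5, 17; permit all other ICMP.

Packets are built here with a zero checksum; the classifier only reads the
IPv4 protocol field and the ICMP type/code, so it never validates checksums.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ICMP_PROTO = 1

POST_POLICY = {"in": {0, 3, 4, 11}, "out": {3, 4, 8}}
CISCO_DENY = {8, 5, 17}


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


def inet(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_icmp(src: str, dst: str, icmp_type: int, icmp_code: int,
               payload: bytes = b"") -> bytes:
    """Constructed IPv4+ICMP frame for the example (checksums left zero)."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     ICMP_PROTO, 0, inet(src), inet(dst))
    return ip + icmp


def parse_ipv4_icmp(raw: bytes) -> Optional[IcmpPacket]:
    """Return the ICMP header fields, or None if this is not IPv4 ICMP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4            # header length honours IP options
    if ihl < 20 or len(raw) < ihl + 4 or raw[9] != ICMP_PROTO:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    return IcmpPacket(src, dst, raw[ihl], raw[ihl + 1])


def decide(raw: bytes, direction: str) -> Optional[Dict[str, bool]]:
    """Evaluate both policies; True means the packet is permitted."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    pkt = parse_ipv4_icmp(raw)
    if pkt is None:
        return None                        # not ICMP: out of scope here
    return {
        "post": pkt.icmp_type in POST_POLICY[direction],
        "cisco": pkt.icmp_type not in CISCO_DENY,
    }


# Constructed sample traffic: (label, packet, direction)
SAMPLES = [
    ("redirect (5/1) inbound",        build_icmp("203.0.113.9", "192.168.1.20", 5, 1), "in"),
    ("echo reply (0/0) inbound",      build_icmp("203.0.113.9", "192.168.1.20", 0, 0), "in"),
    ("echo request (8/0) inbound",    build_icmp("203.0.113.9", "192.168.1.20", 8, 0), "in"),
    ("echo request (8/0) outbound",   build_icmp("192.168.1.20", "203.0.113.9", 8, 0), "out"),
    ("frag needed (3/4) inbound",     build_icmp("203.0.113.9", "192.168.1.20", 3, 4), "in"),
    ("timestamp req (13/0) inbound",  build_icmp("203.0.113.9", "192.168.1.20", 13, 0), "in"),
]


def run_samples() -> Dict[str, Dict[str, bool]]:
    return {label: decide(raw, direction) for label, raw, direction in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:32} post={verdict['post']!s:5} cisco={verdict['cisco']!s:5}")
```

Note the two rows where the policies disagree: the stricter list drops an inbound timestamp request that the Cisco-style list lets through, while both permit the type 3 code 4 message, which is the one you cannot block without breaking Path MTU discovery.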

Assuming the monkey is operating a windoze machine and not an open sores os, ICMP redirect has to be turned off.

Reply to
Munpe Q
