What is an ICMP Redirect message, and why is it relevant to MitM detection?
ICMP Redirect tells a host "use a different gateway for this destination." Routers send it when they detect a suboptimal path — including the path created by an active MitM attacker.
Normal use case:
If your default gateway notices you should use a different router for a specific destination, it sends:
ICMP Type 5 (Redirect): "For traffic to 8.8.8.8, use gateway 192.168.1.2 instead of me"
The host updates its routing table and sends future traffic via the better path.
Why this catches ARP spoofing:
When the attacker poisons the victim, packets flow:
Victim → Attacker → Real Gateway → Internet
The real gateway sees:
"Wait — packets from 192.168.1.42 (victim) are entering my interface from MAC AA:BB:CC (attacker). But the victim is on the same subnet, why is traffic going through this random host?"
It sends an ICMP Redirect back to the victim:
"Hey victim, for your traffic, use the gateway directly — don't route via attacker."
If the victim respects the redirect → MitM defeated.
Why attackers hate ICMP Redirects:
It's an automatic detection mechanism. Some attackers:
- Block outbound ICMP from victim → no redirect arrives
- Modify packets in transit to drop redirects
- Hope the victim's OS ignores redirects (some configs do)
OS handling:
Modern OSes are skeptical of redirects (they've been used in attacks themselves):
# Linux check
sysctl net.ipv4.conf.all.accept_redirects
# 0 = ignore (recommended for servers)
# 1 = accept (default for desktops sometimes)
A concrete example:
When using the ZyXEL router, you see ICMP Redirect packets in Wireshark — this is the router's defense kicking in. Without such a router, no redirects → MitM works fully.
Tip: Filter icmp.type == 5 in Wireshark to see all redirects in a capture. Frequent redirects = either bad routing config OR active MitM.
Go deeper:
ICMP (Wikipedia) — the Type 5 Redirect message and why a router emits it when a host's path looks suboptimal.