Well you have heard of arp poisoning and dns cache poisoning,this attack is quite similar but require alot of knowledge to perform it correctly.
So what we will do, we use icmp redirect host packet to add a fake routing entry in victim machine to do MITM(Man In The Middle) or DOS(Denial Of service) or DNS Poisoning.Yes that's the beauty, all three can be done using this attack.
Redirect requests data packets be sent on an alternative route. ICMP Redirect is a mechanism for routers to convey routing information to hosts. The message informs a host to update its routing information (to send packets on an alternative route). If a host tries to send data through a router (R1) and R1 sends the data on another router (R2) and a direct path from the host to R2 is available (that is, the host and R2 are on the same Ethernet segment), then R1 will send a redirect message to inform the host that the best route for the destination is via R2. The host should then send packets for the destination directly to R2.
The routing table poisoning would most likely be employed in a network penetration testing scenario whereby extensive layer 2 security features are enabled limiting the effectiveness of layer 2 attacks such as ARP cache poisoning and rogue DHCP server attack.
Step1: Craft icmp redirect packet usign scapy
|Craft ICMP Host Redirect Packet|
Step2: Result:Let have a look at victims routing table:
|Poisoned Routing Table of Victim|
As you can see we have successfully poisoned routing table of victim for '184.108.40.206' and '10.1.1.1' without making any noise.So now victim will contact attacker in order to contact '220.127.116.11' because according to its poisoned routing table attacker have shortest path to '18.104.22.168'.