RE: [ISSForum] ICMP_Flood from echo replies
I've thought about this a bit more, and I think that it is
unlikely that the router is corrupting packets. If the
router corrupted the type field of the icmp echo reply
traffic, the checksum would be incorrect, and the sensor
would ignore the traffic.
A more likely scenario is that a router, most likely the
default gateway configured for the system initiating the
scan, knows of a better route for the destination subnet.
As such, the router will send an ICMP Redirect message to
the initiator of the scan, potentially for each packet,
to alert the system of the alternate route.
If the scan causes the router to produce more than 100
redirect messages within a 1 second interval, it will
meet the criteria for the ICMP_Flood signature.
From: Langseth, Jacob (ISSAtlanta)
Sent: Thursday, September 25, 2003 19:35
To: 'Lewis, Eric'; issforum@xxxxxxx
Subject: RE: [ISSForum] ICMP_Flood from echo replies
By your reference to the coalescer, I assume that you are running a v7.0 network sensor.
In version 7.0, the ICMP_Flood signature will only trigger if > 100 non-echo-request
and non-echo-reply icmp packets have targeted a single host within a 1 second
interval. The ICMP_Flood signature should not trigger from a ping sweep, regardless
of the amount of traffic involved.
From the description of your problem, I would hazard the guess that the problematic
router interface may be corrupting the icmp type field of the echo reply packets.
This would certainly explain the behavior that you describe.
If it is possible, please execute an nmap ping sweep such that the traffic passes
through the problematic router interface, and make a packet capture of the icmp
If you are able to provide a capture, send it to me and I will attempt to improve upon
my diagnosis. If you are unable to disclose the capture, please take a look at the
traffic using a tool such as ethereal, and filter out all packets which do not have an
icmp type field of either 0 or 8 (icmp type 0 is an echo reply, icmp type 8 is an echo
request). If the router is corrupting the icmp type field of the response packets, the
corrupted packets should be visible in the filtered view of the capture.
Hope this helps,
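The two points made above, that echo requests and replies never count toward the v7.0 ICMP_Flood threshold while a burst of other ICMP types (such as redirects) to one host does, and that a corrupted type byte would break the ICMP checksum, as an added worked example; this is constructed illustration code, not the ISS sensor's logic or anything posted in the thread, and it assumes fixed one-second buckets and made-up addresses.

```python
import struct
from collections import defaultdict

# Constructed example; ICMP type values are the standard ones named in the thread.
ECHO_REPLY, ECHO_REQUEST, REDIRECT = 0, 8, 5

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header plus payload (0 for a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (computed with the field zeroed)."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload

def checksum_ok(pkt: bytes) -> bool:
    """A sensor would drop a packet whose checksum no longer verifies."""
    return icmp_checksum(pkt) == 0

def icmp_flood_alerts(packets, threshold: int = 100, window: float = 1.0):
    """packets: (timestamp, src, dst, icmp_type). Returns (dst, bucket, count) for every
    destination that received more than `threshold` non-echo ICMP packets in one bucket.
    Simplification: fixed buckets of `window` seconds rather than a sliding interval."""
    buckets = defaultdict(int)
    for ts, _src, dst, icmp_type in packets:
        if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
            continue  # ping sweep traffic never counts toward ICMP_Flood
        buckets[(dst, int(ts // window))] += 1
    return [(dst, b, n) for (dst, b), n in sorted(buckets.items()) if n > threshold]

def sample_traffic():
    """Constructed traffic: scanner 10.0.0.50 sweeps 150 hosts and gets 150 echo replies,
    while gateway 10.0.0.1 answers with 120 ICMP redirects inside the same second."""
    pkts = []
    for i in range(150):
        t, host = 10.0 + i * 0.005, f"10.0.1.{i % 254 + 1}"
        pkts.append((t, "10.0.0.50", host, ECHO_REQUEST))
        pkts.append((t + 0.001, host, "10.0.0.50", ECHO_REPLY))
    for i in range(120):
        pkts.append((10.0 + i * 0.005, "10.0.0.1", "10.0.0.50", REDIRECT))
    return pkts
```

Removing the redirect packets from the sample leaves only the sweep, and the detector then stays silent however many replies arrive.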
From: Lewis, Eric [mailto:Eric.Lewis@xxxxxxxxxxx]
Sent: Thursday, September 25, 2003 10:41
Subject: [ISSForum] ICMP_Flood from echo replies
We have a machine set up on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or never seen, it performs a Nessus and ISS scan on that machine, then emails the results. Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies (Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building, only one gives us trouble. Most, but not all, are with a source of 0.0.0.0, which I'm assuming is the usual problem/issue with coalesced source addresses seen in ISS.
I really don't want to filter all ICMP traffic to this scanning machine so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?
Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH
Network Security Officer