topic Large ICMP Traffic from multiple sources in Network Security

Large ICMP Traffic from multiple sources

mustafa.papdheen — Sun, 10 Mar 2019 12:24:13 GMT

Dear Support,

We have deployed Cisco IPS 4240 device which monitor only our company LAN traffic. Monitoring console shows that there are many internal IPs are contacting DNS servers wherein it shows "large ICMP traffic" as below. Let us know whether any action needs to be taken care on this or is it expected behaviour from CISCO IPS?

Name : Large ICMP Traffic

Source : many Internal IPs

Target : DNS servers running in Windows 2000 OS

Attacker Address	Target Address	Name
10.129.28.10	10.128.45.13	Large ICMP Traffic
10.129.28.10	10.128.45.13	Large ICMP Traffic
10.129.28.53	10.128.45.13	Large ICMP Traffic
10.129.28.53	10.128.45.13	Large ICMP Traffic
10.129.36.11	10.128.45.13	Large ICMP Traffic
10.129.36.11	10.128.45.13	Large ICMP Traffic
10.129.36.11	10.128.45.13	Large ICMP Traffic
10.129.36.11	10.128.45.13	Large ICMP Traffic
10.70.1.13	10.128.45.13	Large ICMP Traffic
10.70.1.13	10.128.45.13	Large ICMP Traffic
10.129.36.11	10.128.45.13	Large ICMP Traffic
10.129.36.11	10.128.45.13	Large ICMP Traffic
10.70.1.13	10.128.45.13	Large ICMP Traffic
10.70.1.13	10.128.45.13	Large ICMP Traffic

Large ICMP Traffic from multiple sources

Dustin Ralich — Wed, 13 Jul 2011 13:30:13 GMT

Based on the information you provided, I assume this is SIG 2151.0 (Large ICMP Traffic) firing, correct?

That particular signature is not enabled by-default (meaning, unless you have manually enabled it, it would not be firing on any traffic). That SIG looks for ICMP packets where the payload is greater-than 1,000 bytes. Back when this signature was first introduced (November, 2000), that was probably a more suspicious condition vs. present day.

By itself, that signature is not looking for a specific threat, so you would need to review a packet capture in a protocol analyzer to determine if the trigger traffic is actually malicious or not.

Large ICMP Traffic from multiple sources

rhermes — Wed, 13 Jul 2011 16:22:39 GMT

If it were a single site I'd suspect ICMP tunnleing, but since the target is a DNS server it might be due to MTU path discovery or F5 load balancers. Like Dustin said, untill you identify teh hosts and get some PCAPs it;s just guesswork

http://www.shmoo.com/mail/firewalls/jan01/msg00052.shtml

http://www.shmoo.com/mail/firewalls/jan01/msg00067.shtml

- Bob

Large ICMP Traffic from multiple sources

mustafa.papdheen — Sat, 16 Jul 2011 06:13:54 GMT

Dear Bob,

Thanks for your response. Could you please let me know more details about MTU?.. As you said, all destination IPs are my company DNS server and not sure why clients are sending ICMP packet to DNS server instead of sending DNS query?

Your details on this issue will be very much required.

Regards

Babu

Large ICMP Traffic from multiple sources

rhermes — Mon, 18 Jul 2011 17:05:15 GMT

While discovering the largest possible Maximum Transmission Unit, your servers may indeed send large packets. This has been particularly noticed as symptom of F5 Load Balancers.

http://en.wikipedia.org/wiki/Path_MTU_Discovery

- Bob