ICMP Flooding

jstevensen — Sun, 10 Mar 2019 10:09:04 GMT

I have a 2611xm with IOS/FW 12.4

After enabling IPS, I get the following when I show ip inspect sessions

Session 83E4AD08 (192.168.5.101:8)=>(192.168.240.251:0) icmp SIS_OPEN

Session 83C84EAC (192.168.5.101:8)=>(192.168.240.170:0) icmp SIS_OPEN

Session 83E4C2C8 (192.168.5.101:8)=>(192.168.240.217:0) icmp SIS_OPEN

Session 83E460E8 (192.168.5.101:8)=>(192.168.240.214:0) icmp SIS_OPEN

Session 83E41A38 (192.168.5.101:8)=>(192.168.240.186:0) icmp SIS_OPEN

Session 83E4DB40 (192.168.5.101:8)=>(192.168.241.26:0) icmp SIS_OPEN

Session 83C8E6EC (192.168.5.101:8)=>(192.168.240.155:0) icmp SIS_OPEN

Session 83C86724 (192.168.5.101:8)=>(192.168.240.153:0) icmp SIS_OPEN

Session 83E50C30 (192.168.5.101:8)=>(192.168.240.250:0) icmp SIS_OPEN

Session 83E41780 (192.168.5.101:8)=>(192.168.240.175:0) icmp SIS_OPEN

Session 83C8DC0C (192.168.5.101:8)=>(192.168.240.171:0) icmp SIS_OPEN

Session 83C8E9A4 (192.168.5.101:8)=>(192.168.240.191:0) icmp SIS_OPEN

Session 83E45608 (192.168.5.101:8)=>(192.168.240.187:0) icmp SIS_OPEN

Session 83E47138 (192.168.5.101:8)=>(192.168.241.31:0) icmp SIS_OPEN

Session 83E5FD68 (192.168.5.101:8)=>(192.168.240.164:0) icmp SIS_OPEN

Session 83C81024 (192.168.5.101:8)=>(192.168.241.79:0) icmp SIS_OPEN

Session 83E56528 (192.168.5.101:8)=>(192.168.241.69:0) icmp SIS_OPEN

Session 83E42A88 (192.168.5.101:8)=>(192.168.240.239:0) icmp SIS_OPEN

Session 83C8AB1C (192.168.5.101:8)=>(192.168.240.196:0) icmp SIS_OPEN

Session 83C84BF4 (192.168.5.101:8)=>(192.168.240.192:0) icmp SIS_OPEN

Session 83E5DF80 (192.168.5.101:8)=>(192.168.240.149:0) icmp SIS_OPEN

Session 83E5BEE0 (192.168.5.101:8)=>(192.168.240.139:0) icmp SIS_OPEN

Session 83C88254 (192.168.5.101:8)=>(192.168.240.181:0) icmp SIS_OPEN

Session 83C8DEC4 (192.168.254.161:138)=>(192.168.5.11:138) udp SIS_OPEN

Session 83C8B08C (192.168.5.101:8)=>(192.168.240.213:0) icmp SIS_OPEN

Session 83E4A798 (192.168.5.101:8)=>(192.168.240.209:0) icmp SIS_OPEN

My question is this: Why is it being allowed, and logged, but not prevented?

This machine obviously has a worm on it - but I'd like to at least be able to have the IPS block it till we can get to the machine.

Re: ICMP Flooding

Fernando_Meza — Sat, 05 Aug 2006 20:22:04 GMT

Hi .. check the signatures that relate to icmp floods they might be configured to alert and log only by default ..

I hope it helps .. please rate if it does !!!

Re: ICMP Flooding

jstevensen — Mon, 07 Aug 2006 10:13:11 GMT

What do I check for specifically? I read on Cisco.com that you cant configure with the CLI:

Quote:

Action Configuration via CLI No Longer Supported

Cisco IOS IPS actions (such as resetting the TCP connection) can no longer be configured via CLI. If you are using the attack-drop.sdf signature file, the signatures are preset with actions to mitigate the attack by dropping the packet and resetting the connection, if applicable. If you are using VMS or SDM to deploy signatures to the router, you will need to tune the signatures to use the desired actions before the deployment.

topic Re: ICMP Flooding in Network Security

ICMP Flooding

Re: ICMP Flooding

Re: ICMP Flooding