2714 Views · 11 Helpful · 6 Replies

ICMP Network Sweep w/Echo from VPN

snowmizer
Level 1

I am seeing occasional ICMP Network Sweep w/echo events from my IPS module. The attacker IP address is in our VPN range accessing internal servers (domain controller, server running our administration system). I don't think these are problems but I'm not sure.

Why would these be coming from VPN connections and why wouldn't they happen with everyone?

Thanks.

6 Replies

Justin Teixeira
Level 1

Hi Snowmizer,

There is nothing that I know of related to our VPN solutions that would cause the ICMP Network Sweep w/Echo signature to fire. This signature simply means that the attacker IP pinged 5+ other addresses in succession. You might want to check the IP(s) in question to see if they have any type of network management software installed as these are the usual benign triggers for this signature. Otherwise, as the signature suggests, this might be a reconnaissance scan.

-JT
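To make the signature logic above concrete for someone reviewing IPS events, here is an added, stand-alone re-implementation of the "source pinged 5+ distinct addresses in succession" rule run over constructed ICMP echo-request records. It is not Cisco IPS code; the threshold of five distinct destinations comes from the reply above, while the 10-second window, the `EchoRequest` record shape, the sample IP addresses and the `triage()` allowlist (standing in for the event action filter idea discussed later in this thread) are assumptions made for the example.

```python
"""Toy re-implementation of the ICMP Network Sweep w/Echo rule.

Added example, not Cisco IPS code. Records are constructed inline so the
script runs offline; a real deployment would feed it from flow or packet logs.
"""
from collections import defaultdict
from dataclasses import dataclass

SWEEP_THRESHOLD = 5   # distinct destinations, per the reply above ("5+")
WINDOW_SECONDS = 10   # assumed window; the real signature's window is not on the page


@dataclass(frozen=True)
class EchoRequest:
    """One ICMP echo request: timestamp in seconds, source IP, destination IP."""
    ts: float
    src: str
    dst: str


# Constructed sample: one VPN client (10.20.0.15) pings five internal hosts in
# quick succession, a second client (10.20.0.22) pings the same host six times.
# Only the first pattern should fire; repeated pings to one host are not a sweep.
SAMPLE = [
    EchoRequest(0.0, "10.20.0.15", "192.168.1.10"),
    EchoRequest(0.4, "10.20.0.15", "192.168.1.11"),
    EchoRequest(0.9, "10.20.0.15", "192.168.1.12"),
    EchoRequest(1.3, "10.20.0.15", "192.168.1.13"),
    EchoRequest(1.8, "10.20.0.15", "192.168.1.14"),
    EchoRequest(0.0, "10.20.0.22", "192.168.1.10"),
    EchoRequest(1.0, "10.20.0.22", "192.168.1.10"),
    EchoRequest(2.0, "10.20.0.22", "192.168.1.10"),
    EchoRequest(3.0, "10.20.0.22", "192.168.1.10"),
    EchoRequest(4.0, "10.20.0.22", "192.168.1.10"),
    EchoRequest(5.0, "10.20.0.22", "192.168.1.10"),
]


def detect_sweeps(records, threshold=SWEEP_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: sorted destinations} for each source that echoed at least
    `threshold` distinct destinations within any `window`-second span."""
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_src[rec.src].append(rec)

    alerts = {}
    for src, reqs in by_src.items():
        start = 0
        for end in range(len(reqs)):
            # slide the window start forward until it fits within `window`
            while reqs[end].ts - reqs[start].ts > window:
                start += 1
            dsts = {r.dst for r in reqs[start:end + 1]}
            if len(dsts) >= threshold:
                alerts[src] = sorted(dsts)
                break  # one alert per source is enough for this example
    return alerts


def triage(alerts, allowlist=frozenset()):
    """Drop alerts from sources already known to be benign (monitoring hosts,
    a tuned-out VPN client), the same effect an event action filter gives."""
    return {src: dsts for src, dsts in alerts.items() if src not in allowlist}


if __name__ == "__main__":
    for src, dsts in triage(detect_sweeps(SAMPLE)).items():
        print(f"{src} echoed {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

Running it prints the single sweeping source and the five hosts it touched; shrinking the window (for example to one second) makes the same five pings fall outside it and the alert disappears, which is the kind of tuning knob a real signature exposes and the reason the same laptop can fire the signature on one day and not another.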

This appears to only be happening on one laptop in marketing when they are on the VPN so there aren't any network management tools installed on the laptop. It looks like it's always to the same servers. I can see references to port 135 or 445 for the IPs that are the targets.

Could this be part of the problem?

This is a normal pain signature that should be tuned on the IPS using event action filters.

Don't have to worry much about it triggering for LAN or VPN clients

Regards

Farrukh

Thanks for the reply. I'll have to set some event action filters for this. My boss just asked me about it because it only appears to be happening with one person when they're on the VPN. Could be some software on their machine.

If that is the case, I would recommend running Wireshark or something similar to see what is triggering this on the host machine.

Regards

Farrukh

That was the suggestion I gave to our help desk staff. Not sure what came out of it or if it was done. I guess if it continues to happen we'll have to get the machine again and do this.
