Large ICMP Traffic from multiple sources

Dear Support,

We have deployed a Cisco IPS 4240 device which monitors only our company LAN traffic. The monitoring console shows that many internal IPs are contacting DNS servers, and it reports "large ICMP traffic" as below. Let us know whether any action needs to be taken on this, or whether it is expected behaviour from the Cisco IPS?

Name : Large ICMP Traffic

Source : many Internal IPs

Target : DNS servers running in Windows 2000 OS

Attacker Address   Target Address   Name
10.129.28.10       10.128.45.13     Large ICMP Traffic
10.129.28.10       10.128.45.13     Large ICMP Traffic
10.129.28.53       10.128.45.13     Large ICMP Traffic
10.129.28.53       10.128.45.13     Large ICMP Traffic
10.129.36.11       10.128.45.13     Large ICMP Traffic
10.129.36.11       10.128.45.13     Large ICMP Traffic
10.129.36.11       10.128.45.13     Large ICMP Traffic
10.129.36.11       10.128.45.13     Large ICMP Traffic
10.70.1.13         10.128.45.13     Large ICMP Traffic
10.70.1.13         10.128.45.13     Large ICMP Traffic
10.129.36.11       10.128.45.13     Large ICMP Traffic
10.129.36.11       10.128.45.13     Large ICMP Traffic
10.70.1.13         10.128.45.13     Large ICMP Traffic
10.70.1.13         10.128.45.13     Large ICMP Traffic

Dustin Ralich
Cisco Employee

Based on the information you provided, I assume this is SIG 2151.0 (Large ICMP Traffic) firing, correct?

That particular signature is not enabled by default (meaning, unless you have manually enabled it, it would not be firing on any traffic). That SIG looks for ICMP packets where the payload is greater than 1,000 bytes. Back when this signature was first introduced (November 2000), that was probably a more suspicious condition vs. present day.

By itself, that signature is not looking for a specific threat, so you would need to review a packet capture in a protocol analyzer to determine if the trigger traffic is actually malicious or not.

rhermes
Level 7

If it were a single site I'd suspect ICMP tunneling, but since the target is a DNS server it might be due to MTU path discovery or F5 load balancers. Like Dustin said, until you identify the hosts and get some PCAPs it's just guesswork.

http://www.shmoo.com/mail/firewalls/jan01/msg00052.shtml

http://www.shmoo.com/mail/firewalls/jan01/msg00067.shtml

- Bob

Dear Bob,

Thanks for your response. Could you please let me know more details about MTU? As you said, all destination IPs are my company DNS servers, and I am not sure why clients are sending ICMP packets to the DNS server instead of sending DNS queries?

Your details on this issue will be very much required.

Regards

Babu

While discovering the largest possible Maximum Transmission Unit, your servers may indeed send large packets. This has been particularly noticed as a symptom of F5 Load Balancers.

http://en.wikipedia.org/wiki/Path_MTU_Discovery

- Bob
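The two points raised in this thread, that SIG 2151.0 simply flags ICMP packets with a payload over 1,000 bytes (Dustin's reply) and that path MTU discovery is one benign source of such packets (Bob's replies), can be checked against a capture with a small triage script. The following is an added example, not code from the thread or from Cisco: it builds a few constructed IPv4/ICMP packets using the addresses from the console listing, applies the 1,000-byte payload condition the signature is described as using, and labels each hit with a hypothesis (echo request with the DF bit set is consistent with an MTU probe; anything else is left for review in a protocol analyzer). The packet builder, the classification heuristics and the sample traffic are all assumptions made for the example; on real data you would feed it the raw IPv4 frames from the PCAP instead of SAMPLE_PACKETS.

```python
import socket
import struct
from collections import Counter

# Threshold from the thread: SIG 2151.0 fires on ICMP payloads over 1,000 bytes.
LARGE_ICMP_THRESHOLD = 1000

ICMP_TYPE_NAMES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request"}


def build_ipv4_icmp(src, dst, icmp_type, icmp_code, payload, df=False):
    """Construct a minimal IPv4+ICMP packet for offline testing (checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0) + payload
    flags_frag = 0x4000 if df else 0  # DF is bit 14 of the flags/fragment-offset field
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, flags_frag,
                         64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt):
    """Return the fields the triage needs, or None if the packet is not IPv4/ICMP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    icmp = pkt[ihl:total_len]
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "type": icmp[0],
        "code": icmp[1],
        "df": df,
        "payload_len": len(icmp) - 8,  # 8-byte ICMP header for echo and unreachable
    }


def classify(info):
    """Hypothetical reason for a large ICMP packet; the PCAP review still decides."""
    name = ICMP_TYPE_NAMES.get(info["type"], f"type-{info['type']}")
    if info["type"] == 8 and info["df"]:
        return f"{name}: large probe with DF set, consistent with path MTU discovery"
    if info["type"] in (0, 8):
        return f"{name}: large ping payload, review in a protocol analyzer"
    return f"{name}: unexpected large ICMP, review in a protocol analyzer"


def triage(packets, threshold=LARGE_ICMP_THRESHOLD):
    """Flag ICMP packets whose payload exceeds the threshold, as the SIG is described to."""
    alerts = []
    for pkt in packets:
        info = parse_ipv4_icmp(pkt)
        if info is None or info["payload_len"] <= threshold:
            continue
        info["reason"] = classify(info)
        alerts.append(info)
    return alerts


def summarize(alerts):
    """Count alerts per (attacker, target) pair, like the IPS console listing."""
    return Counter((a["src"], a["dst"]) for a in alerts)


# Constructed sample traffic (hypothetical; not a capture from the thread).
DNS_SERVER = "10.128.45.13"
SAMPLE_PACKETS = [
    build_ipv4_icmp("10.129.28.10", DNS_SERVER, 8, 0, b"\x00" * 1472, df=True),  # MTU probe
    build_ipv4_icmp(DNS_SERVER, "10.129.28.10", 0, 0, b"\x00" * 1472),           # its reply
    build_ipv4_icmp("10.129.28.53", DNS_SERVER, 8, 0, b"\x00" * 1400),           # big ping
    build_ipv4_icmp("10.70.1.13", DNS_SERVER, 8, 0, b"\x00" * 56),               # normal ping
    build_ipv4_icmp("10.70.1.1", "10.129.28.10", 3, 4, b"\x00" * 28),            # frag-needed
]

if __name__ == "__main__":
    found = triage(SAMPLE_PACKETS)
    for a in found:
        print(f"{a['src']} -> {a['dst']} payload={a['payload_len']}B  {a['reason']}")
    print(summarize(found))
```

The point of the per-pair summary is that it reproduces what the console already shows; the extra value is in the reason column, which separates DF-set probes (the path MTU discovery case Bob describes) from large echo payloads that still need a look in the analyzer, as Dustin recommends.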
