07-09-2011 10:33 PM - edited 03-10-2019 05:24 AM
Dear Support,
We have deployed a Cisco IPS 4240 device which monitors only our company LAN traffic. The monitoring console shows that many internal IPs are contacting DNS servers, and it shows "Large ICMP Traffic" as below. Let us know whether any action needs to be taken on this, or is it expected behaviour from the Cisco IPS?
Name : Large ICMP Traffic
Source : many Internal IPs
Target : DNS servers running in Windows 2000 OS
Attacker Address | Target Address | Name |
10.129.28.10 | 10.128.45.13 | Large ICMP Traffic |
10.129.28.10 | 10.128.45.13 | Large ICMP Traffic |
10.129.28.53 | 10.128.45.13 | Large ICMP Traffic |
10.129.28.53 | 10.128.45.13 | Large ICMP Traffic |
10.129.36.11 | 10.128.45.13 | Large ICMP Traffic |
10.129.36.11 | 10.128.45.13 | Large ICMP Traffic |
10.129.36.11 | 10.128.45.13 | Large ICMP Traffic |
10.129.36.11 | 10.128.45.13 | Large ICMP Traffic |
10.70.1.13 | 10.128.45.13 | Large ICMP Traffic |
10.70.1.13 | 10.128.45.13 | Large ICMP Traffic |
10.129.36.11 | 10.128.45.13 | Large ICMP Traffic |
10.129.36.11 | 10.128.45.13 | Large ICMP Traffic |
10.70.1.13 | 10.128.45.13 | Large ICMP Traffic |
10.70.1.13 | 10.128.45.13 | Large ICMP Traffic |
07-13-2011 06:30 AM
Based on the information you provided, I assume this is SIG 2151.0 (Large ICMP Traffic) firing, correct?
That particular signature is not enabled by default (meaning, unless you have manually enabled it, it would not be firing on any traffic). That SIG looks for ICMP packets where the payload is greater than 1,000 bytes. Back when this signature was first introduced (November, 2000), that was probably a more suspicious condition vs. present day.
By itself, that signature is not looking for a specific threat, so you would need to review a packet capture in a protocol analyzer to determine if the trigger traffic is actually malicious or not.
07-13-2011 09:22 AM
If it were a single site I'd suspect ICMP tunneling, but since the target is a DNS server it might be due to MTU path discovery or F5 load balancers. Like Dustin said, until you identify the hosts and get some PCAPs it's just guesswork.
http://www.shmoo.com/mail/firewalls/jan01/msg00052.shtml
http://www.shmoo.com/mail/firewalls/jan01/msg00067.shtml
- Bob
07-15-2011 11:13 PM
Dear Bob,
Thanks for your response. Could you please let me know more details about MTU? As you said, all destination IPs are my company DNS server, and I am not sure why clients are sending ICMP packets to the DNS server instead of sending DNS queries.
Your details on this issue will be very much required.
Regards
Babu
07-18-2011 10:05 AM
While discovering the largest possible Maximum Transmission Unit, your servers may indeed send large packets. This has been particularly noticed as symptom of F5 Load Balancers.
http://en.wikipedia.org/wiki/Path_MTU_Discovery
- Bob
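The two replies above boil down to one triage workflow: reproduce the condition the signature fires on (ICMP payload larger than 1,000 bytes, per Dustin's description) against a capture, then sort the firing flows by whether they look like the Path MTU Discovery traffic Bob mentions or like something that needs a closer look in a protocol analyzer. The script below is an added example written for this thread; it is not Cisco IPS code and not something either poster supplied. It builds a few IPv4/ICMP packets inline (constructed test data, addresses borrowed from the alert list in the first post), parses them with the standard library only, and applies a classification heuristic that is an assumption of this example rather than part of SIG 2151.0: PMTU discovery sends large packets with the Don't-Fragment bit set (RFC 1191), so a large echo request with DF set and a filler payload is treated as consistent with an MTU probe, while a large echo carrying highly varied payload bytes is flagged for review. The function and constant names are all invented for the example.

```python
"""Triage helper for 'Large ICMP Traffic' (SIG 2151.0) style alerts.

Added example for this thread, not Cisco IPS code. The threshold follows the
signature description in the thread; the classification heuristic is an
assumption for illustration, not the signature's own logic.
"""
import socket
import struct
from collections import Counter

LARGE_ICMP_THRESHOLD = 1000   # payload greater than 1,000 bytes, per the thread
ICMP_PROTO = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IP_DF_FLAG = 0x4000           # Don't Fragment bit in the IPv4 flags/fragment field


def build_icmp_packet(src, dst, payload, icmp_type=ICMP_ECHO_REQUEST, df=False):
    """Construct a minimal IPv4+ICMP echo packet (test data; checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    flags_frag = IP_DF_FLAG if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, flags_frag,
                         64, ICMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_packet(raw):
    """Extract the IPv4/ICMP fields the signature check and the heuristic need."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "df": bool(flags_frag & IP_DF_FLAG), "icmp_type": None, "payload": b""}
    if proto == ICMP_PROTO:
        icmp = raw[ihl:total_len]
        info["icmp_type"] = icmp[0]
        info["payload"] = icmp[8:]          # ICMP echo header is 8 bytes
    return info


def sig_2151_fires(info):
    """The condition described in the thread: ICMP with more than 1,000 bytes of payload."""
    return info["proto"] == ICMP_PROTO and len(info["payload"]) > LARGE_ICMP_THRESHOLD


def classify(info):
    """Analyst heuristic (an assumption of this example) for a packet that fired."""
    distinct = len(set(info["payload"]))
    if info["icmp_type"] == ICMP_ECHO_REQUEST and info["df"] and distinct <= 2:
        # Large echo, DF set, filler payload: what an MTU probe looks like (RFC 1191 style).
        return "consistent-with-pmtu-discovery"
    if info["icmp_type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and distinct > 64:
        # Echo payload carrying varied data is the case worth opening in a protocol analyzer.
        return "review-varied-echo-payload"
    return "review-other"


def triage(packets):
    """Return (alert count per src/dst flow, first classification per flow)."""
    counts = Counter()
    verdicts = {}
    for raw in packets:
        info = parse_packet(raw)
        if not sig_2151_fires(info):
            continue
        flow = (info["src"], info["dst"])
        counts[flow] += 1
        verdicts.setdefault(flow, classify(info))
    return counts, verdicts


# Constructed sample traffic, addresses modelled on the alert list in the first post.
SAMPLE_PACKETS = [
    build_icmp_packet("10.129.28.10", "10.128.45.13", b"\x00" * 1472, df=True),
    build_icmp_packet("10.129.28.10", "10.128.45.13", b"\x00" * 1472, df=True),
    build_icmp_packet("10.129.36.11", "10.128.45.13", bytes(range(256)) * 5),
    build_icmp_packet("10.70.1.13", "10.128.45.13", b"\x00" * 56),   # ordinary ping, below threshold
]

if __name__ == "__main__":
    counts, verdicts = triage(SAMPLE_PACKETS)
    for flow, n in counts.items():
        print(f"{flow[0]} -> {flow[1]}: {n} alert(s), {verdicts[flow]}")
```

In practice you would feed `parse_packet` the IPv4 frames from the PCAP the IPS (or a span port) captured rather than the constructed list, and treat the verdict as a sorting aid: a flow that is consistent with PMTU discovery can be checked against the server's or load balancer's MTU settings, while a flow with varied echo payloads is the one to open in the analyzer first.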