Showing results for 
Search instead for 
Did you mean: 


Large ICMP Traffic from multiple sources

Dear Support,

We have deployed Cisco IPS 4240 device which monitor only our company LAN traffic. Monitoring console shows that there are many internal IPs are contacting DNS servers wherein it shows "large ICMP traffic" as below. Let us know whether any action needs to be taken care on this or is it expected behaviour from CISCO IPS?

Name : Large ICMP Traffic

Source : many Internal IPs

Target : DNS servers running in Windows 2000 OS

Attacker AddressTarget AddressName ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic ICMP Traffic
Dustin Ralich
Cisco Employee

Based on the information you provided, I assume this is SIG 2151.0 (Large ICMP Traffic) firing, correct?

That particular signature is not enabled by-default (meaning, unless you have manually enabled it, it would not be firing on any traffic). That SIG looks for ICMP packets where the payload is greater-than 1,000 bytes. Back when this signature was first introduced (November, 2000), that was probably a more suspicious condition vs. present day.

By itself, that signature is not looking for a specific threat, so you would need to review a packet capture in a protocol analyzer to determine if the trigger traffic is actually malicious or not.

Rising star

If it were a single site I'd suspect ICMP tunnleing, but since the target is a DNS server it might be due to MTU path discovery or F5 load balancers. Like Dustin said, untill you identify teh hosts and get some PCAPs it;s just guesswork

- Bob

Dear Bob,

Thanks for your response. Could you please let me know more details about MTU?.. As you said, all destination IPs are my company DNS server and not sure why clients are sending ICMP packet to DNS server instead of sending DNS query?

Your details on this issue will be very much required.



While discovering the largest possible Maximum Transmission Unit, your servers may indeed send large packets. This has been particularly noticed as symptom of F5 Load Balancers.

- Bob

Recognize Your Peers
Content for Community-Ad