447 Views | 0 Helpful | 5 Replies

ICMP Requests Attack.

v.ram
Level 1

Hi,

I have an issue in our network. It was observed that our NMS workstation was generating lots of ICMP request traffic to a remote network. First, we thought it might be associated with the polling. When we analysed it using a Network Analyser, we found the interval between ICMP requests is sub-second (microseconds). Trace attached. We suspect it to be an ICMP Requests attack. But we did an unsuccessful scan of the NMS PC and found no virus/worms.

I believe many would have come across the current problem I am facing. I need to confirm the type of attack, how to detect and mitigate the same.

Note: 60% of the trace were repetitions, hence deleted.

Thanks,

VJ

5 Replies

spremkumar
Level 9

hi

I would suggest blocking the 92-byte ICMP traffic which is being generated by the Nachi worm.

also find the link to mitigate the same..

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html

hope this helps...

regds

Hi,

Though the URL provided direction, it wasn't matching my scenario. There were no traces of the Nimda worm in the system, although the ICMP packets between the same source and destinations were 92 bytes. My intention was to provide a fix at the system level rather than limiting at the router interface.

Thanks

VJ

techanony
Level 1

Before you draw the conclusion that it was the NMS workstation that sent a lot of ICMP requests, you may need to run a sniffer directly on it or check its ICMP protocol statistics to make sure it's not the case that other machine spoofed source IP and/or MAC addresses and were sending out those ICMP packets.

Just my two cents.
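The two checks raised so far in this thread, sub-second 92-byte echo requests from one source and the possibility that another machine is forging the NMS's source address, can both be run over an exported trace. The following is an added example written for this thread, not code from the original poster or from Cisco; the trace it analyses is constructed inline (the host addresses, MACs, timings and the 0.01 s / 10-packet thresholds are assumptions for the example, not values from the attached trace).

```python
"""Detection helpers for the ICMP echo-request flood scenario in the thread.

Input is a list of Frame records of the kind a packet analyser exports
(timestamp, source MAC, source IP, destination IP, protocol, ICMP type,
wire length).  The sample trace is constructed here for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Frame:
    ts: float            # capture timestamp, seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str           # "icmp", "tcp", "udp"
    icmp_type: Optional[int]
    length: int          # frame length on the wire, bytes


def build_sample_trace():
    """Constructed trace (assumed values): a host with the NMS address sends
    92-byte echo requests to a remote /24 at 500 microsecond intervals; the
    last ten of them come from a different MAC claiming the same source IP
    (the spoofing case raised above); normal polling is mixed in."""
    nms_ip, nms_mac = "10.1.1.10", "00:11:22:33:44:55"
    other_mac = "00:aa:bb:cc:dd:ee"
    frames = []
    t = 0.0
    for i in range(1, 41):
        mac = nms_mac if i <= 30 else other_mac
        frames.append(Frame(t, mac, nms_ip, f"192.168.50.{i}", "icmp",
                            ICMP_ECHO_REQUEST, 92))
        t += 0.0005
    # ordinary SNMP poll from the real NMS, 30 seconds later
    frames.append(Frame(30.0, nms_mac, nms_ip, "10.1.2.7", "udp", None, 110))
    # a legitimate ping from an admin workstation, one packet per second
    for k in range(3):
        frames.append(Frame(60.0 + k, "00:de:ad:be:ef:01", "10.1.1.50",
                            "10.1.2.7", "icmp", ICMP_ECHO_REQUEST, 74))
    return frames


def find_echo_bursts(frames, suspicious_len=92, max_median_interval=0.01,
                     min_packets=10):
    """Per source IP, statistics for echo-request senders whose median
    inter-packet gap is below max_median_interval seconds.  The fraction of
    frames at suspicious_len tells you whether the 92-byte pattern holds."""
    by_src = defaultdict(list)
    for f in frames:
        if f.proto == "icmp" and f.icmp_type == ICMP_ECHO_REQUEST:
            by_src[f.src_ip].append(f)
    findings = {}
    for src, fs in by_src.items():
        if len(fs) < min_packets:
            continue
        fs.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        med = median(gaps)
        if med > max_median_interval:
            continue
        findings[src] = {
            "packets": len(fs),
            "median_interval_s": med,
            "distinct_targets": len({f.dst_ip for f in fs}),
            "fraction_len_match": sum(f.length == suspicious_len for f in fs) / len(fs),
        }
    return findings


def find_ip_mac_conflicts(frames):
    """Source IPs seen with more than one source MAC on the same segment:
    either the host changed NICs or another machine is sending with that
    source IP.  Check this before blaming the NMS itself."""
    macs = defaultdict(set)
    for f in frames:
        macs[f.src_ip].add(f.src_mac)
    return {ip: sorted(ms) for ip, ms in macs.items() if len(ms) > 1}


def analyze(frames):
    return {"bursts": find_echo_bursts(frames),
            "spoof_suspects": find_ip_mac_conflicts(frames)}


if __name__ == "__main__":
    report = analyze(build_sample_trace())
    for ip, stats in report["bursts"].items():
        print(f"burst from {ip}: {stats}")
    for ip, macs in report["spoof_suspects"].items():
        print(f"{ip} seen with several source MACs: {macs}")
```

Run against a real export, the burst report tells you whether one source is sweeping many targets at microsecond spacing with a fixed frame size, and the MAC conflict report tells you whether every one of those frames actually came from the NMS's own interface; a sniffer on the NMS itself (as suggested above) settles the remaining doubt.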

Hi,

That's a nice direction. Could you please elaborate how the source IP can be spoofed to start an attack?

Rgds,

Vj

There are lots of security tools that are capable of doing this. For example, the hping tool with "-a" option.

If you want to craft ip packets in your own particular way and inject them into the network, there is a library called libnet.
