05-12-2005 02:17 AM - edited 03-09-2019 11:14 AM
Hi,
I have an issue in our network. It was observed that our NMS workstation is generating lots of ICMP request traffic to a remote network. First, we thought it might be associated with the polling. When we analysed it using a network analyser, we found that the intervals between ICMP requests are sub-second (microseconds). Trace attached. We suspect it to be an ICMP request attack. But we did an unsuccessful scan of the NMS PC and found no virus/worms.
I believe many would have come across the current problem I am facing. I need to confirm the type of attack, how to detect and mitigate the same.
Note: 60% of the trace was repetitions, hence deleted.
Thanks,
VJ
05-12-2005 03:42 AM
hi
I would suggest blocking 92-byte ICMP traffic, which is being generated by the Nachi worm.
Also, find the link to mitigate the same:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html
hope this helps...
regds
05-12-2005 05:51 AM
Hi,
Though the URL provided direction, it wasn't matching my scenario. There were no traces of Nimda worm in the system, although the ICMP packets between the same source and destinations were 92 bytes. My intention was to provide a fix at the system level rather than limiting at the router interface.
Thanks
VJ
05-12-2005 11:14 AM
Before you draw the conclusion that it was the NMS workstation that sent a lot of ICMP requests, you may need to run a sniffer directly on it or check its ICMP protocol statistics to make sure it's not the case that another machine spoofed the source IP and/or MAC addresses and was sending out those ICMP packets.
Just my two cents.
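Added example, not part of any post in this thread: one way to run the check suggested above on rows exported from a capture, looking at sub-millisecond gaps, the 92-byte length mentioned earlier, source MACs that differ from the NMS NIC, and the gap between what is on the wire and what the host's own ICMP statistics report. The addresses, the row layout, the `summarize` helper and the sample rows are assumptions constructed for illustration.

```python
from statistics import median

NMS_IP = "192.0.2.10"           # assumed NMS address (documentation range)
NMS_MAC = "00:00:5e:00:53:01"   # assumed MAC of the NMS NIC

# Constructed capture rows: (time_s, src_ip, src_mac, icmp_type, ip_len)
SAMPLE = [
    (0.000000, NMS_IP, NMS_MAC, 8, 92),
    (0.000180, NMS_IP, "00:00:5e:00:53:99", 8, 92),
    (0.000350, NMS_IP, "00:00:5e:00:53:99", 8, 92),
    (0.000520, NMS_IP, "00:00:5e:00:53:99", 8, 92),
    (0.000700, NMS_IP, "00:00:5e:00:53:99", 8, 92),
    (5.000000, NMS_IP, NMS_MAC, 8, 60),
    (5.100000, "192.0.2.77", "00:00:5e:00:53:42", 8, 60),
]

def summarize(rows, nms_ip, nms_mac, host_sent, burst_gap=0.001):
    """Summarise echo requests (ICMP type 8) that claim nms_ip as source.

    host_sent: echo requests the workstation's own ICMP statistics report
    for the same window (read on the host, e.g. from `netstat -s`).
    """
    echo = sorted(r for r in rows if r[1] == nms_ip and r[3] == 8)
    gaps = [b[0] - a[0] for a, b in zip(echo, echo[1:])]
    # Frames carrying the NMS IP but a different MAC point at another sender.
    foreign = sorted({r[2] for r in echo if r[2].lower() != nms_mac.lower()})
    return {
        "echo_requests": len(echo),
        "median_gap_s": median(gaps) if gaps else None,
        "burst_gaps": sum(1 for g in gaps if g < burst_gap),
        "len_92": sum(1 for r in echo if r[4] == 92),
        "foreign_macs": foreign,
        # Requests seen on the wire that the host's counters do not cover.
        "unaccounted": max(len(echo) - host_sent, 0),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, NMS_IP, NMS_MAC, host_sent=2).items():
        print(f"{key}: {value}")
```

A non-empty `foreign_macs` list or a large `unaccounted` value suggests the traffic is not coming from the workstation itself, so the search should move to the switch port that carries the foreign MAC.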
05-13-2005 06:13 AM
Hi,
That's a nice direction. Could you please elaborate on how the source IP can be spoofed to start an attack?
Rgds,
Vj
05-13-2005 07:05 AM
There are lots of security tools that are capable of doing this. For example, the hping tool with "-a" option.
If you want to craft IP packets in your own particular way and inject them into the network, there is a library called libnet.