Security Basics mailing list archives
RE: ICMP/UDP flood
From: "VonGrebe, Chris" <cvongrebe () Intrado com>
Date: Fri, 7 May 2004 12:18:30 -0600
Bill, The UDP destination port is 53, the DNS port. These look like normal DNS operation to me, your firewall is probably your internal DNS server, and when it can't resolve an address it then queries the upstream DNS server for resolution. -----Original Message----- From: Bill Burgos [mailto:wjburgos () white-bear-productions com] Sent: Wednesday, May 05, 2004 7:59 PM To: security-basics () securityfocus com Subject: ICMP/UDP flood Greetings Security Focus, I recently have been receiving log messages from my router with the following message: 2004-05-02 00:40:03 - ICMP Flood - Source:192.168.X.XX ,0,LAN - Destination:2XX.2XX.XX.X,0,WAN also: 2004-05-06 10:25:27 - UDP Flood - Source:192.168.X.XX ,45544,LAN - Destination:2XX.2XX.XX.X,53,WAN The Source is coming from my firewall box (192.168.X.XX) and the Destination is a DNS server on the Internet (2XX.2XX.XX.X). I have grepped the logs from internal machines and the firewall for the DNS server address with no results. My setup: Internet | Router | --------------- | | Firewall DMZ server (web server) | LAN The Router is a Planex, the firewall is a PC running RedHat 7.2, the DMZ is Debian. The other LAN machines are a combo of Linux and one Windows machine, all behind the firewall. The messages started while I was out of the house and the Windows machine was offline. My questions are: Should I be worried about this? If the flood is coming from the firewall, is it compromised? can I verify it in a log? Any ideas would be a great help. Thanks in advance Bill ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- ICMP/UDP flood Bill Burgos (May 06)
- <Possible follow-ups>
- RE: ICMP/UDP flood VonGrebe, Chris (May 07)