Bugtraq mailing list archives

Re: Checkpoint NG3 ICMP Flood

From: Michael Schwartzkopff <misch () multinet de>
Date: Mon, 18 Dec 2006 20:01:29 +0100

Am Montag, 18. Dezember 2006 12:14 schrieb bdmoraes () bol com br:

Dear All,

I have one checkpoint NG3 in my company and verifying in Tracking i have
tousands of events with ICMP type 8 and type 17.

The events has origin in my internal networks, with one problem .. the
Source IP is my PAT address for internal hosts to internet.

Is there any bug of Checkpoint? Anyone already seen this event?

I will go verify with sniffers and other tools, but this IP (Only for PAT)
is no routeable in my internal networks...

Thanks for attention.
Poison


hi,

perhaps related to:
http://www.incidents.org/diary.php?storyid=1949&isc=ae18b977be6828a8c9bf904d72cc5630

Sniffer: depends on what platform you use:
- Solaris: snoop
- everything else: tcpdump

Reading out the MAC adresses of there packets should give a clue in the 
direction where to search further.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

Attachment: _bin
Description:

Current thread:

Checkpoint NG3 ICMP Flood bdmoraes (Dec 18)
- Re: Checkpoint NG3 ICMP Flood Michael Schwartzkopff (Dec 18)
- Re: Checkpoint NG3 ICMP Flood Hugo van der Kooij (Dec 18)