Re: Huge outgoing ICMP flows

[Bryan Andersen <bryan () visi com>]

Chris Ess wrote:
> >  Hi.
> >
> >  Over the last few days, our outgoing traffic has increased tremendously.
> > On examination of our Netflow logs, a couple of our hosts seem to be
> > transmitting big amounts of data with source and destination port 0 to a
> > small number of external hosts.

> ICMP doesn't use ports.  It instead uses types and codes.  I've lost my
> copy of the URL for iana's documents.  Would someone be kind enough to
> post that?

http://www.iana.org/numbers.html  Great refference link to
keep around.

> But type=0, code=0 (or is it the other way round?) is a ping.  If I'm
> interpreting your table correctly, there are 6,575 pings registered from
> one host and 5,735 from another.  So, yes, it is possible that these
> machines are being used for an ICMP ping DoS (AKA smurf attack).
>
> I would check to make sure that this is only coming from a few hosts
> rather than from all of them.  If you're getting ping traffic like that
> originating from all hosts on your subnet, you are (probably) being used
> for a DoS attack and you should configure your router to block external
> broadcast packets.

Ooo, forgot about broadcast addresses.  I've had my broadcast 
addresses blocked for solong I'd forgotten about them.

-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |