Security Incidents mailing list archives
Tracking down random ICMP
From: "Craig Chamberlain" <craig.chamberlain () Q1Labs com>
Date: Mon, 22 Jan 2007 09:19:31 -0400
Seem to be seeing more random bursts of ICMP traffic - sometimes unidirectional - with remote destinations that are mostly inexplicable. Wondering if it's a covert control channel of some sort - if so I can see why they chose ICMP - often allowed through firewalls and it seems to be hard to determine the originating process in Windows. Is there a tool that can determine which process ID is generating ICMP packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and netstat apparently can't do it.

TIA - Craig