Security Incidents mailing list archives
Re: Tracking down random ICMP
From: "Kyle Maxwell" <krmaxwell () gmail com>
Date: Mon, 22 Jan 2007 21:50:20 -0600
On 1/22/07, Craig Chamberlain <craig.chamberlain () q1labs com> wrote:
Seem to be seeing more random bursts of ICMP traffic - sometimes unidirectional - with remote destinations that are mostly inexplicable. Wondering if it's a covert control channel of some sort - if so I can see why they chose ICMP - often allowed through firewalls and it seems to be hard to determine the originating process in Windows. Is there a tool that can determine which process ID is generating ICMP packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and netstat apparently can't do it.
How have you established the source system? Just through the IP address (easily forged for ICMP traffic), or have you tracked it down with MAC addresses and getting on the switch to verify? ICMP doesn't open a socket like TCP does, so it might indeed be hard to verify.

One way (and there may be better ones) would be to start with a process listing on the source system and work through process of elimination.

In general, ICMP bursts are frequently due to misconfigured or broken equipment, but certainly not always.

--
Kyle Maxwell [krmaxwell () gmail com]
http://caffeinatedsecurity.com/blog/
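As an added example (not code from anyone in this thread), the two checks Kyle describes, confirming the source by MAC address rather than by the easily forged IP and flagging unidirectional ICMP bursts, written as Python over a constructed packet list; the sample capture, its field layout and the burst thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample capture, one tuple per ICMP packet:
# (time_s, src_mac, src_ip, dst_ip, icmp_type); type 8 = echo request, 0 = echo reply.
# Addresses and MACs are made up for the example, not taken from the thread.
SAMPLE_CAPTURE = [
    (0.0, "00:11:22:33:44:55", "10.0.0.5", "198.51.100.7", 8),
    (0.2, "00:11:22:33:44:55", "10.0.0.5", "198.51.100.7", 8),
    (0.4, "00:11:22:33:44:55", "10.0.0.5", "198.51.100.7", 8),
    (0.6, "00:11:22:33:44:55", "10.0.0.5", "198.51.100.7", 8),
    (5.0, "aa:bb:cc:dd:ee:ff", "10.0.0.5", "203.0.113.9", 8),  # same IP, different MAC
    (5.1, "66:77:88:99:aa:bb", "10.0.0.9", "192.0.2.1", 8),
    (5.3, "0c:0c:0c:0c:0c:0c", "192.0.2.1", "10.0.0.9", 0),    # reply seen: bidirectional
]


def macs_per_source_ip(capture):
    """Map each source IP to the sorted list of MACs it was seen from."""
    seen = defaultdict(set)
    for _, mac, src_ip, _, _ in capture:
        seen[src_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items()}


def inconsistent_sources(capture):
    """IPs seen from more than one MAC: the IP alone does not identify the host
    (a forged source, or two machines claiming the same address)."""
    return sorted(ip for ip, macs in macs_per_source_ip(capture).items() if len(macs) > 1)


def unidirectional_bursts(capture, window=1.0, min_packets=3):
    """(src, dst, count) pairs that sent >= min_packets ICMP within `window`
    seconds while no ICMP at all was seen from dst back to src."""
    forward = defaultdict(list)
    has_reverse = set()
    for t, _, src, dst, _ in capture:
        forward[(src, dst)].append(t)
        has_reverse.add((dst, src))  # a packet src->dst is the reverse of dst->src
    bursts = []
    for (src, dst), times in forward.items():
        if (src, dst) in has_reverse:
            continue
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_packets:
            bursts.append((src, dst, best))
    return bursts
```

Feeding real data means exporting the same five fields from a capture taken on the switch side, where the MAC column is trustworthy.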