Security Incidents mailing list archives
Re: IDS246 Large ICMP Packet
From: "Bevan, Graham" <gbevan () CSC COM>
Date: Fri, 17 Nov 2000 09:42:19 +0000
Andre,

The DF flag indicates it might be Path MTU Discovery. What is the length of the packets? If it is the same size as the largest MTU size that can traverse from 32.96.212.11 to 200.210.111.132 without fragmentation, then again this suggests PMTU.

Not sure about the ID and SEQ staying the same...

I think this is a good argument to add an IF DF=0 rule to IDS246? What do others think?

Regards,
G.L. Bevan.

[**] IDS246 - MISC - Large ICMP Packet [**]
11/13-12:53:37.296852 32.96.212.11 -> 200.210.111.132
ICMP TTL:247 TOS:0x0 ID:10257 DF
ID:48282 Seq:61662 ECHO

There are over 62 of these alerts in a week's logfile, all of them with the same ID and Seq (not to mention they are all from the same origin, 32.96.212.11).
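The triage suggested in the message above, as an added example that is not part of the original post: it parses alerts in the quoted layout, separates IDS246 hits with DF set from those with DF clear (a post-filter over alert text, not a change to the rule itself), and counts repeated source/ICMP ID/Seq triples. The first sample alert is the one quoted in the message; the second and third are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the alert layout quoted in the message, whether the fields sit on
# one line or several. The DF token after the IP ID is optional.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]\s*"
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+"
    r"ICMP\s+TTL:(?P<ttl>\d+)\s+TOS:\S+\s+ID:(?P<ip_id>\d+)"
    r"(?P<df>\s+DF)?\s+ID:(?P<icmp_id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<type>\w+)"
)

# Alert 1 is from the message; alerts 2 and 3 are constructed for the example.
SAMPLE = """\
[**] IDS246 - MISC - Large ICMP Packet [**]
11/13-12:53:37.296852 32.96.212.11 -> 200.210.111.132
ICMP TTL:247 TOS:0x0 ID:10257 DF
ID:48282 Seq:61662 ECHO

[**] IDS246 - MISC - Large ICMP Packet [**]
11/13-13:53:37.301122 32.96.212.11 -> 200.210.111.132
ICMP TTL:247 TOS:0x0 ID:10993 DF
ID:48282 Seq:61662 ECHO

[**] IDS246 - MISC - Large ICMP Packet [**]
11/14-02:10:05.118400 192.0.2.10 -> 198.51.100.7
ICMP TTL:52 TOS:0x0 ID:4121
ID:512 Seq:256 ECHO
"""

def parse_alerts(text):
    """Return one dict per alert; 'df' becomes a bool."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["df"] = a["df"] is not None
        alerts.append(a)
    return alerts

def triage(alerts, sig="IDS246"):
    """Split hits by DF bit and report (src, ICMP ID, Seq) seen more than once."""
    hits = [a for a in alerts if a["sig"].startswith(sig)]
    repeats = Counter((a["src"], a["icmp_id"], a["seq"]) for a in hits)
    return {"df_set": sum(a["df"] for a in hits),
            "df_clear": sum(not a["df"] for a in hits),
            "repeated": {k: n for k, n in repeats.items() if n > 1}}

if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE)))
```

Alerts counted under `df_clear` are the ones an "IF DF=0" condition would still raise; the `repeated` map surfaces the constant ID and Seq pattern the original poster observed.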
Current thread:
- IDS246 Large ICMP Packet Andre Kajita - Administrador da Rede (Nov 17)
- Re: IDS246 Large ICMP Packet Jan Muenther (Nov 18)
- Re: IDS246 Large ICMP Packet Valdis Kletnieks (Nov 18)
- <Possible follow-ups>
- Re: IDS246 Large ICMP Packet Bevan, Graham (Nov 18)