Security Incidents mailing list archives

Huge outgoing ICMP flows


From: Vangelis Haniotakis <haniotak () ucnet uoc gr>
Date: Wed, 13 Jun 2001 18:56:10 +0300 (EET DST)

 Hi.

 Over the last few days, our outgoing traffic has increased tremendously.
On examination of our Netflow logs, a couple of our hosts seem to be
transmitting big amounts of data with source and destination port 0 to a
small number of external hosts.

 Is this a DoS attack originating from our hosts? Is there a legitimate
reason for flows looking like this:

src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|6575|6637824|992379494|988086327
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|5735|6088716|992379508|992381308

 The protocol field is actually Cisco Netflow Collector's guess of the
protocol, not an indication of actual packet format. I'm not sure whether
these are indeed huge ICMP packets or something else, like data transfers.
Some of these flows are tens of MBs in size.

 Any assistance or recommendations would be very much appreciated indeed.

 Thank you very much for your time in advance.

--
Vangelis Haniotakis - Network & Communications Centre, University of Crete
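As an added illustration (not code from the original post or its author): a small Python routine that parses NetFlow records in the pipe-delimited layout quoted above and flags the ICMP flows worth investigating by volume and average packet size. The sample records are constructed, with documentation addresses in place of the masked ones, and the first record reproduces the post's end-before-start timestamp so the parser has to cope with it.

```python
from __future__ import annotations
import csv
from dataclasses import dataclass

# Constructed sample in the layout quoted in the post (header line, then
# one record per line). Addresses are placeholders, not the real hosts.
SAMPLE_FLOWS = """\
src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
192.0.2.10|198.51.100.7|0|0|ICMP|6575|6637824|992379494|988086327
192.0.2.10|198.51.100.9|0|0|ICMP|5735|6088716|992379508|992381308
192.0.2.11|198.51.100.9|0|0|ICMP|12|1008|992379600|992379605
192.0.2.12|198.51.100.9|34567|80|TCP|400|420000|992379600|992379700
"""

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    packets: int
    nbytes: int
    start: int
    end: int

    @property
    def avg_packet_size(self) -> float:
        return self.nbytes / self.packets if self.packets else 0.0

    @property
    def duration(self) -> int | None:
        # The first record in the post has an end timestamp earlier than its
        # start; treat that as unknown rather than computing a negative value.
        return self.end - self.start if self.end >= self.start else None

def parse_flows(text: str) -> list[Flow]:
    rows = csv.reader(text.splitlines(), delimiter="|")
    next(rows)  # skip the header line
    flows = []
    for r in rows:
        if len(r) < 9:
            continue  # malformed or truncated record
        flows.append(Flow(r[0], r[1], r[4].upper(), int(r[5]), int(r[6]),
                          int(r[7]), int(r[8])))
    return flows

def suspicious_icmp(flows, min_bytes=1_000_000, min_avg_pkt=200) -> list[Flow]:
    """ICMP flows that are both large and built from big packets. Ordinary
    echo traffic is tens of bytes per packet; tens of MB at ~1 KB per packet
    is the shape of a flood or of data being tunnelled over ICMP."""
    return [f for f in flows if f.proto == "ICMP"
            and f.nbytes >= min_bytes and f.avg_packet_size >= min_avg_pkt]
```

Thresholds are a starting point to tune against the site's normal traffic; the flagged source hosts are the ones to capture packets from next.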
