Security Incidents mailing list archives
Huge outgoing ICMP flows
From: Vangelis Haniotakis <haniotak () ucnet uoc gr>
Date: Wed, 13 Jun 2001 18:56:10 +0300 (EET DST)
Hi. Over the last few days, our outgoing traffic has increased tremendously. On examination of our Netflow logs, a couple of our hosts seem to be transmitting big amounts of data with source and destination port 0 to a small number of external hosts. Is this a DOS attack originating from our hosts? Is there a legitimate reason for flows looking like this:

src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|6575|6637824|992379494|988086327
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|5735|6088716|992379508|992381308

The protocol field is actually Cisco Netflow Collector's guess of the protocol, not an indication of actual packet format. I'm not sure whether these are indeed huge ICMP packets or something else, like data transfers. Some of these flows are tens of MBs in size.

Any assistance or recommendations would be very much appreciated indeed. Thank you very much for your time in advance.

--
Vangelis Haniotakis - Network & Communications Centre, University of Crete
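A triage sketch for flow records in the layout quoted above, added here as an example and not part of the original post: it derives mean bytes per packet and flow duration, the two figures that help judge a record whose protocol label is only the collector's guess. The field names, the thresholds and the tag strings are assumptions chosen for illustration; the two sample records are the ones from the post.

```python
from dataclasses import dataclass

# The two records from the post, addresses masked as in the original.
SAMPLE = """\
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|6575|6637824|992379494|988086327
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|5735|6088716|992379508|992381308
"""

# Assumed thresholds, not from the post: tune them to the local baseline.
LARGE_ICMP_BYTES = 512       # typical ping packets are well under this
BULK_FLOW_BYTES = 1_000_000  # per-flow volume worth a second look

@dataclass
class Flow:
    src: str; dst: str; sport: int; dport: int; proto: str
    packets: int; size: int; start: int; end: int

    @property
    def bytes_per_packet(self):
        return self.size / self.packets if self.packets else 0.0

    @property
    def duration(self):
        # None when the exported end timestamp precedes the start timestamp.
        d = self.end - self.start
        return d if d >= 0 else None

def parse(line):
    f = line.strip().split("|")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return Flow(f[0], f[1], int(f[2]), int(f[3]), f[4], *map(int, f[5:9]))

def triage(flow):
    notes = []
    if flow.proto == "ICMP" and flow.bytes_per_packet > LARGE_ICMP_BYTES:
        notes.append("large-icmp-packets")
    if flow.size > BULK_FLOW_BYTES:
        notes.append("bulk-volume")
    if flow.duration is None:
        notes.append("end-before-start")  # inconsistent export, check the collector
    return notes

def report(text=SAMPLE):
    flows = [parse(l) for l in text.splitlines() if l.strip()]
    return [(round(f.bytes_per_packet), f.duration, triage(f)) for f in flows]

if __name__ == "__main__":
    print(*report(), sep="\n")
```

Both records average roughly 1 KB per packet, and the first carries an end timestamp earlier than its start, so its duration cannot be computed from the export as given.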