Security Incidents mailing list archives

Re: Tracking down random ICMP


From: "Kyle Maxwell" <krmaxwell () gmail com>
Date: Mon, 22 Jan 2007 21:50:20 -0600

On 1/22/07, Craig Chamberlain <craig.chamberlain () q1labs com> wrote:

> Seem to be seeing more random bursts of ICMP traffic - sometimes
> unidirectional - with remote destinations that are mostly inexplicable.
> Wondering if it's a covert control channel of some sort - if so I can
> see why they chose ICMP - often allowed through firewalls and it
> seems to be hard to determine the originating process in Windows.
>
> Is there a tool that can determine which process ID is generating ICMP
> packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and
> netstat apparently can't do it.

How have you established the source system? Just through the IP
address (easily forged for ICMP traffic), or have you tracked it down
with MAC addresses and by getting on the switch to verify?

ICMP doesn't open a socket like TCP does, so it might indeed be hard
to verify. One way (and there may be better ones) would be to start
with a process listing on the source system and work through process
of elimination. In general, ICMP bursts are frequently due to
misconfigured or broken equipment, but certainly not always.

--
Kyle Maxwell [krmaxwell () gmail com]
http://caffeinatedsecurity.com/blog/
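The reply above makes two points that are easy to check from a packet capture before anyone starts hunting processes on the suspected host: verify the source by MAC rather than by IP (ICMP source addresses are trivially forged), and characterise the traffic (bursty, one-way echo requests to scattered destinations) so it can be told apart from the usual broken-equipment noise. The following is an added example, not code from either poster: a small Python triage over captured ICMP records. The records, MAC addresses and IPs are constructed sample data (hypothetical addresses from the RFC 5737 documentation ranges), and the burst window and threshold are arbitrary tuning values.

```python
"""Triage captured ICMP for the pattern discussed in the thread: bursts,
one-way echo traffic to scattered destinations, and source IPs whose
sending MAC changes (a sign the IP is forged). Added example; the
records below are constructed, not a real capture."""
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class IcmpRecord:
    ts: float       # capture time in seconds
    src_mac: str    # sender MAC as seen on the local segment
    src_ip: str
    dst_ip: str
    icmp_type: int


def _rec(ts, mac, src, dst, icmp_type):
    return IcmpRecord(ts, mac, src, dst, icmp_type)


# Constructed sample capture (hypothetical hosts and addresses):
SAMPLE = [
    # 10.0.0.5 fires six echo requests in half a second at unrelated hosts
    _rec(100.0, "aa:aa:aa:aa:aa:05", "10.0.0.5", "203.0.113.10", ECHO_REQUEST),
    _rec(100.1, "aa:aa:aa:aa:aa:05", "10.0.0.5", "198.51.100.7", ECHO_REQUEST),
    _rec(100.2, "aa:aa:aa:aa:aa:05", "10.0.0.5", "192.0.2.33", ECHO_REQUEST),
    _rec(100.3, "aa:aa:aa:aa:aa:05", "10.0.0.5", "203.0.113.44", ECHO_REQUEST),
    _rec(100.4, "aa:aa:aa:aa:aa:05", "10.0.0.5", "198.51.100.90", ECHO_REQUEST),
    _rec(100.5, "aa:aa:aa:aa:aa:05", "10.0.0.5", "192.0.2.8", ECHO_REQUEST),
    # 10.0.0.9 does an ordinary ping of the gateway: request and reply
    _rec(105.00, "aa:aa:aa:aa:aa:09", "10.0.0.9", "10.0.0.1", ECHO_REQUEST),
    _rec(105.01, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.9", ECHO_REPLY),
    _rec(106.00, "aa:aa:aa:aa:aa:09", "10.0.0.9", "10.0.0.1", ECHO_REQUEST),
    _rec(106.01, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.9", ECHO_REPLY),
    # a frame claiming 10.0.0.5 but sent from a different MAC: forged source
    _rec(120.0, "de:ad:be:ef:00:01", "10.0.0.5", "192.0.2.77", ECHO_REQUEST),
]


def unidirectional_flows(records):
    """(src_ip, dst_ip) pairs that sent echo requests and never got a reply.
    Limited to echo: ICMP errors (type 3, 11, ...) are one-way by design."""
    requests = {(r.src_ip, r.dst_ip) for r in records if r.icmp_type == ECHO_REQUEST}
    # a reply travels dst -> src, so flip it back into request orientation
    replied = {(r.dst_ip, r.src_ip) for r in records if r.icmp_type == ECHO_REPLY}
    return sorted(requests - replied)


def bursts(records, window=1.0, threshold=5):
    """Per source IP, the largest number of ICMP frames inside any `window`
    seconds; only sources reaching `threshold` are reported."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src_ip].append(r.ts)
    found = {}
    for src, times in by_src.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted times
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            found[src] = best
    return found


def mac_conflicts(records):
    """Source IPs seen coming from more than one MAC on the segment. Kyle's
    point: the IP alone proves nothing, the MAC (and the switch port behind
    it) is what identifies the sending machine."""
    macs = defaultdict(set)
    for r in records:
        macs[r.src_ip].add(r.src_mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def triage(records):
    """Combine the three checks into one report keyed by source IP."""
    one_way = defaultdict(int)
    for src, _dst in unidirectional_flows(records):
        one_way[src] += 1
    burst = bursts(records)
    conflicts = mac_conflicts(records)
    report = {}
    for src in set(one_way) | set(burst) | set(conflicts):
        report[src] = {
            "burst": burst.get(src, 0),
            "one_way_dsts": one_way.get(src, 0),
            "macs": conflicts.get(src, []),
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE).items()):
        print(src, info)
```

On the constructed sample this flags only 10.0.0.5: a burst of six frames, seven destinations that never answered, and two different sending MACs, which is exactly the case where the MAC on the switch, not the IP, decides which host to pull a process listing from. The ordinary ping from 10.0.0.9 produces no finding. A real capture would feed the same records from a pcap parser; the thresholds are arbitrary and should be tuned to the network.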

