Snort mailing list archives

dos-large-icmp - FYI


From: "Sid" <s_i_d_j () yahoo com>
Date: Wed, 9 May 2001 20:31:10 +0530

Hi,

I got a lot of dos-large-icmp alerts. On investigation, it turned out to be
communication between an Akamai server and a media server. Here is a sample
packet:
---------------------------------------------------------
[**] IDS246/dos-large-icmp [**]
04/25-01:30:46.470046 mediaserver -> akamai-server
ICMP TTL:45 TOS:0x0 ID:56994 IpLen:20 DgmLen:1500
Type:0  Code:0  ID:39205  Seq:55774  ECHO REPLY
...:............................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
---------------------------------------------------------

Although this traffic doesn't seem to be malicious, what I don't
understand is why these servers need to talk ICMP so much. The packets
arrive at an interval of approx. 6 seconds. The IP on the other side is
62.54.15.148 (mnch-3e360f94.pool.mediaWays.net).



Siddhartha
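
Added example, not part of the original message or of Snort itself: a small Python triage helper that reads alerts in the layout shown above and reports, per source/destination pair, how many alerts fired, the largest datagram, and the spacing between them, so that timer-paced traffic like the 6-second pattern described can be told apart from a burst. The sample records after the first timestamp and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Header layout copied from the alert in the post; the payload dump is ignored.
RECORD = re.compile(
    r"\[\*\*\] (?P<sig>\S+) \[\*\*\]\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) -> (?P<dst>\S+)\n"
    r"ICMP .*?DgmLen:(?P<len>\d+)\n"
    r"Type:(?P<type>\d+)\s+Code:\d+")

# Constructed sample: the first timestamp is the one in the post, the other
# three are invented to mimic the "approx. 6 seconds" spacing it describes.
_TEMPLATE = ("[**] IDS246/dos-large-icmp [**]\n"
             "04/25-{t} mediaserver -> akamai-server\n"
             "ICMP TTL:45 TOS:0x0 ID:56994 IpLen:20 DgmLen:1500\n"
             "Type:0  Code:0  ID:39205  Seq:55774  ECHO REPLY\n\n")
SAMPLE = "".join(_TEMPLATE.format(t=t) for t in (
    "01:30:46.470046", "01:30:52.470046", "01:30:58.570046", "01:31:04.470046"))


def summarise(text, year=2001):
    """Per (signature, src, dst): alert count, largest datagram, ICMP types, pacing.

    Snort timestamps carry no year, so `year` is an assumption supplied by the caller.
    """
    flows = defaultdict(list)
    for m in RECORD.finditer(text):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        flows[(m["sig"], m["src"], m["dst"])].append((ts, int(m["len"]), int(m["type"])))
    report = {}
    for key, hits in flows.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[key] = {
            "count": len(hits),
            "max_len": max(h[1] for h in hits),
            "icmp_types": sorted({h[2] for h in hits}),
            # Seconds between consecutive alerts; None when only one alert was seen.
            "mean_gap": round(mean(gaps), 2) if gaps else None,
            "jitter": round(max(gaps) - min(gaps), 2) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for key, stats in summarise(SAMPLE).items():
        print(key, stats)
```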

