[Snort-users] dos-large-icmp - FYI

Sid s_i_d_j at ...131...
Wed May 9 11:01:10 EDT 2001


Hi,

I got a lot of dos-large-icmp alerts. On investigation, it turned out to be
communication between an Akamai server and a media server. Here is a sample
packet:
---------------------------------------------------------
[**] IDS246/dos-large-icmp [**]
04/25-01:30:46.470046 mediaserver -> akamai-server
ICMP TTL:45 TOS:0x0 ID:56994 IpLen:20 DgmLen:1500
Type:0  Code:0  ID:39205  Seq:55774  ECHO REPLY
...:............................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
................................................................
................................ !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
................................................................
---------------------------------------------------------

Although this traffic doesn't seem to be malicious, what I don't
understand is why these servers need to talk ICMP so much. The packets arrive
approximately every 6 seconds. The IP on the other side is
62.54.15.148 (mnch-3e360f94.pool.mediaWays.net).



Siddhartha
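An added example, not part of Siddhartha's post or of Snort itself: a short Python script that reads an alert in the text format shown above, derives the ICMP payload size from the IP header fields (DgmLen - IpLen - 8), and checks whether the ASCII dump is the fill pattern ping(8) writes after its timestamp (payload[i] = i & 0xff), which is exactly what the repeating ` !"#$...~` rows in the dump are. The 800-byte threshold is an assumption standing in for whatever dsize the local IDS246 rule uses. The sample alert is reconstructed from the dump in the post: header lines are copied verbatim, the two distinct printable rows are copied, and the all-dot rows are generated as "." * 64.

```python
import re

ICMP_HDR_LEN = 8          # echo request/reply header: type, code, checksum, id, seq
ASSUMED_THRESHOLD = 800   # assumed ICMP payload size above which the signature fires

# Sample alert reconstructed from the post above. Header lines are verbatim;
# the 23 payload rows are rebuilt from the two distinct printable rows of the
# dump, with the all-dot rows generated rather than typed.
LO = r""" !"#$%&'()*+,-./0123456789:;<=>?"""                                  # bytes 0x20..0x3f
HI = r"""@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~."""  # bytes 0x40..0x7f
DUMP_LINES = (
    ["...:" + "." * 28 + LO, HI, "." * 64, "." * 64]   # first row carries ping's timestamp bytes
    + ["." * 32 + LO, HI, "." * 64, "." * 64] * 4
    + ["." * 32 + LO, HI, "." * 64]
)
SAMPLE_ALERT = "\n".join(
    [
        "[**] IDS246/dos-large-icmp [**]",
        "04/25-01:30:46.470046 mediaserver -> akamai-server",
        "ICMP TTL:45 TOS:0x0 ID:56994 IpLen:20 DgmLen:1500",
        "Type:0  Code:0  ID:39205  Seq:55774  ECHO REPLY",
    ]
    + DUMP_LINES
)


def expected_ping_char(offset):
    """Character Snort's ASCII dump shows for ping(8)'s fill byte at this offset.

    ping fills the data after its timestamp with payload[i] = i & 0xff, and
    Snort prints a byte as itself only if it is printable ASCII, else as '.'.
    """
    b = offset & 0xFF
    return chr(b) if 0x20 <= b <= 0x7E else "."


def matches_ping_fill(dump, skip=8):
    """True if every position from `skip` onward is what the ping fill pattern
    would produce. The first `skip` bytes hold ping's timestamp and vary."""
    return len(dump) > skip and all(
        dump[i] == expected_ping_char(i) for i in range(skip, len(dump))
    )


def classify_alert(text, threshold=ASSUMED_THRESHOLD):
    """Pull the sizes out of a Snort text alert and report why it tripped."""
    lines = [l for l in text.split("\n") if l]
    ip = re.search(r"IpLen:(\d+)\s+DgmLen:(\d+)", text)
    icmp = re.search(r"Type:(\d+)\s+Code:(\d+)", text)
    ip_len, dgm_len = int(ip.group(1)), int(ip.group(2))
    payload_len = dgm_len - ip_len - ICMP_HDR_LEN
    # everything after the "Type:" line is the ASCII rendering of the payload
    start = next(i for i, l in enumerate(lines) if l.startswith("Type:")) + 1
    dump = "".join(lines[start:])
    return {
        "icmp_type": int(icmp.group(1)),
        "payload_len": payload_len,        # 1500 - 20 - 8 = 1472 for the sample
        "dump_len": len(dump),             # should agree with payload_len
        "over_threshold": payload_len > threshold,
        "ping_fill": matches_ping_fill(dump),
        "fills_ethernet_mtu": dgm_len == 1500,
    }


if __name__ == "__main__":
    for key, value in classify_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

For the packet in the post this reports a 1472-byte payload, over the assumed threshold, matching the ping fill pattern; 1472 data bytes plus 8 of ICMP header and 20 of IP header is exactly a 1500-byte Ethernet MTU, the largest echo that goes out unfragmented. The pattern check is only a heuristic: Snort's ASCII rendering collapses every non-printable byte to '.', so anything carried in the 0x80-0xff rows is invisible here and would need the hex dump to rule out.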

