[Snort-users] Normal Traffic???

Ju Kong Fui kongfui at ...3775...
Thu Oct 11 19:01:09 EDT 2001


Checking the source of the Echo-requests would help to determine the
nature/intention of the ICMP traffic. If it's from multiple/lots of
different sources, it could be DDoS attempts.

You may also get some tools to trace back whether the source addr was
spoofed.

-----Original Message-----
From: Pesek Wolfgang (Mail) [mailto:WPesek at ...3042...]
Sent: Friday, 12 October, 2001 03:03 AM
To: 'Muscat, Tyrone J.'; 'snort-users at lists.sourceforge.net'
Subject: AW: [Snort-users] Normal Traffic???


This looks like some host inside your network is sending large ICMP packets!
Obviously this is due to the fact that someone from the outside is pinging
your IP with a simple ping but a not so fine option - in that case to tell
ping how many bytes of data shall be sent with the ECHO-REQUEST. Normally
this is executed with only 8-26 bytes
(if I remember correctly from the great document from Ofir Arkin, "ICMP-Usage
Scanning"; thanks for this masterpiece, by the way. I saw you around this
list already :-) ).

This can lead to a DoS, so I'd rather block ICMP traffic on your firewall
for a time.
 
-----Original Message-----
From: Muscat, Tyrone J. [mailto:MUSCATTJ at ...3501...]
Sent: Thursday, 11 October 2001 20:10
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Normal Traffic???



This traffic is coming from my internal network out through my firewall.
Is this normal, or should I be worried?


[**] IDS246/dos_dos-large-icmp [**] 
10/11-13:59:15.554696 0:3:47:B:F0:50 -> 0:2:FD:1E:25:ED type:0x800 len:0x5EA

xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx ICMP TTL:126 TOS:0x0 ID:12980 IpLen:20
DgmLen:1500 DF 
Type:0  Code:0  ID:1080  Seq:61662  ECHO REPLY 

Ty Muscat 
Watt Regulator
815 Chestnut Street
North Andover, MA 01845 
Phone: 978-689-6036
Fax: 978-689-6115 
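
The source check suggested in the first reply, as an added example that is not part of the original thread: it parses Snort alerts in the layout quoted above and groups the claimed requesters per pinged host, treating an outbound ECHO REPLY as addressed to whoever sent the request. The sample alerts, the RFC 5737 addresses and the 800-byte payload threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed alerts in the layout of the one quoted in the thread
# (RFC 5737 documentation addresses; not data from the original post).
SAMPLE = """\
[**] IDS246/dos_dos-large-icmp [**]
10/11-13:59:15.554696
192.0.2.10 -> 198.51.100.7 ICMP TTL:126 TOS:0x0 ID:12980 IpLen:20
DgmLen:1500 DF
Type:0  Code:0  ID:1080  Seq:61662  ECHO REPLY

[**] IDS246/dos_dos-large-icmp [**]
10/11-13:59:16.100000
192.0.2.10 -> 198.51.100.8 ICMP TTL:126 TOS:0x0 ID:12981 IpLen:20
DgmLen:1500 DF
Type:0  Code:0  ID:2044  Seq:17  ECHO REPLY

[**] IDS246/dos_dos-large-icmp [**]
10/11-14:02:01.000000
203.0.113.5 -> 192.0.2.10 ICMP TTL:52 TOS:0x0 ID:400 IpLen:20
DgmLen:1028
Type:8  Code:0  ID:77  Seq:1  ECHO
"""

HEADER = re.compile(r"^\[\*\*\].*\[\*\*\]\s*$", re.M)
ADDRS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,3}(?:\.\d{1,3}){3})")
FIELDS = re.compile(r"IpLen:(\d+)\s+DgmLen:(\d+)")  # \s+ tolerates the line wrap
ICMP_TYPE = re.compile(r"^Type:(\d+)", re.M)

def parse_alerts(text):
    """Yield (src, dst, icmp_type, payload_bytes) for each alert body."""
    for body in HEADER.split(text)[1:]:
        a, f, t = ADDRS.search(body), FIELDS.search(body), ICMP_TYPE.search(body)
        if a and f and t:
            payload = int(f.group(2)) - int(f.group(1)) - 8  # minus IP and ICMP headers
            yield a.group(1), a.group(2), int(t.group(1)), payload

def requesters_by_target(text, min_payload=800):  # threshold is an assumption
    """Map each pinged host to the addresses that claimed to ping it.
    These are the addresses in the packets; they may be spoofed."""
    seen = defaultdict(set)
    for src, dst, icmp_type, payload in parse_alerts(text):
        if payload < min_payload:
            continue
        if icmp_type == 8:      # echo request: the sender is the requester
            seen[dst].add(src)
        elif icmp_type == 0:    # echo reply: it is addressed to the requester
            seen[src].add(dst)
    return dict(seen)
```

Many distinct requesters for one internal host over a short window matches the multiple-source pattern the first reply describes; a single requester points to one remote ping with a large size option.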
