We have a machine set up on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or has never seen, it performs a Nessus and ISS scan on that machine, then emails the results. Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies (Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building, only one gives us trouble. Most, but not all, are with a source of 0.0.0.0, which I'm assuming is the usual problem/issue with coalesced source addresses seen in ISS.

I really don't want to filter all ICMP traffic to this scanning machine, so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?

Eric S. Lewis, CCNA, MCSE,
NSA IAM, CCSA, CISSP, CEH
Network Security Officer
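
The new-host rule described in the message above (sweep, then scan anything never seen or not seen in the last 14 days), as an added example that is not part of the original post. It assumes the sweep output is saved in nmap's grepable format (`-oG`); the function names, the sample addresses and the in-memory last-seen table are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)  # "hasn't seen in the last 14 days" rule from the post
# Grepable ping-sweep line, e.g. "Host: 10.1.1.1 ()<TAB>Status: Up"
HOST_UP = re.compile(r"^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s.*Status:\s+Up\b")

def parse_up_hosts(grepable_text):
    """Return the set of IPs reported Up in nmap grepable ping-sweep output."""
    hosts = set()
    for line in grepable_text.splitlines():
        match = HOST_UP.match(line)
        if match:
            hosts.add(match.group(1))
    return hosts

def hosts_to_scan(up_hosts, last_seen, now):
    """Return IPs never seen, or last seen more than WINDOW ago.

    last_seen (ip -> datetime) is updated in place for every host that
    answered, so a known host stays known as long as it keeps responding.
    """
    due = []
    for ip in up_hosts:
        seen = last_seen.get(ip)
        if seen is None or now - seen > WINDOW:
            due.append(ip)
        last_seen[ip] = now
    return sorted(due)

# Constructed sample data: one sweep result and the scanner's prior state.
SAMPLE_SWEEP = (
    "# Nmap ping sweep (constructed sample)\n"
    "Host: 10.1.1.1 ()\tStatus: Up\n"
    "Host: 10.1.1.20 ()\tStatus: Up\n"
    "Host: 10.1.1.37 ()\tStatus: Up\n"
    "Host: 10.1.1.99 ()\tStatus: Down\n"
)
NOW = datetime(2024, 1, 30, 2, 0)

def demo_state():
    """Constructed last-seen table: one recent host, one stale host."""
    return {"10.1.1.1": NOW - timedelta(days=1),
            "10.1.1.20": NOW - timedelta(days=20)}

if __name__ == "__main__":
    for ip in hosts_to_scan(parse_up_hosts(SAMPLE_SWEEP), demo_state(), NOW):
        print("queue vulnerability scan for", ip)
```

Because the table is refreshed on every sweep, a host is queued for scanning once when it appears and again only after it has been silent for longer than the window.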
