Eric,

By your reference to the coalescer, I assume that you are running a v7.0 network sensor.

In version 7.0, the ICMP_Flood signature will only trigger if > 100 non-echo-request and non-echo-reply ICMP packets have targeted a single host within a 1 second interval. The ICMP_Flood signature should not trigger from a ping sweep, regardless of the amount of traffic involved.

From the description of your problem, I would hazard the guess that the problematic router interface may be corrupting the ICMP type field of the echo reply packets. This would certainly explain the behavior that you describe.

If it is possible, please execute an nmap ping sweep such that the traffic passes through the problematic router interface, and make a packet capture of the ICMP traffic involved.

If you are able to provide a capture, send it to me and I will attempt to improve upon my diagnosis. If you are unable to disclose the capture, please take a look at the traffic using a tool such as ethereal, and filter out all packets which do not have an ICMP type field of either 0 or 8 (ICMP type 0 is an echo reply, ICMP type 8 is an echo request). If the router is corrupting the ICMP type field of the response packets, the corrupted packets should be visible in the filtered view of the capture.
Hope this helps,

Jacob
-----Original Message-----
From: Lewis, Eric [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 10:41
To: [EMAIL PROTECTED]
Subject: [ISSForum] ICMP_Flood from echo replies

We have a machine set up on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or never seen, it performs a Nessus and ISS scan on that machine, then emails the results.

Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies (Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building, only one gives us trouble. Most, but not all, are with a source of 0.0.0.0, which I'm assuming is the usual problem/issue with coalesced source addresses seen in ISS.

I really don't want to filter all ICMP traffic to this scanning machine, so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?

Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH
Network Security Officer
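The two checks Jacob describes above, the v7.0 ICMP_Flood trigger condition (more than 100 ICMP packets that are neither echo request nor echo reply, aimed at one host inside a 1 second interval) and the capture filter that hides type 0 and type 8 so that a mangled echo reply stands out, can be replayed over a constructed capture. The script below is an added example, not ISS code and not anything posted in the thread: it builds minimal IPv4+ICMP packets with `struct`, parses the ICMP type byte the way a capture tool would, keeps the packets whose type is neither 0 nor 8 (the view that would reveal a corrupted reply), and runs a sliding-window count per destination. The addresses, the 200-host sweep and the choice of type 3 as the "corrupted" value are all constructed assumptions.

```python
"""Replay the ICMP_Flood (v7.0) condition and the 'neither 0 nor 8' capture
filter over constructed traffic.  Example code added for illustration; it is
not ISS's implementation and nothing here comes from the original thread."""
import struct
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8
FLOOD_THRESHOLD = 100   # "> 100 non-echo-request and non-echo-reply icmp packets ..."
FLOOD_WINDOW = 1.0      # "... targeted a single host within a 1 second interval"


def build_icmp_packet(src, dst, icmp_type, icmp_code=0):
    """Construct a minimal IPv4 + ICMP packet (checksums left zero; we only parse)."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)  # type, code, csum, id, seq
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ip2b(src), ip2b(dst))                          # proto 1 = ICMP
    return ip + icmp


def parse_packet(raw):
    """Return (src, dst, icmp_type) for an IPv4/ICMP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 1 or len(raw) < ihl + 1:     # not ICMP, or no ICMP header
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    return src, dst, raw[ihl]                   # first ICMP byte is the type field


def non_echo_packets(capture):
    """The capture-tool view: keep only packets whose ICMP type is neither 0 nor 8
    (equivalent to the ethereal/Wireshark display filter icmp.type != 0 && icmp.type != 8)."""
    out = []
    for ts, raw in capture:
        p = parse_packet(raw)
        if p and p[2] not in (ECHO_REPLY, ECHO_REQUEST):
            out.append((ts, p[0], p[1], p[2]))
    return out


def icmp_flood_alerts(capture, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Sliding 1-second count of non-echo ICMP per destination host; returns the
    set of destinations that exceed the threshold (the ICMP_Flood condition as
    described in the reply above; echo request/reply never count)."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, raw in sorted(capture, key=lambda x: x[0]):
        p = parse_packet(raw)
        if not p or p[2] in (ECHO_REPLY, ECHO_REQUEST):
            continue
        q = recent[p[1]]
        q.append(ts)
        while q and ts - q[0] > window:         # drop packets older than the window
            q.popleft()
        if len(q) > threshold:
            alerted.add(p[1])
    return alerted


def constructed_capture(corrupt_replies=True, hosts_up=200):
    """Constructed sample traffic (assumption, not data from the thread): scanner
    10.0.1.5 ping-sweeps 10.0.5.0/24; every host answers.  When corrupt_replies
    is set, the replies arrive with the ICMP type byte mangled to 3, standing in
    for a router interface that corrupts the type field."""
    scanner, pkts, t = "10.0.1.5", [], 0.0
    for i in range(1, hosts_up + 1):
        target = f"10.0.5.{i}"
        pkts.append((t, build_icmp_packet(scanner, target, ECHO_REQUEST)))
        reply_type = 3 if corrupt_replies else ECHO_REPLY
        pkts.append((t + 0.001, build_icmp_packet(target, scanner, reply_type)))
        t += 0.002                               # whole sweep fits inside one second
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    print("non-echo packets:", len(non_echo_packets(cap)))
    print("ICMP_Flood would fire on:", icmp_flood_alerts(cap))
    print("clean sweep fires on:", icmp_flood_alerts(constructed_capture(corrupt_replies=False, hosts_up=250)))
```

With the corrupted replies the filtered view shows 200 type-3 packets all addressed to the scanner and the window count alerts on 10.0.1.5; the same sweep with intact type-0 replies produces an empty filtered view and no alert, matching the statement that a ping sweep alone should not trigger the signature. On a real capture the equivalent first look is the Wireshark display filter `icmp.type != 0 && icmp.type != 8`, or `tcpdump -n 'icmp[0] != 0 and icmp[0] != 8'` at the capture point.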
