That's one of the first things I checked, and that interface did have "no ip-directed broadcast" set. At this point I've been simply filtering for that machine because I haven't had time to address the issue further, but if I come up with anything else I'll let you know.
 
Eric
-----Original Message-----
From: Nicholas EK Ng [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 10:21 PM
To: Lewis, Eric; [EMAIL PROTECTED]
Subject: RE: [ISSForum] ICMP_Flood from echo replies

Correct me if I am wrong. Probably you can check the router interface: is "no ip-directed broadcast" / something like that configured? If not, add a line to the router configuration to DROP all IP-related broadcasts to the router interface.
 
Will this be the reason???!! I am not sure. Please let me know if you find any other solution for this.
 
 
Thanks,
 
Nicholas
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Lewis, Eric
Sent: Thursday, September 25, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] ICMP_Flood from echo replies

We have a machine set up on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or has never seen, it performs a Nessus and ISS scan on that machine, then emails the results. Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies (Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building, only one gives us trouble. Most, but not all, are with a source of 0.0.0.0, which I'm assuming is the usual problem/issue with coalesced source addresses seen in ISS.
 
I really don't want to filter all ICMP traffic to this scanning machine so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?

Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH 
Network Security Officer
