RE: [ISSForum] ICMP_Flood from echo replies

Tue, 30 Sep 2003 21:29:23 -0700

Correct me if I am wrong. Probably you can check the router interface, is "no ip-directed broadcast" / something like that configured? If no, put a line to the router configuration to DROP all ip related broadcast to the router interface.
 
Will this be the reason???!! I am not sure. Please let me know if you find any other solution for this.
 
 
Thanks,
 
Nicholas
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Lewis, Eric
Sent: Thursday, September 25, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] ICMP_Flood from echo replies

We have a machine setup on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or never seen, it performs a Nessus and ISS scan on that machine, then emails the results. Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies(Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building only one gives us trouble. Most, but not all, are with a source of 0.0.0.0 which I'm assuming is the usually problems/issue with coalesced source addresses seen in ISS.
 
I really don't want to filter all ICMP traffic to this scanning machine so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?

Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH 
Network Security Officer 

___________________________________________________________________________________________________________________________________________________________________

This mail is protected by Silicon Communications S/B

The information contained in this message maybe confidential and protected from 
disclosure. If you are not the intended recipient of this message,  please delete this 
message immediately. You are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited.  


~~~This email has been scanned by our anti-virus system. For precaution, please make 
sure you scan every attachment in this email. Please use at your own risk. Thank you. 
:) Mailadmin~~~ 
___________________________________________________________________________________________________________________________________________________________________

Reply via email to