Eric,
 
Is it possible that machines behind the router have a different netmask than the router? If so, the router might not recognize the broadcast address used and pass it through.
 
When the sensor sees a large number of similar events from many hosts in a short period of time, it combines most (but not all) of them. For instance, in your example, I would expect you to see some ICMP_Floods with normal IP addresses. The sensor allows these through uncombined so you will have some examples of the original events. You might pick one of the systems indicated in one of those events and verify that the netmask and broadcast address match the settings you have on your router. If they do not match, you will at least understand what is happening. You would then have several options to resolve the problem.
 
By the way, the sensor's event combining behavior is tunable. You can specify how many related events should pass through uncombined. You can even disable combining altogether, but this is not recommended.
 
Paul
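The netmask/broadcast check Paul describes, as an added example that is not part of the thread: it takes a router interface and the hosts behind it (constructed sample values, the real ones come from the events and the host configurations) and reports which hosts compute a different broadcast address than the router, and which hosts would treat a given swept destination as a broadcast the router forwards as plain unicast.

```python
import ipaddress
from typing import Iterable

# Constructed sample data (not from the thread): one router interface and
# three hosts behind it, two of them configured with a mask that differs
# from the router's.
ROUTER_IFACE = "192.168.10.1/24"
HOSTS = [
    "192.168.10.50/24",   # same mask as the router
    "192.168.10.77/25",   # sees 192.168.10.127 as its broadcast address
    "192.168.10.200/23",  # sees 192.168.11.255 as its broadcast address
]


def broadcast_of(iface: str) -> ipaddress.IPv4Address:
    """Broadcast address of the subnet an address/mask pair belongs to."""
    return ipaddress.ip_interface(iface).network.broadcast_address


def netmask_mismatches(router_iface: str, hosts: Iterable[str]) -> list[tuple[str, str]]:
    """Return (host, host_broadcast) for every host whose broadcast address
    differs from the router interface's own. An echo request to such an
    address is an ordinary unicast destination from the router's point of
    view, so the router forwards it, while the host may answer it as a
    broadcast (subject to its own ICMP broadcast settings)."""
    router_bcast = broadcast_of(router_iface)
    return [(h, str(broadcast_of(h))) for h in hosts if broadcast_of(h) != router_bcast]


def hosts_answering_as_broadcast(dst: str, router_iface: str, hosts: Iterable[str]) -> list[str]:
    """Given one destination the sweep pinged, list the hosts that treat it as
    their broadcast address while the router does not; those are the hosts
    whose replies would arrive together and look like an ICMP flood."""
    d = ipaddress.ip_address(dst)
    if d == broadcast_of(router_iface):
        return []  # the router itself sees a broadcast here and can drop it
    return [h for h in hosts if broadcast_of(h) == d]


if __name__ == "__main__":
    for host, bcast in netmask_mismatches(ROUTER_IFACE, HOSTS):
        print(f"{host}: broadcast {bcast} differs from router {broadcast_of(ROUTER_IFACE)}")
    print(hosts_answering_as_broadcast("192.168.10.127", ROUTER_IFACE, HOSTS))
```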
-----Original Message-----
From: Lewis, Eric [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 30, 2003 8:57 AM
To: 'Nicholas EK Ng'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] ICMP_Flood from echo replies

That's one of the first things I checked and that interface did have "no ip-directed broadcast" set. At this point I've been simply filtering for that machine because I haven't had time to address the issue further but if I come up with anything else I'll let you know.
 
Eric
-----Original Message-----
From: Nicholas EK Ng [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 10:21 PM
To: Lewis, Eric; [EMAIL PROTECTED]
Subject: RE: [ISSForum] ICMP_Flood from echo replies

Correct me if I am wrong. Probably you can check the router interface: is "no ip-directed broadcast" or something like that configured? If not, add a line to the router configuration to DROP all IP-related broadcasts to the router interface.
 
Will this be the reason???!! I am not sure. Please let me know if you find any other solution for this.
 
 
Thanks,
 
Nicholas
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lewis, Eric
Sent: Thursday, September 25, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] ICMP_Flood from echo replies

We have a machine set up on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or never seen, it performs a Nessus and ISS scan on that machine, then emails the results. Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies (Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building, only one gives us trouble. Most, but not all, are with a source of 0.0.0.0, which I'm assuming is the usual problem/issue with coalesced source addresses seen in ISS.
 
I really don't want to filter all ICMP traffic to this scanning machine so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?

Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH
Network Security Officer