Eric, I've thought about this a bit more, and I think that it is unlikely that the router is corrupting packets. If the router corrupted the type field of the icmp echo reply traffic, the checksum would be incorrect, and the sensor would ignore the traffic.

A more likely scenario is that a router, most likely the default gateway configured for the system initiating the scan, knows of a better route for the destination subnet. As such, the router will send an ICMP Redirect message to the initiator of the scan, potentially for each packet, to alert the system of the alternate route. If the scan causes the router to produce more than 100 redirect messages within a 1 second interval, it will meet the criteria for the ICMP_Flood signature.

-----Original Message-----
From: Langseth, Jacob (ISSAtlanta)
Sent: Thursday, September 25, 2003 19:35
To: 'Lewis, Eric'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] ICMP_Flood from echo replies

Eric,

By your reference to the coalescer, I assume that you are running a v7.0 network sensor. In version 7.0, the ICMP_Flood signature will only trigger if > 100 non-echo-request and non-echo-reply icmp packets have targeted a single host within a 1 second interval. The ICMP_Flood signature should not trigger from a ping sweep, regardless of the amount of traffic involved.

From the description of your problem, I would hazard the guess that the problematic router interface may be corrupting the icmp type field of the echo reply packets. This would certainly explain the behavior that you describe.

If it is possible, please execute an nmap ping sweep such that the traffic passes through the problematic router interface, and make a packet capture of the icmp traffic involved. If you are able to provide a capture, send it to me and I will attempt to improve upon my diagnosis. If you are unable to disclose the capture, please take a look at the traffic using a tool such as ethereal, and filter out all packets which do not have an icmp type field of either 0 or 8 (icmp type 0 is an echo reply, icmp type 8 is an echo request). If the router is corrupting the icmp type field of the response packets, the corrupted packets should be visible in the filtered view of the capture.

Hope this helps,
Jacob

-----Original Message-----
From: Lewis, Eric [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 10:41
To: [EMAIL PROTECTED]
Subject: [ISSForum] ICMP_Flood from echo replies

We have a machine set up on our network to perform an NMAP ping sweep of all internal subnets to look for new, unauthorized machines on our network. Once it finds an IP that it hasn't seen in the last 14 days, or never seen, it performs a Nessus and ISS scan on that machine, then emails the results.

Anyway, for some reason I am seeing an enormous amount of ICMP_Floods, all echo replies (Type 0), from one of our router interfaces. Although the ping sweep hits all kinds of other router interfaces throughout the building only one gives us trouble. Most, but not all, are with a source of 0.0.0.0 which I'm assuming is the usual problems/issue with coalesced source addresses seen in ISS. I really don't want to filter all ICMP traffic to this scanning machine so any ideas on why I would get ICMP_Floods, mainly with source 0.0.0.0, from one router interface?

Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH
Network Security Officer
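The two points Jacob makes above, that a corrupted type field breaks the ICMP checksum so the sensor drops the packet, and that the v7.0 ICMP_Flood signature counts only non-echo ICMP (more than 100 to one host inside 1 second), as an added Python example that is not from the thread or from ISS. The packet layout, the sliding-window threshold logic and the sample traffic are my own constructed assumptions, not the sensor's actual implementation.

```python
import struct
from collections import defaultdict

ECHO_REPLY, REDIRECT, ECHO_REQUEST = 0, 5, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code=0, payload=b""):
    """Minimal ICMP message (type, code, checksum, 4 unused bytes) with a valid checksum."""
    csum = icmp_checksum(struct.pack("!BBHI", icmp_type, code, 0, 0) + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload

def icmp_flood_hits(packets, threshold=100, window=1.0):
    """packets: iterable of (timestamp, dst_host, raw_icmp_bytes). Returns hosts that got
    more than `threshold` non-echo ICMP messages in any `window`-second span."""
    per_dst = defaultdict(list)
    for ts, dst, raw in packets:
        # A message whose checksum field is correct recomputes to zero; drop the rest.
        if icmp_checksum(raw) == 0 and raw[0] not in (ECHO_REQUEST, ECHO_REPLY):
            per_dst[dst].append(ts)
    hits = set()
    for dst, times in per_dst.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                hits.add(dst)
                break
    return hits

def sample_capture():
    """Constructed traffic, not a real capture: 120 packets per host."""
    reply = build_icmp(ECHO_REPLY, payload=b"ping")
    corrupt = bytes([REDIRECT]) + reply[1:]  # type byte altered, checksum now wrong
    redirect = build_icmp(REDIRECT, code=1, payload=b"\x00" * 28)
    pkts = []
    for i in range(120):
        pkts.append((i * 0.004, "host-a", reply))     # sweep replies: never counted
        pkts.append((i * 0.004, "host-b", corrupt))   # corrupted type: checksum fails
        pkts.append((i * 0.004, "host-c", redirect))  # 120 redirects in 0.5 s: flood
        pkts.append((i * 0.025, "host-d", redirect))  # redirects at 40/s: no flood
    return pkts
```

Only host-c trips the threshold: the echo replies are excluded by type, the type-corrupted replies by their checksum, and the slower redirect stream never reaches 100 in one second.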
