large ICMP echo-request traffic to single dest address

Unanswered Question
Feb 19th, 2007

Recently I have seen debug output from a Cisco PIX 525 (IOS 6.3) showing very large ICMP echo-request traffic to a single destination address, sourced from several addresses on the same subnet.

- source addresses are from the same subnet, 10.x.1.0/24 (some Solaris machines on one of the PIX interfaces), and the destination address is 0.0.0.5

- debug command used on the PIX: debug icmp trace

- sample output line: ICMP echo-request from (PIX intf name):10.x.1.x to 0.0.0.5

What could be the reason for this traffic?
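A small detection pass over lines in the `debug icmp trace` format quoted in the question, added here as an example (it is not from the thread or from Cisco): it counts echo-requests per destination, how many distinct sources fan in to each one, and flags a destination such as 0.0.0.5, which lies in 0.0.0.0/8 and is valid only as a source address under RFC 1122. The interface name and host addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the `debug icmp trace` format quoted in the
# question (hypothetical interface name "inside", sample addresses).
SAMPLE_DEBUG = """\
ICMP echo-request from inside:10.1.1.10 to 0.0.0.5
ICMP echo-request from inside:10.1.1.11 to 0.0.0.5
ICMP echo-request from inside:10.1.1.12 to 0.0.0.5
ICMP echo-request from inside:10.1.1.10 to 0.0.0.5
ICMP echo-request from inside:10.1.1.13 to 0.0.0.5
ICMP echo-request from inside:10.1.1.20 to 192.0.2.7
ICMP echo-reply from outside:192.0.2.7 to 10.1.1.20
"""

# "ICMP <type> from <intf>:<src> to <dst>"
LINE_RE = re.compile(
    r"^ICMP (?P<type>[\w-]+) from (?P<intf>\S+?):(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)$"
)


def parse_icmp_trace(text):
    """Yield (type, intf, src, dst) for each line matching the PIX debug format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("type"), m.group("intf"), m.group("src"), m.group("dst")


def echo_request_fanin(text):
    """Map each destination to (echo-request count, set of distinct sources)."""
    stats = defaultdict(lambda: [0, set()])
    for typ, _intf, src, dst in parse_icmp_trace(text):
        if typ == "echo-request":
            stats[dst][0] += 1
            stats[dst][1].add(src)
    return {dst: (n, srcs) for dst, (n, srcs) in stats.items()}


def flag_suspicious(text, min_requests=3, min_sources=2):
    """Return [(dst, [reasons])] for destinations worth a closer look."""
    flagged = []
    for dst, (n, srcs) in echo_request_fanin(text).items():
        reasons = []
        if n >= min_requests and len(srcs) >= min_sources:
            reasons.append(f"{n} echo-requests from {len(srcs)} distinct sources")
        if dst.startswith("0."):
            reasons.append("destination in 0.0.0.0/8 (valid only as a source address)")
        if reasons:
            flagged.append((dst, reasons))
    return flagged
```

Thresholds are illustrative; on a real trace, raise them to whatever the cluster's normal keepalive rate looks like so that only outliers are reported.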

sachinraja Mon, 02/19/2007 - 17:40

Hello mulugetash,

Is there any issue due to this? I mean a CPU spike etc.? This might be some DDoS attack or the Nachi worm, which generates huge ICMP traffic. Can you isolate the PC and see the result? Are there any IPS on your network which can pick up the name of the vulnerability etc.?

Raj

mulugetash Mon, 02/19/2007 - 19:17

hi sachinraja,

Actually there is no issue (problem) on the PIX, but the Solaris machines are in a cluster and they are too slow.

As to the IPS, there is McAfee HIPS and I may check it.

Any other comments?

sachinraja Mon, 02/19/2007 - 19:22

Hello mate,

Great. The Solaris machines are on the LAN anyway, for clustering, so there are no issues with the packets that show up in the PIX logs; the PIX will not allow the packets to flow through it anyway, so no worries. Just make sure you can see these logs on the HIPS, and make sure to block them before they hit the PIX, which saves some CPU cycles for the firewall.

Raj
