Drastic increase in inbound ICMP Flood upon installation of MARS

travis-dennis_2
Level 7

Hello all,

We are seeing an increase in inbound ICMP Flood traffic that closely correlates to when a MARS 20 server went live. The inbound ICMP traffic seems to match web sites that users are browsing to. Has anyone seen anything like this and/or has an explanation as to why this is happening? The inbound ICMP traffic was nowhere near the level it is now before the MARS server came up.

Thanks in advance! All replies rated

3 Replies

wmblake755
Level 1

iirc mars will auto discover/probe your network, maybe that is causing the floods?

mhellman
Level 7

Can you be more specific about the type of ICMP messages? Is this an IDS alarm that is firing? CSMARS supports collecting messages using SNMP-trap (UDP port 162) and syslog (UDP port 514). These types of messages can come fast and furious. If a reporting device is misconfigured and sending lots of messages via either method on the wrong port, then the CSMARS will reply with lots of ICMP port unreachable (type=3/code=3). This can also happen if the reporting device is sending the messages to the wrong host. The most likely culprit IME is Snare for Windows, which has a configurable port. I've seen it go completely bonkers and take down a switch.
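
The reply above describes the mechanism (UDP syslog/trap sent to a closed port, collector answers with ICMP type 3 code 3). One way to confirm or rule that out is to look inside the ICMP replies: a Destination Unreachable message quotes the IP header and the first 8 bytes of the transport header of the datagram that triggered it (RFC 792), so each reply names the sender and the UDP port it was aiming at. The script below is an added example, not code from the original thread or from CSMARS; the packets it parses are constructed inline (the addresses, ports and counts are invented), and the threshold is an assumed tuning value.

```python
"""Triage an ICMP port-unreachable flood by reading the quoted inner headers.

Added example for the thread above. The packets are constructed here so the
script runs offline; in practice feed it raw IPv4 packets captured on the
collector (e.g. the payloads of an ICMP capture) instead of SAMPLE_PACKETS.
"""
import struct
from collections import Counter
from typing import List, Optional, Tuple

ICMP_DEST_UNREACH = 3   # ICMP type
ICMP_PORT_UNREACH = 3   # ICMP code
PROTO_ICMP = 1
PROTO_UDP = 17


def ipv4_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; not needed for parsing)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)


def build_port_unreach(collector: str, sender: str, sport: int, dport: int,
                       udp_len: int = 200) -> bytes:
    """ICMP type 3 / code 3 as a collector sends it back to `sender`.

    Returns outer IP header + 8-byte ICMP header + quoted inner IP header +
    first 8 bytes of the offending UDP header (constructed test data)."""
    inner_ip = build_ipv4_header(sender, collector, PROTO_UDP, udp_len)
    inner_udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    icmp += inner_ip + inner_udp
    return build_ipv4_header(collector, sender, PROTO_ICMP, len(icmp)) + icmp


def parse_port_unreach(pkt: bytes) -> Optional[dict]:
    """Recover sender, collector and UDP ports from a port-unreachable packet.

    Returns None for anything that is not ICMP type 3 / code 3 quoting UDP."""
    if len(pkt) < 20 or pkt[9] != PROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_PORT_UNREACH:
        return None
    inner = icmp[8:]                      # quoted original datagram
    if len(inner) < 20 or inner[9] != PROTO_UDP:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"sender": ipv4_to_str(inner[12:16]),
            "collector": ipv4_to_str(inner[16:20]),
            "sport": sport, "dport": dport}


def summarize(packets) -> Counter:
    """Count port-unreachable replies by (sender, target UDP port)."""
    counts: Counter = Counter()
    for p in packets:
        r = parse_port_unreach(p)
        if r:
            counts[(r["sender"], r["dport"])] += 1
    return counts


def likely_misconfigured(summary: Counter, threshold: int = 100) -> List[Tuple[str, int, int]]:
    """(sender, dport, count) for senders hammering a closed port; threshold is assumed."""
    hits = [(s, d, n) for (s, d), n in summary.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample: one host sends syslog to 541 (a typo for 514) and is
# answered 300 times; another hits a closed 162 twice; plus two non-matching
# packets (a UDP datagram and an ICMP echo) that the parser must ignore.
COLLECTOR = "10.0.0.10"
SAMPLE_PACKETS = (
    [build_port_unreach(COLLECTOR, "10.0.1.5", 40000 + i, 541) for i in range(300)]
    + [build_port_unreach(COLLECTOR, "10.0.1.9", 50001, 162)] * 2
    + [build_ipv4_header("10.0.1.7", COLLECTOR, PROTO_UDP, 8) + struct.pack("!HHHH", 1, 514, 8, 0)]
    + [build_ipv4_header("10.0.1.8", COLLECTOR, PROTO_ICMP, 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)]
)


def demo() -> List[Tuple[str, int, int]]:
    return likely_misconfigured(summarize(SAMPLE_PACKETS))


if __name__ == "__main__":
    for sender, dport, n in demo():
        print(f"{sender} -> udp/{dport}: {n} port-unreachable replies")
```

If the flagged port is close to 514 or 162, a mistyped port on the log source is the usual explanation; if the port is right but the quoted destination is not the collector, the source is pointed at the wrong host. Either way the quoted inner header tells you which box to fix, which counting bare ICMP alarms does not.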

Thanks for the replies. The traffic is being seen as inbound TCP SYN Host Sweeps originating from various IP addresses from the outside.

I do have to correct the statement that the ICMP traffic correlates to web pages browsed. That is not the case.

Thanks!
