Cisco Support Community

large ICMP echo-request traffic to single dest address

Recently I have seen debug output from a Cisco PIX 525 (IOS 6.3) showing very large traffic of ICMP echo-requests to a single dest address, sourced from some addresses in the same subnet.

- Source addresses are from the same subnet, 10.x.1.0/24 (some Solaris machines on one of the PIX interfaces), and the dest address is 0.0.0.5

- Debug command used on the PIX: debug icmp trace

- Sample output line: ICMP echo-request from (PIX intf name):10.x.1.x to 0.0.0.5

What could be the reason for this traffic?

3 REPLIES

Re: large ICMP echo-request traffic to single dest address

Hello mulugetash,

Is there any issue due to this? I mean a CPU spike, etc.? This might be some DDoS attack or the Nachi worm, which generates huge ICMP traffic. Can you isolate the PC and see the result? Is there any IPS on your network which can pick up the name of the vulnerability, etc.?

Raj

Re: large ICMP echo-request traffic to single dest address

Hi sachinraja,

Actually there is no issue (problem) on the PIX, but the Solaris machines are in a cluster and they are too slow.

As to the IPS, there is McAfee HIPS and I may check it.

Any other comments?

Re: large ICMP echo-request traffic to single dest address

Hello mate,

Great. The Solaris machines are on the LAN anyway, for clustering, so there are no issues with the packets that show in the PIX logs. The PIX will not allow the packets to flow through it anyway, so no worries. Just check whether you can see these logs on the HIPS, and make sure to block them before they hit the PIX, which saves some CPU cycles for the firewall.

Raj
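
A small triage helper for the `debug icmp trace` output described in the question, as an added example that is not part of the original thread: it tallies echo-requests per source so the busiest hosts can be picked out for isolation, and flags destinations inside 0.0.0.0/8. The line format follows the sample line quoted in the question; the interface name `inside` and all addresses in `SAMPLE` are constructed.

```python
import ipaddress
import re
from collections import Counter

# Line shape from the sample in the question; trailing fields are ignored.
LINE_RE = re.compile(
    r"ICMP echo-request from (?P<intf>[^:\s]+):(?P<src>\d+\.\d+\.\d+\.\d+)"
    r" to (?P<dst>\d+\.\d+\.\d+\.\d+)"
)
# 0.0.0.0/8 ("this network") is not a valid destination address (RFC 1122).
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

def summarize(lines):
    """Return (Counter keyed by (intf, src, dst), set of dsts in 0.0.0.0/8)."""
    counts, invalid = Counter(), set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an echo-request trace line
        try:
            src, dst = (ipaddress.ip_address(m[k]) for k in ("src", "dst"))
        except ValueError:
            continue  # octet out of range, e.g. a corrupt line
        counts[(m["intf"], str(src), str(dst))] += 1
        if dst in THIS_NETWORK:
            invalid.add(str(dst))
    return counts, invalid

def top_sources(counts, dst, n=5):
    """Return the n busiest (source, count) pairs for one destination."""
    per_src = Counter()
    for (_intf, src, d), c in counts.items():
        if d == dst:
            per_src[src] += c
    return per_src.most_common(n)

# Constructed sample lines; interface name and addresses are made up.
SAMPLE = """\
ICMP echo-request from inside:10.9.1.11 to 0.0.0.5
ICMP echo-request from inside:10.9.1.12 to 0.0.0.5
ICMP echo-request from inside:10.9.1.11 to 0.0.0.5
ICMP echo-reply from outside:192.0.2.7 to 10.9.1.11
ICMP echo-request from inside:10.9.1.13 to 192.0.2.7
""".splitlines()

if __name__ == "__main__":
    counts, invalid = summarize(SAMPLE)
    for dst in sorted(invalid):
        print(dst, top_sources(counts, dst))
```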
