
ICMP Flooding

jstevensen
Level 1

I have a 2611xm with IOS/FW 12.4

After enabling IPS, I get the following when I show ip inspect sessions

Session 83E4AD08 (192.168.5.101:8)=>(192.168.240.251:0) icmp SIS_OPEN
Session 83C84EAC (192.168.5.101:8)=>(192.168.240.170:0) icmp SIS_OPEN
Session 83E4C2C8 (192.168.5.101:8)=>(192.168.240.217:0) icmp SIS_OPEN
Session 83E460E8 (192.168.5.101:8)=>(192.168.240.214:0) icmp SIS_OPEN
Session 83E41A38 (192.168.5.101:8)=>(192.168.240.186:0) icmp SIS_OPEN
Session 83E4DB40 (192.168.5.101:8)=>(192.168.241.26:0) icmp SIS_OPEN
Session 83C8E6EC (192.168.5.101:8)=>(192.168.240.155:0) icmp SIS_OPEN
Session 83C86724 (192.168.5.101:8)=>(192.168.240.153:0) icmp SIS_OPEN
Session 83E50C30 (192.168.5.101:8)=>(192.168.240.250:0) icmp SIS_OPEN
Session 83E41780 (192.168.5.101:8)=>(192.168.240.175:0) icmp SIS_OPEN
Session 83C8DC0C (192.168.5.101:8)=>(192.168.240.171:0) icmp SIS_OPEN
Session 83C8E9A4 (192.168.5.101:8)=>(192.168.240.191:0) icmp SIS_OPEN
Session 83E45608 (192.168.5.101:8)=>(192.168.240.187:0) icmp SIS_OPEN
Session 83E47138 (192.168.5.101:8)=>(192.168.241.31:0) icmp SIS_OPEN
Session 83E5FD68 (192.168.5.101:8)=>(192.168.240.164:0) icmp SIS_OPEN
Session 83C81024 (192.168.5.101:8)=>(192.168.241.79:0) icmp SIS_OPEN
Session 83E56528 (192.168.5.101:8)=>(192.168.241.69:0) icmp SIS_OPEN
Session 83E42A88 (192.168.5.101:8)=>(192.168.240.239:0) icmp SIS_OPEN
Session 83C8AB1C (192.168.5.101:8)=>(192.168.240.196:0) icmp SIS_OPEN
Session 83C84BF4 (192.168.5.101:8)=>(192.168.240.192:0) icmp SIS_OPEN
Session 83E5DF80 (192.168.5.101:8)=>(192.168.240.149:0) icmp SIS_OPEN
Session 83E5BEE0 (192.168.5.101:8)=>(192.168.240.139:0) icmp SIS_OPEN
Session 83C88254 (192.168.5.101:8)=>(192.168.240.181:0) icmp SIS_OPEN
Session 83C8DEC4 (192.168.254.161:138)=>(192.168.5.11:138) udp SIS_OPEN
Session 83C8B08C (192.168.5.101:8)=>(192.168.240.213:0) icmp SIS_OPEN
Session 83E4A798 (192.168.5.101:8)=>(192.168.240.209:0) icmp SIS_OPEN

My question is this: Why is it being allowed, and logged, but not prevented?

This machine obviously has a worm on it - but I'd like to at least be able to have the IPS block it till we can get to the machine.
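The session table above is the textbook shape of a ping sweep: one internal source, ICMP type 8 (echo request, which is what IOS shows in the source "port" field of an icmp inspect session), fanned out to dozens of distinct hosts in an adjacent range. Whether or not the IPS signature fires, that pattern is easy to pull out of the `show ip inspect sessions` output itself. The following script is an added example, not part of the original post or of Cisco's tooling: it parses session lines in the format shown, groups them by source, protocol and ICMP type, and reports any source that has open sessions to at least a threshold number of distinct destinations. The sample output is constructed for the example (session IDs and addresses modelled on the post), and the threshold of 10 hosts is an assumption to tune for your network.

```python
import re
from collections import defaultdict

# One line of `show ip inspect sessions` (CBAC) output. For icmp sessions IOS
# places the ICMP type in the source "port" position (8 = echo request) and the
# ICMP code in the destination position.
SESSION_RE = re.compile(
    r"^Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\)=>"
    r"\((?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\w+)\s*$"
)

# Constructed sample modelled on the lines in the post (not real router output).
SAMPLE = """Established Sessions
 Session 83E4AD08 (192.168.5.101:8)=>(192.168.240.251:0) icmp SIS_OPEN
 Session 83C84EAC (192.168.5.101:8)=>(192.168.240.170:0) icmp SIS_OPEN
 Session 83E4C2C8 (192.168.5.101:8)=>(192.168.240.217:0) icmp SIS_OPEN
 Session 83E460E8 (192.168.5.101:8)=>(192.168.240.214:0) icmp SIS_OPEN
 Session 83E41A38 (192.168.5.101:8)=>(192.168.240.186:0) icmp SIS_OPEN
 Session 83E4DB40 (192.168.5.101:8)=>(192.168.241.26:0) icmp SIS_OPEN
 Session 83C8E6EC (192.168.5.101:8)=>(192.168.240.155:0) icmp SIS_OPEN
 Session 83C86724 (192.168.5.101:8)=>(192.168.240.153:0) icmp SIS_OPEN
 Session 83E50C30 (192.168.5.101:8)=>(192.168.240.250:0) icmp SIS_OPEN
 Session 83E41780 (192.168.5.101:8)=>(192.168.240.175:0) icmp SIS_OPEN
 Session 83C8DC0C (192.168.5.101:8)=>(192.168.240.171:0) icmp SIS_OPEN
 Session 83C8E9A4 (192.168.5.101:8)=>(192.168.240.191:0) icmp SIS_OPEN
 Session 83C8DEC4 (192.168.254.161:138)=>(192.168.5.11:138) udp SIS_OPEN
"""


def parse_sessions(text):
    """Return one dict per recognised session line; headers and blanks are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        s = m.groupdict()
        s["sport"] = int(s["sport"])
        s["dport"] = int(s["dport"])
        sessions.append(s)
    return sessions


def find_sweeps(sessions, min_targets=10):
    """Map (src, proto, sport) -> sorted distinct destinations for sources that
    have open sessions to at least min_targets different hosts.

    For icmp the key's sport is the ICMP type, so an echo-request sweep shows
    up as (src, "icmp", 8). min_targets is an assumed threshold, not a Cisco value.
    """
    targets = defaultdict(set)
    for s in sessions:
        targets[(s["src"], s["proto"], s["sport"])].add(s["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def describe(sweeps):
    """Human-readable one-liners for each flagged source."""
    lines = []
    for (src, proto, sport), hosts in sorted(sweeps.items()):
        kind = "echo-request sweep" if (proto, sport) == ("icmp", 8) else f"{proto}/{sport} fan-out"
        lines.append(f"{src}: {kind} to {len(hosts)} hosts ({hosts[0]} .. {hosts[-1]})")
    return lines


if __name__ == "__main__":
    for line in describe(find_sweeps(parse_sessions(SAMPLE))):
        print(line)
```

Run it against the saved output of `show ip inspect sessions` (for example by replacing SAMPLE with the file contents) and it prints the sweeping host, its protocol and ICMP type, and the spread of targets; the single UDP/138 NetBIOS session from another host is not reported because it only reaches one destination. This is a triage aid for the state table the router already exposes, not a substitute for the IPS drop action the original poster is asking about.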

2 Replies

Fernando_Meza
Level 7

Hi .. check the signatures that relate to ICMP floods; they might be configured to alert and log only by default ..

I hope it helps .. please rate if it does !!!

What do I check for specifically? I read on Cisco.com that you can't configure it with the CLI:

Quote:

Action Configuration via CLI No Longer Supported

Cisco IOS IPS actions (such as resetting the TCP connection) can no longer be configured via CLI. If you are using the attack-drop.sdf signature file, the signatures are preset with actions to mitigate the attack by dropping the packet and resetting the connection, if applicable. If you are using VMS or SDM to deploy signatures to the router, you will need to tune the signatures to use the desired actions before the deployment.
