Cisco Support Community

Drastic increase in inbound ICMP Flood upon installation of MARS

Hello all,

We are seeing an increase in inbound ICMP Flood traffic that closely correlates to when a MARS 20 server went live. The inbound ICMP traffic seems to match web sites that users are browsing to. Has anyone seen anything like this and/or has an explanation as to why this is happening? The inbound ICMP traffic was nowhere near the level it is now before the MARS server came up.

Thanks in advance! All replies rated

3 REPLIES
New Member

Re: Drastic increase in inbound ICMP Flood upon installation of

IIRC, MARS will auto-discover/probe your network; maybe that is causing the floods?

Gold

Re: Drastic increase in inbound ICMP Flood upon installation of

Can you be more specific about the type of ICMP messages? Is this an IDS alarm that is firing? CSMARS supports collecting messages using SNMP-trap (udp port 162) and syslog (udp port 514). These types of messages can come fast and furious. If a reporting device is misconfigured and sending lots of messages via either method on the wrong port, then the CSMARS will reply with lots of ICMP port unreachable (type=3/code=3). This can also happen if the reporting device is sending the messages to the wrong host. The most likely culprit IME is Snare for Windows, which has a configurable port. I've seen it go completely bonkers and take down a switch.
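To check the port-unreachable explanation in the reply above, the sketch below (an added example, not part of the original post and not Cisco code) reads the UDP datagram quoted inside each ICMP type 3/code 3 message and tallies which reporting device sent to which host and port. The addresses, port 6161 and the function names are constructed for illustration; real input would be ICMP payloads taken from a packet capture.

```python
import socket
import struct
from collections import Counter

EXPECTED_PORTS = {514: "syslog", 162: "snmp-trap"}  # UDP ports named in the reply above

def parse_port_unreachable(icmp: bytes):
    """Return (reporter_ip, target_ip, udp_dport) quoted in a type 3/code 3 message, else None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3 or icmp[1] != 3:
        return None
    inner = icmp[8:]                 # quoted original IPv4 header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4      # IPv4 header length in bytes (options allowed)
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 17:
        return None                  # not IPv4/UDP, or the quote is truncated
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, dst, dport

def tally(messages):
    """Count rejected datagrams per (reporter, target, port)."""
    hits = Counter()
    for m in messages:
        parsed = parse_port_unreachable(m)
        if parsed:
            hits[parsed] += 1
    return hits

def build_sample(src, dst, dport, icmp_type=3, code=3):
    """Build a constructed ICMP message quoting a UDP datagram (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp

# Constructed sample data: documentation addresses, hypothetical wrong port 6161.
SAMPLES = ([build_sample("192.0.2.10", "192.0.2.50", 6161)] * 3      # right host, wrong port
           + [build_sample("192.0.2.11", "192.0.2.77", 514)]          # right port, wrong host
           + [build_sample("192.0.2.12", "192.0.2.50", 514, icmp_type=8, code=0)])  # echo, ignored

if __name__ == "__main__":
    for (src, dst, dport), n in tally(SAMPLES).most_common():
        label = EXPECTED_PORTS.get(dport, "unexpected port")
        print(f"{n:4d}  {src} -> {dst} udp/{dport} ({label})")
```

A reporter that dominates the tally with an unexpected port, or with a correct port aimed at a host that is not the collector, is the device whose logging configuration needs checking.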

Re: Drastic increase in inbound ICMP Flood upon installation of

Thanks for the replies. The traffic is being seen as inbound TCP SYN Host Sweeps originating from various IP addresses from the outside.

I do have to correct the statement that the ICMP traffic correlates to web pages browsed. That is not the case.

Thanks!
