Drastic increase in inbound ICMP Flood upon installation of MARS
We are seeing an increase in inbound ICMP Flood traffic that closely correlates to when a MARS 20 server went live. The inbound ICMP traffic seems to match web sites that users are browsing to. Has anyone seen anything like this and/or has an explanation as to why this is happening? The inbound ICMP traffic was nowhere near the level it is now before the MARS server came up.
Re: Drastic increase in inbound ICMP Flood upon installation of
Can you be more specific about the type of ICMP messages? Is this an IDS alarm that is firing? CSMARS supports collecting messages using SNMP-trap (udp port 162) and syslog (udp port 514). These types of messages can come fast and furious. If a reporting device is misconfigured and sending lots of messages via either method on the wrong port, then the CSMARS will reply with lots of ICMP port unreachable (type=3/code=3). This can also happen if the reporting device is sending the messages to the wrong host. The most likely culprit IME is Snare for Windows, which has a configurable port. I've seen it go completely bonkers and take down a switch.
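Added example, not part of either post above: an ICMP port unreachable quotes the IP header and first 8 bytes of the datagram that triggered it, so the quoted source, destination and UDP port show which reporting device is sending to the wrong port or host. The sketch below tallies those quotes from raw ICMP messages; the function names, addresses and port 6161 are constructed for illustration.

```python
import socket
import struct
from collections import Counter

EXPECTED_PORTS = {514, 162}  # syslog and SNMP-trap UDP ports named in the reply

def parse_port_unreachable(icmp: bytes):
    """Return (sender, target, udp_dst_port) quoted inside an ICMP type 3/code 3
    message, or None for other ICMP types or a quote that is not IPv4/UDP."""
    if len(icmp) < 36 or (icmp[0], icmp[1]) != (3, 3):
        return None
    inner = icmp[8:]                    # quoted IP header + first 8 bytes of UDP
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 17:
        return None
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), dport

def diagnose(messages):
    """Tally quoted datagrams per (sender, target, port), busiest first, with a likely cause."""
    counts = Counter(p for p in map(parse_port_unreachable, messages) if p)
    report = []
    for (src, dst, port), n in counts.most_common():
        cause = ("wrong host or nothing listening" if port in EXPECTED_PORTS
                 else "wrong port")
        report.append((src, dst, port, n, cause))
    return report

def sample_unreachable(src, dst, dport):
    """Constructed ICMP port unreachable quoting a UDP datagram (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

# Constructed sample data; addresses are from the 192.0.2.0/24 documentation range.
SAMPLES = ([sample_unreachable("192.0.2.10", "192.0.2.50", 6161)] * 3
           + [sample_unreachable("192.0.2.11", "192.0.2.51", 514)]
           + [bytes(36)])  # an ICMP echo reply (type 0), ignored by the parser

if __name__ == "__main__":
    for row in diagnose(SAMPLES):
        print("%s -> %s udp/%d  x%d  %s" % row)
```

The input is each message starting at the ICMP header, as a capture tool would hand it over after stripping the outer IP header.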