Hi. Over the last few days, our outgoing traffic has increased tremendously. On examination of our Netflow logs, a couple of our hosts seem to be transmitting big amounts of data with source and destination port 0 to a small number of external hosts. Is this a DoS attack originating from our hosts? Is there a legitimate reason for flows looking like this:

src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|6575|6637824|992379494|988086327
147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|5735|6088716|992379508|992381308

The protocol field is actually Cisco Netflow Collector's guess of the protocol, not an indication of actual packet format. I'm not sure whether these are indeed huge ICMP packets or something else, like data transfers. Some of these flows are tens of MBs in size.

Any assistance or recommendations would be very much appreciated indeed. Thank you very much for your time in advance.

-- Vangelis Haniotakis - Network & Communications Centre, University of Crete
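One way to triage records like the ones quoted above, as an added example that is not part of the original post: parse the pipe-delimited export, compute the average bytes per packet and the duration of each flow, and flag ICMP flows whose packets are far larger than an echo request/reply would normally be, flows carrying over a megabyte, and records whose end timestamp precedes the start (as the first quoted record does). The two ICMP records reuse the packet and byte counts from the post; the addresses (RFC 5737 documentation ranges, since the post masks them), the third benign ping flow, and the thresholds are constructed assumptions. Because the protocol field is only the collector's guess, a hit here is a reason to capture packets from the host, not a verdict.

```python
"""Triage pipe-delimited NetFlow records for oversized ICMP and bulk flows.

Added example for the question above; not code from the original post.
The two ICMP records reuse the counts quoted in the post; addresses and the
third (benign) flow are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: header from the post, then three records.
SAMPLE = """\
src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
192.0.2.10|203.0.113.7|0|0|ICMP|6575|6637824|992379494|988086327
192.0.2.10|203.0.113.8|0|0|ICMP|5735|6088716|992379508|992381308
192.0.2.20|203.0.113.9|0|0|ICMP|100|8400|992379600|992379699
"""

# A default ping is roughly 64-98 bytes on the wire; an ICMP flow that
# averages far above that is carrying a payload worth inspecting.
ICMP_PKT_SIZE_LIMIT = 256   # assumed threshold, bytes per packet
BULK_BYTES_LIMIT = 1_000_000  # assumed threshold, bytes per flow


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int
    start: int
    end: int

    @property
    def avg_pkt_size(self) -> float:
        return self.octets / self.packets if self.packets else 0.0

    @property
    def duration(self) -> int:
        return self.end - self.start


def parse_flows(text: str) -> list[Flow]:
    """Parse the collector's text export; skip blank lines and the header."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("src IP"):
            continue
        f = line.split("|")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields, got {len(f)}: {line}")
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), f[4].upper(),
                          int(f[5]), int(f[6]), int(f[7]), int(f[8])))
    return flows


def triage(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Return (flow, reasons) for every flow that deserves a closer look."""
    findings = []
    for fl in flows:
        reasons = []
        if fl.proto == "ICMP" and fl.avg_pkt_size > ICMP_PKT_SIZE_LIMIT:
            reasons.append(f"ICMP averaging {fl.avg_pkt_size:.0f} B/pkt")
        if fl.octets >= BULK_BYTES_LIMIT:
            reasons.append(f"{fl.octets / 1e6:.1f} MB in one flow")
        if fl.duration < 0:
            # End before start: collector or clock problem, not real traffic data.
            reasons.append("end timestamp precedes start (collector/clock issue)")
        if reasons:
            findings.append((fl, reasons))
    return findings


def bytes_per_source(flows: list[Flow]) -> dict[str, int]:
    """Total outbound bytes per internal source host, to rank which to look at first."""
    totals: dict[str, int] = {}
    for fl in flows:
        totals[fl.src] = totals.get(fl.src, 0) + fl.octets
    return totals


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for fl, reasons in triage(flows):
        print(f"{fl.src} -> {fl.dst} {fl.proto}: " + "; ".join(reasons))
    ranked = sorted(bytes_per_source(flows).items(), key=lambda kv: -kv[1])
    for src, total in ranked:
        print(f"{src}: {total} bytes outbound")
```

On the quoted records this reports about 1010 and 1062 bytes per packet, which is far larger than ordinary echo traffic, so the next step is a packet capture on the flagged hosts to see what the ICMP payloads actually contain.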
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 09:21:23 PDT