Re: Huge outgoing ICMP flows

From: Chris Ess (azarinat_private)
Date: Wed Jun 13 2001 - 10:59:11 PDT

    >  Hi.
    >
    >  Over the last few days, our outgoing traffic has increased tremendously.
    > On examination of our Netflow logs, a couple of our hosts seem to be
    > transmitting big amounts of data with source and destination port 0 to a
    > small number of external hosts.
    >
    
    ICMP doesn't use ports.  It instead uses types and codes.  I've lost my
    copy of the URL for IANA's documents.  Would someone be kind enough to
    post that?
    
    But type=0, code=0 (or is it the other way round?) is a ping.  If I'm
    interpreting your table correctly, there are 6,575 pings registered from
    one host and 5,735 from another.  So, yes, it is possible that these
    machines are being used for an ICMP ping DoS (AKA smurf attack).
    
    I would check to make sure that this is only coming from a few hosts
    rather than from all of them.  If you're getting ping traffic like that
    originating from all hosts on your subnet, you are (probably) being used
    for a DoS attack and you should configure your router to block external
    broadcast packets.  (I'm told it's easy, but I'm not very familiar with
    router hardware/software.)
    
    > src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
    > 147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|6575|6637824|992379494|988086327
    > 147.52.xxx.xxx|xxx.xxx.xxx.xxx|0|0|ICMP|5735|6088716|992379508|992381308
    
    
    This is my cursory examination of things.  Hopefully someone else can
    provide something more in depth.
    
    --CAE  Kujikenaikara!
    
    Sub caelo noctis sto quod stellae mihi spem dant.
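As an added example (not part of the original post or its author's code), a small Python triage script for the table layout quoted above: it parses the pipe-delimited flow records, decodes the ICMP type/code that Cisco NetFlow v5 exporters pack into the destination-port field (type*256+code, so a 0 there is type 0, echo reply, while echo request is type 8), flags echo flows above a packet threshold together with their average packet size, and totals echo packets per source host to answer the "a few hosts or all of them" question. It assumes the exporter follows that NetFlow v5 convention; the sample rows, addresses and threshold are constructed.

```python
from collections import defaultdict

# Constructed sample in the layout of the quoted Netflow table (documentation
# addresses, not the poster's hosts); row 1 keeps the post's end-before-start oddity.
SAMPLE_FLOWS = """\
src IP|dst IP|src port|dst port|prot|pkt count|flow sz|strt timestmp|end ts
192.0.2.10|198.51.100.7|0|0|ICMP|6575|6637824|992379494|988086327
192.0.2.11|198.51.100.7|0|0|ICMP|5735|6088716|992379508|992381308
192.0.2.12|198.51.100.9|0|2048|ICMP|12|1008|992379600|992379605
192.0.2.13|198.51.100.20|51234|80|TCP|40|38000|992379600|992379610
"""
ECHO_TYPES = (8, 0)           # ICMP echo request (8) and echo reply (0)
PING_PACKET_THRESHOLD = 1000  # constructed cutoff; tune to your own baseline


def decode_icmp(dst_port_field):
    """Cisco NetFlow v5 packs ICMP type/code into the dst-port field as type*256+code."""
    return divmod(int(dst_port_field), 256)


def parse_flows(text):
    """Parse pipe-delimited records; ICMP rows get 'type'/'code' decoded from the port field."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("src IP"):
            continue  # skip blank lines and the header row
        src, dst, sport, dport, proto, pkts, size, start, end = line.split("|")
        rec = {"src": src, "dst": dst, "proto": proto, "pkts": int(pkts),
               "bytes": int(size), "start": int(start), "end": int(end)}
        if proto == "ICMP":
            rec["type"], rec["code"] = decode_icmp(dport)
        flows.append(rec)
    return flows


def suspicious_echo_flows(flows, threshold=PING_PACKET_THRESHOLD):
    """Echo flows above the threshold, with average packet size and a clock-skew flag."""
    hits = []
    for f in flows:
        if f["proto"] == "ICMP" and f.get("type") in ECHO_TYPES and f["pkts"] > threshold:
            hits.append({"src": f["src"], "dst": f["dst"], "type": f["type"],
                         "pkts": f["pkts"], "avg_bytes": f["bytes"] // f["pkts"],
                         "clock_skew": f["end"] < f["start"]})  # end before start
    return hits


def echo_packets_by_source(flows):
    """Total echo packets per source host: a few hosts vs. the whole subnet."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == "ICMP" and f.get("type") in ECHO_TYPES:
            totals[f["src"]] += f["pkts"]
    return dict(totals)
```

The two flagged rows average roughly a kilobyte per packet, far above a default ping payload, which is worth noting alongside the raw packet counts when deciding whether the hosts are flooding or being flooded.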
    



    This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 10:04:10 PDT