Chris Ess wrote:
>
> > Hi.
> >
> > Over the last few days, our outgoing traffic has increased tremendously.
> > On examination of our Netflow logs, a couple of our hosts seem to be
> > transmitting big amounts of data with source and destination port 0 to a
> > small number of external hosts.
>
> ICMP doesn't use ports. It instead uses types and codes. I've lost my
> copy of the URL for iana's documents. Would someone be kind enough to
> post that?

http://www.iana.org/numbers.html

Great reference link to keep around.

> But type=0, code=0 (or is it the other way round?) is a ping. If I'm
> interpreting your table correctly, there are 6,575 pings registered from
> one host and 5,735 from another. So, yes, it is possible that these
> machines are being used for an ICMP ping DoS (AKA smurf attack).
>
> I would check to make sure that this is only coming from a few hosts
> rather than from all of them. If you're getting ping traffic like that
> originating from all hosts on your subnet, you are (probably) being used
> for a DoS attack and you should configure your router to block external
> broadcast packets.

Ooo, forgot about broadcast addresses. I've had my broadcast addresses
blocked for so long I'd forgotten about them.

--
| Bryan Andersen | bryanat_private | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
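The check Chris suggests, written out as an added example that is not part of the thread: parse NetFlow-style records, pick out the ICMP echo replies (type 0) leaving the local subnet, and decide whether they come from a few chatty hosts (more likely compromised machines) or from most of the subnet (more likely the subnet is answering spoofed broadcast pings as a smurf amplifier). It assumes NetFlow v5's convention of storing ICMP type and code in the destination-port field as type*256+code, a constructed set of flow records, and 10.1.1.0/24 as the local network.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (not real logs):
# src,dst,proto,sport,dport,packets. For ICMP (proto 1), NetFlow v5 is
# assumed to encode type*256+code in dport, so dport 0 = echo reply (type 0).
FLOWS = """\
10.1.1.5,198.51.100.9,1,0,0,6575
10.1.1.7,198.51.100.9,1,0,0,5735
10.1.1.8,203.0.113.4,6,443,51234,40
10.1.1.9,203.0.113.4,17,53,33000,3
"""
LOCAL_NET = ip_network("10.1.1.0/24")  # assumed local subnet

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, pkts = line.split(",")
        flow = {"src": src, "dst": dst, "proto": int(proto), "pkts": int(pkts)}
        if flow["proto"] == 1:  # ICMP: recover type/code from the dport field
            flow["icmp_type"], flow["icmp_code"] = int(dport) >> 8, int(dport) & 0xFF
        flows.append(flow)
    return flows

def echo_reply_senders(flows):
    """Per local host: outbound echo-reply packets and the external targets hit."""
    per_host = defaultdict(lambda: {"pkts": 0, "targets": set()})
    for f in flows:
        if f["proto"] != 1 or f.get("icmp_type") != 0:
            continue
        if ip_address(f["src"]) in LOCAL_NET and ip_address(f["dst"]) not in LOCAL_NET:
            per_host[f["src"]]["pkts"] += f["pkts"]
            per_host[f["src"]]["targets"].add(f["dst"])
    return dict(per_host)

def classify(per_host, local_host_count, min_pkts=1000):
    """A few noisy hosts -> 'compromised-hosts'; most of the subnet -> 'amplifier'."""
    noisy = {h: v for h, v in per_host.items() if v["pkts"] >= min_pkts}
    if not noisy:
        return "normal", noisy
    if len(noisy) / local_host_count >= 0.5:
        return "amplifier", noisy  # block directed broadcasts at the router
    return "compromised-hosts", noisy  # investigate the individual machines

if __name__ == "__main__":
    verdict, hosts = classify(echo_reply_senders(parse_flows(FLOWS)), local_host_count=50)
    print(verdict, {h: v["pkts"] for h, v in hosts.items()})
```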
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 16:00:27 PDT