Re: ICMP flood - how to cure?
From: karl [x y] (jamescagney90210@excite.com) Date: 08/01/02
From: "karl [x y]" <jamescagney90210@excite.com> Date: Thu, 1 Aug 2002 08:40:37 -0400
"aptrsn" <busn66@hotmail.com> wrote in message
news:UkW19.10754$Ru5.5898@rwcrnsc52.ops.asp.att.net...
> Greetings,
>
> Recently I was reviewing our firewall logs when I came
> across a huge number of ICMP packets marked destination unreachable and
> port unreachable. I tracked it down to a Windows NT workstation and confirmed
> it as the offender by removing it from the network. The machine is running
> Innoculate and has the most recent update as far as signature file and
> after running a full scan it came up clean. However, after reattaching the
> machine to the network it began to send out the ICMP packets again. The only thing
> I can figure is that recently, AIM was installed on the PC and that there is
> some kind of spyware that is trying to attach to an unspecified AOL
> server.
> Is there a way to track down an application that is sending the ICMP
> packets?
Installing Sygate Personal Firewall temporarily would tell you what is
originating those ICMP packets.
This is not as good, but if you don't like that option, installing Network
Monitor [included with Windows] from Control Panel, Network [I think] would
let you see the flow of network traffic to and from that machine and details
about the contents of the packets, though you'd have to guess what was
sending the information out. Installing a sniffer like Ethereal or Windump
would do the same thing.
ICMP packets can theoretically be a sign of an ICMP hacker tunnelling tool
such as Loki. If you look at the packet captures from any of the sniffers
above, this can help you confirm that this is not what is happening. How to
tell real ICMP traffic from ICMP tunnelled traffic is described somewhat in
the book Incident Response. Using a good IDS such as Snort might help
determine this as well. I'm guessing this is probably not what is happening
but thought I'd mention it just in case. Hopefully you are blocking ICMP at
the firewall, for this reason.
Another poster recommended Tripwire. The only good free Windows file change
monitor I know of [if price is important to you] is Languard file integrity
checker from www.gfi.com. Possibly it isn't as secure as Tripwire, but it
is free and better than nothing; I recommend it. You could search your
system for files that have changed in the past 1 to 3 days; that is also
better than nothing.
Using Fport from foundstone.com would not help you track down the ICMP, but
might help you confirm or deny whether there has been an intrusion on the
machine.
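An added example, not part of the thread: ICMP destination-unreachable messages (type 3) quote the IP header and first 8 bytes of the datagram that triggered them, so a sniffer capture of the workstation's port-unreachable replies already reveals which remote host and which local port are provoking them. The parser below decodes that embedded datagram from raw IPv4 frames; the packets are constructed samples, and the addresses and ports are assumed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero (not verified here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def port_unreachable(src, dst, inner_src, inner_dst, sport, dport):
    # Constructed sample: ICMP type 3 code 3 quoting the UDP datagram that
    # triggered it (inner IP header + first 8 bytes, as RFC 792 requires).
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = ipv4_header(inner_src, inner_dst, 17, len(udp)) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def parse_icmp(frame):
    # Describe one ICMP message from a raw IPv4 frame; None if not ICMP.
    if frame[9] != 1:
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    rec = {"src": str(IPv4Address(frame[12:16])), "dst": str(IPv4Address(frame[16:20])),
           "type": icmp[0], "code": icmp[1]}
    if rec["type"] == 3:
        inner = icmp[8:]                      # quoted original datagram
        inner_ihl = (inner[0] & 0x0F) * 4
        rec["inner_proto"] = inner[9]
        rec["inner_src"] = str(IPv4Address(inner[12:16]))   # who sent to us
        rec["inner_dst"] = str(IPv4Address(inner[16:20]))
        if inner[9] in (6, 17):               # TCP/UDP: ports are the first 4 bytes
            rec["inner_sport"], rec["inner_dport"] = struct.unpack(
                "!HH", inner[inner_ihl:inner_ihl + 4])
    return rec

def unreachable_triggers(frames):
    # Count (remote host, local port) pairs provoking port-unreachable replies;
    # the top entry is what to look for next with the sniffer or personal firewall.
    counts = Counter()
    for f in frames:
        r = parse_icmp(f)
        if r and r["type"] == 3 and r["code"] == 3 and "inner_dport" in r:
            counts[(r["inner_src"], r["inner_dport"])] += 1
    return counts

# Constructed capture: workstation 192.168.1.50 answering two remote hosts.
SAMPLE = [port_unreachable("192.168.1.50", "10.0.0.7", "10.0.0.7", "192.168.1.50", 4000, 5000)] * 3
SAMPLE.append(port_unreachable("192.168.1.50", "10.0.0.9", "10.0.0.9", "192.168.1.50", 5353, 1900))
```

If the counts point at one remote host hammering a closed UDP port, the workstation is replying rather than initiating, which changes where to look.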