Incidents mailing list

Thread: Tracking down random ICMP
- Tracking down random ICMP, Jan 22 2007 01:19PM, Craig Chamberlain (craig chamberlain Q1Labs com) (3 replies)
- Re: Tracking down random ICMP, Jan 23 2007 03:32PM, Valdis Kletnieks vt edu (2 replies)
- Re: Tracking down random ICMP, Jan 25 2007 12:13PM, Javier Fernández-Sanguino (jfernandez germinus com) (1 reply)
- Re: Tracking down random ICMP, Jan 25 2007 05:20PM, Valdis Kletnieks vt edu (2 replies)
- DoS attacks using ports 31800, 31900 ?, Feb 02 2007 06:27PM, David Gillett (gillettdavid fhda edu) (1 reply)
- Re: Tracking down random ICMP, Jan 23 2007 09:37PM, Jose Nazario (jose monkey org) (1 reply)
>
> Seem to be seeing more random bursts of ICMP traffic - sometimes
> unidirectional - with remote destinations that are mostly inexplicable.
> Wondering if it's a covert control channel of some sort - if so I can
> see why they chose ICMP - often allowed through firewalls and it
> seems to be hard to determine the originating process in Windows.
>
> Is there a tool that can determine which process ID is generating ICMP
> packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and
> netstat apparently can't do it.
How have you established the source system? Just through the IP
address (easily forged for ICMP traffic), or have you tracked it down
with MAC addresses and gotten on the switch to verify?
ICMP doesn't open a socket like TCP does, so it might indeed be hard
to verify. One way (and there may be better ones) would be to start
with a process listing on the source system and work through a process
of elimination. In general, ICMP bursts are frequently due to
misconfigured or broken equipment, but certainly not always.
--
Kyle Maxwell [krmaxwell (at) gmail (dot) com]
http://caffeinatedsecurity.com/blog/
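To make the two checks in the reply concrete (confirm the source by MAC rather than by the easily forged IP, then pick the hosts to start eliminating on), here is an added example that is not part of the thread; the ARP/DHCP table, the packet records and the function names are all constructed for illustration.

```python
# Added example, not from the thread: correlate ICMP records with the ARP/DHCP
# table to catch forged source IPs, and flag echo-request bursts per host.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ARP/DHCP snapshot: the MAC each internal IP should be seen from.
KNOWN_MACS = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "00:11:22:33:44:99"}

# Constructed capture summary: (timestamp, src_mac, src_ip, dst_ip, icmp_type).
PACKETS = [
    ("2007-01-22 13:00:00", "00:11:22:33:44:55", "10.0.0.5", "203.0.113.7", 8),
    ("2007-01-22 13:00:01", "00:11:22:33:44:55", "10.0.0.5", "203.0.113.7", 8),
    ("2007-01-22 13:00:02", "00:11:22:33:44:55", "10.0.0.5", "203.0.113.7", 8),
    ("2007-01-22 13:00:03", "00:11:22:33:44:55", "10.0.0.5", "203.0.113.7", 8),
    ("2007-01-22 13:00:04", "00:11:22:33:44:55", "10.0.0.5", "203.0.113.7", 8),
    ("2007-01-22 13:05:00", "aa:bb:cc:dd:ee:ff", "10.0.0.9", "198.51.100.2", 8),
    ("2007-01-22 13:30:00", "00:11:22:33:44:99", "10.0.0.9", "10.0.0.1", 0),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def check_mac_consistency(packets, known_macs):
    """Source IPs seen from a MAC other than the one on record: likely forged."""
    mismatches = set()
    for _, mac, src, _, _ in packets:
        expected = known_macs.get(src)
        if expected is not None and mac.lower() != expected.lower():
            mismatches.add(src)
    return mismatches

def find_bursts(packets, threshold=5, window_s=10):
    """(src, dst) pairs sending >= threshold echo requests within window_s seconds."""
    times = defaultdict(list)
    for ts, _, src, dst, icmp_type in packets:
        if icmp_type == 8:  # echo requests only: the side that initiates
            times[(src, dst)].append(parse(ts))
    bursts = set()
    for pair, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= timedelta(seconds=window_s):
                bursts.add(pair)
                break
    return bursts

if __name__ == "__main__":
    print("possibly forged source IPs:", check_mac_consistency(PACKETS, KNOWN_MACS))
    print("echo-request bursts:", find_bursts(PACKETS))
```

Hosts that pass the MAC check and still show up in the burst list are the ones worth taking a process listing from; a mismatch means the IP alone does not identify the sender and the switch port table is the next place to look.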