Incidents
Tracking down random ICMP Jan 22 2007 01:19PM
Craig Chamberlain (craig chamberlain Q1Labs com) (3 replies)
Re: Tracking down random ICMP Feb 02 2007 11:25PM
Frank Knobbe (frank knobbe us)
Re: Tracking down random ICMP Jan 23 2007 03:32PM
Valdis Kletnieks vt edu (2 replies)
Re: Tracking down random ICMP Jan 25 2007 12:13PM
Javier Fernández-Sanguino (jfernandez germinus com) (1 replies)
Re: Tracking down random ICMP Jan 25 2007 05:20PM
Valdis Kletnieks vt edu (2 replies)
DoS attacks using ports 31800, 31900 ? Feb 02 2007 06:27PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: DoS attacks using ports 31800, 31900 ? Feb 06 2007 03:36PM
Deapesh Misra (deapesh gmail com)
Attempted FTP intrusion Jan 31 2007 05:43PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: Attempted FTP intrusion Jan 31 2007 10:09PM
Tillmann Werner (tillmann werner gmx de)
Re: Tracking down random ICMP Jan 23 2007 09:37PM
Jose Nazario (jose monkey org) (1 replies)
Re: Tracking down random ICMP Jan 24 2007 01:05AM
Bojan Zdrnja (bojan zdrnja gmail com) (1 replies)
Re: Tracking down random ICMP Feb 09 2007 12:17AM
Jean-Baptiste Marchand (jbm lists gmail com)
Re: Tracking down random ICMP Jan 23 2007 03:50AM
Kyle Maxwell (krmaxwell gmail com)
On 1/22/07, Craig Chamberlain <craig.chamberlain (at) q1labs (dot) com [email concealed]> wrote:
>
> Seem to be seeing more random bursts of ICMP traffic - sometimes
> unidirectional - with remote destinations that are mostly inexplicable.
> Wondering if it's a covert control channel of some sort - if so I can
> see why they chose ICMP - often allowed through firewalls and it is
> seems to be hard to determine the originating process in Windows.
>
> Is there a tool that can determine which process ID is generating ICMP
> packets or IRPs in Windows? TDImon seems to be TCP/UDP only. TCPview and
> netstat apparently can't do it.

How have you established the source system? Just through the IP
address (easily forged for ICMP traffic), or have you tracked it down
with MAC addresses and getting on the switch to verify?

ICMP doesn't open a socket like TCP does, so it might indeed be hard
to verify. One way (and there may be better ones) would be to start
with a process listing on the source system and work through process
of elimination. In general, ICMP bursts are frequently due to
misconfigured or broken equipment, but certainly not always.

--
Kyle Maxwell [krmaxwell (at) gmail (dot) com [email concealed]]
http://caffeinatedsecurity.com/blog/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus