ICMP Hard Error DoS ?
  • ICMP Hard Error DoS ?

    Today, I've found an ongoing stream of these errors in our C877.
    Addresses changed to protect the innocent (us) but not the guilty.


    044986: Mar 30 13:04:53.107 AEST: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [123.2.173.147:0 -> 150.101.xxx.yyy:0]
    044994: Mar 30 13:09:55.014 AEST: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [123.2.173.147:0 -> 150.101.xxx.yyy:0]
    044995: Mar 30 13:09:56.474 AEST: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [123.2.173.147:0 -> 150.101.xxx.yyy:0]


    They've been going for almost 2 hours now. Initially, I had aggressive entries as well:
    044833: Mar 30 11:22:23.353 AEST: %FW-4-ALERT_ON: getting aggressive, count (52/500) current 1-min rate: 501
    044835: Mar 30 11:22:47.087 AEST: %FW-4-ALERT_OFF: calming down, count (55/400) current 1-min rate: 191
    044840: Mar 30 11:24:56.202 AEST: %FW-4-ALERT_ON: getting aggressive, count (56/500) current 1-min rate: 501


    but it's not happening so much right now. Right at the start of the day, it was thoroughly trashing our inbound and outbound connectivity, to the point where Exchange couldn't even drop mail to the ISP's mailserver.

    Is it a concern, or what could I do about it?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: ICMP Hard Error DoS ?

    Only guessing here but:

    Look up that IP address to see if you can find out who they are. DNSStuff etc.
    DoS = Denial of Service; in your case ICMP flooding looks likely. Can you block that IP with your ACLs? I would speak to your ISP and get them to block/check too.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?
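Taking the OP's log lines and Andy's ACL suggestion together, here is an added example (not code from the thread, from Petri or from Cisco) that parses IOS IPS `%IPS-4-SIGNATURE` and CBAC `%FW-4-ALERT_ON/OFF` messages like the ones quoted above, counts signature hits per source address, works out how long the stream lasted, and emits the IOS extended ACL lines that would drop ICMP from one offender. The sample log is constructed from the quoted lines with the masked destination replaced by a TEST-NET address; the function names and the ACL name BLOCK-ICMP-FLOOD are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the IOS messages quoted in the thread.
# Destination 192.0.2.10 is a TEST-NET placeholder for the masked 150.101.xxx.yyy.
SAMPLE_LOG = """\
044833: Mar 30 11:22:23.353 AEST: %FW-4-ALERT_ON: getting aggressive, count (52/500) current 1-min rate: 501
044835: Mar 30 11:22:47.087 AEST: %FW-4-ALERT_OFF: calming down, count (55/400) current 1-min rate: 191
044986: Mar 30 13:04:53.107 AEST: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [123.2.173.147:0 -> 192.0.2.10:0]
044994: Mar 30 13:09:55.014 AEST: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [123.2.173.147:0 -> 192.0.2.10:0]
044995: Mar 30 13:09:56.474 AEST: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:4 ICMP Hard Error DoS [123.2.173.147:0 -> 192.0.2.10:0]
044997: Mar 30 13:10:01.000 AEST: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Sequence number and timestamp prefix IOS puts on every syslog line (no year).
TS_RE = re.compile(r"^\s*\d+: (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ [A-Z]+:")
# IOS IPS signature hit: signature, sub-signature, name and the address pair.
IPS_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)
# CBAC half-open session alert going on or off, with its counters.
FW_RE = re.compile(
    r"%FW-\d-ALERT_(?P<state>ON|OFF): .*?count \((?P<count>\d+)/(?P<thresh>\d+)\) "
    r"current 1-min rate: (?P<rate>\d+)"
)


def parse_line(line):
    """Return a dict for one IPS or FW event, or None for any other syslog line."""
    ts_m = TS_RE.match(line)
    # Year is absent in IOS timestamps; strptime defaults to 1900, fine for deltas within a day.
    ts = datetime.strptime(ts_m.group("ts"), "%b %d %H:%M:%S") if ts_m else None
    m = IPS_RE.search(line)
    if m:
        return {"kind": "ips", "ts": ts, "sig": int(m["sig"]), "subsig": int(m["subsig"]),
                "name": m["name"], "src": m["src"], "dst": m["dst"]}
    m = FW_RE.search(line)
    if m:
        return {"kind": "fw", "ts": ts, "state": m["state"], "count": int(m["count"]),
                "threshold": int(m["thresh"]), "rate": int(m["rate"])}
    return None


def summarize(log_text):
    """Aggregate IPS hits per source/signature and the CBAC aggressive-mode activity."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    ips = [e for e in events if e["kind"] == "ips"]
    fw = [e for e in events if e["kind"] == "fw"]
    times = [e["ts"] for e in ips if e["ts"]]
    return {
        "by_source": Counter(e["src"] for e in ips),
        "signatures": Counter((e["sig"], e["subsig"], e["name"]) for e in ips),
        "duration_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
        "fw_aggressive_on": sum(1 for e in fw if e["state"] == "ON"),
        "max_fw_rate": max((e["rate"] for e in fw), default=0),
    }


def top_offenders(summary, min_hits=3):
    """Sources with at least min_hits signature hits, busiest first."""
    return [(src, n) for src, n in summary["by_source"].most_common() if n >= min_hits]


def suggest_acl(src, acl_name="BLOCK-ICMP-FLOOD"):
    """IOS extended ACL that drops (and logs) ICMP from one offender, then permits the rest.
    Apply inbound on the WAN interface; as the OP notes, the router still has to evaluate it."""
    return [f"ip access-list extended {acl_name}",
            f" deny icmp host {src} any log",
            " permit ip any any"]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"IPS stream lasted {s['duration_seconds']:.0f}s, "
          f"CBAC went aggressive {s['fw_aggressive_on']}x (peak 1-min rate {s['max_fw_rate']})")
    for src, n in top_offenders(s):
        print(f"{src}: {n} hits")
        print("\n".join(suggest_acl(src)))
```

Pipe the router's syslog into `summarize()` rather than the constructed sample to see which sources dominate; the duration and hit count are what an ISP abuse desk will ask for, and the ACL is the on-router fallback if upstream filtering is refused.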



    • #3
      Re: ICMP Hard Error DoS ?

      The ISP was the first people we spoke to. They can only block an entire range, not a specific IP (oh really?), and weren't really inclined to do so.
      I also spent over an hour on the phone with Dodo trying to speak to someone in their abuse department. Wow, that was an interesting experience.
      "Yes, look, a Dodo client with a static IP is sending denial of service requests..."
      "So you have moved your service to Dodo?"

      It actually stopped about 3pm, so I can only hope Dodo shut down whoever it was.

      We did think about an ACL, but the problem there is it would still have hit our router for the ACL to process it.