ICMP flooding caused by SG500

Hi all

Yesterday, I installed a Cisco SG500-28 switch as an L3 routing switch in our "core".

Today, every client that uses this switch as its default gateway gets an "ICMP flood attack" message from our company's ESET firewall security.

Is there a setting that I can change on the switch to get rid of this message?

Thanks in advance!

Best regards

Dan

Hello

Would it be possible that the ICMP flood reported by your client-based IPS consists of "ICMP redirect" messages (Type 5)?

These are normally sent by routers or switch virtual interfaces when the routing logic detects that another router on the same subnet as the receiving interface is a better router for the clients.

Depending on the amount of traffic involved, this can cause CPU load on the switches; at least on the Catalyst series, redirects are sent by the CPU and not by the ASICs.

On IOS, this behavior can be disabled with the command "no ip redirects", something I'd like to see on the small business L3 switches too (in combination with several IPs per SVI...).
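As an added example (not code from this thread), a small Python decoder that tells Type 5 redirects apart from echo traffic: it parses IPv4/ICMP frames, pulls the better gateway and the destination a redirect was issued for, and counts messages per source and type so a "flood" alert on a client can be checked against what the gateway SVI is actually sending. All addresses and frames are constructed inline.

```python
"""Decode IPv4/ICMP frames and tell Type 5 redirects apart from echo traffic.
Added example, not code from the thread; sample frames are constructed below."""
import struct
import ipaddress
from collections import Counter

ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-network", 3: "tos-host"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def build_redirect(gateway: str, code: int, orig_dgram: bytes) -> bytes:
    """ICMP Redirect: type 5, code, checksum, gateway, original IP hdr + 8 B."""
    body = struct.pack("!BBH4s", 5, code, 0, ipaddress.IPv4Address(gateway).packed)
    body += orig_dgram[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_echo(icmp_type: int, seq: int) -> bytes:
    """ICMP echo request (8) or reply (0) with identifier 0x1234."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + b"ping"
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(frame: bytes) -> dict:
    """Decode one IPv4 frame into a small record; non-ICMP frames are marked."""
    ihl = (frame[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(frame[12:16]))
    if frame[9] != 1:                      # protocol 1 == ICMP
        return {"src": src, "icmp": False}
    icmp = frame[ihl:]
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    rec = {"src": src, "icmp": True, "type": itype, "code": code,
           "name": ICMP_TYPES.get(itype, "other"),
           "checksum_ok": icmp_checksum(icmp) == 0}
    if itype == 5:
        # A redirect carries the better next hop plus the header of the
        # datagram that triggered it, so we can see which destination it was for.
        rec["gateway"] = str(ipaddress.IPv4Address(icmp[4:8]))
        rec["redirect_kind"] = REDIRECT_CODES.get(code, "unknown")
        rec["for_dst"] = str(ipaddress.IPv4Address(icmp[24:28]))
    return rec


def summarize(frames) -> Counter:
    """Count valid ICMP messages by (source, type name).  A 'flood' that is
    all redirects from the gateway SVI points at routing, not at an attack."""
    counts = Counter()
    for frame in frames:
        rec = parse_icmp(frame)
        if rec["icmp"] and rec["checksum_ok"]:
            counts[(rec["src"], rec["name"])] += 1
    return counts


# Constructed sample (made-up addresses): client 192.168.1.50 talks to 10.0.0.9
# through SVI 192.168.1.1, which knows 192.168.1.254 is the better next hop and
# answers each packet with a host redirect; one echo reply comes from the server.
CLIENT, SVI, BETTER_GW, SERVER = "192.168.1.50", "192.168.1.1", "192.168.1.254", "10.0.0.9"
ORIGINAL = build_ipv4(CLIENT, SERVER, 6, b"\x00" * 8)   # the datagram being redirected
SAMPLE_FRAMES = [build_ipv4(SVI, CLIENT, 1, build_redirect(BETTER_GW, 1, ORIGINAL))
                 for _ in range(3)]
SAMPLE_FRAMES.append(build_ipv4(SERVER, CLIENT, 1, build_echo(0, 1)))

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_FRAMES).items()):
        print("%-15s %-16s %d" % (key[0], key[1], n))
```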

Tags: Cisco Support

Similar Questions

  • Local Area Connection adapter is being ICMP flooded?

    Ethernet

    Hi Allan381,
    We need more information on your issue.
    However, it seems that you have questions about your server.
    I suggest that you post this question here:
    http://social.technet.Microsoft.com/search/en-us/?query=ICMP&refinement=112&AC=3
    B Eddie

  • Signatures of the flood

    Hi all!

    I am trying to implement the Net flood signatures. I activated the following signatures: 6902/0, 6903/0, 6910/0-6920/0:

    signatures 6903 0

    status

    enabled true

    exit

    exit

    signatures 6910 0

    status

    enabled true

    exit

    exit

    signatures 6920 0

    status

    enabled true

    exit

    exit

    All the signatures mentioned have 'Event count key' and 'Summary key' defined as 'attacker and victim addresses'.

    But in the event store, I got events that do not mention the participants of my simple attack (performed with the help of nmap):

    evIdsAlert: eventId=1238425548375713811 severity=informational vendor=Cisco

    originator:

    hostId: ips4255

    appName: sensorApp

    appInstanceId: 405

    time: 10 May 2009 19:22:50 UTC offset=360 timeZone=GMT+06:00

    signature: description=Net ICMP Flood id=6903 version=S4 type=other created=20010725

    subsigId: 0

    marsCategory: back/network/ICMP

    interfaceGroup: vs0

    vlan: 0

    participants:

    alertDetails: MaxPPS during this interval: 4;

    I see an attack, but I do not see an attacker or a victim.

    I tested these signatures on an IDS-4215 and an IPS-4255 with software versions 5.0000 E3 and 1.0000 E3 in promiscuous mode. The results were the same.

    Can anyone explain why the participants field is empty? How can it be filled with real-world information?

    In the hope of seeing a solution,

    Maxim

    The Net flood engine is coded to study the entire network (all traffic monitored by the virtual sensor). Net flood signatures cannot be configured to keep track of individual addresses because the engine was simply not built to do that. The engine does not track addresses at all; it just follows packet counts/rates for specific protocols.

    You can try using the Host flood engine signatures, but even then I don't know if it will work exactly as you hope. Most of the flood signatures have been hard coded to look for specific types of traffic and there is little that a user can change in those signatures to alter their behaviour.

  • Oversized packets can cause packet loss with Dell PC6248

    Hello

    We are seeing packet loss on our voice network, which sometimes causes the phones to sound broken up.  This could be the result of oversized packets (more details below).  On a separate note, if I transfer images using Windows Deployment Services multicast it floods all ports (so I no longer do that :-).  I had initially enabled IGMP but it caused the switch to lock up at random, which may have been related to the earlier firmware.

    We have a fairly simple network:

    1. 3 Dell PC6248s connected in a star topology (1 distribution and 2 access switches), connected together with LAG trunks and running the latest firmware.
    2. Several VLANs: voice VLAN (100) for the IP phones, production data on VLAN 1, dev on VLAN 5.
    3. IP phones are mainly Aastra 9133i with some Polycom.

    I dug further and we are seeing a number of 'oversized packets' on the LAG trunks.  I was wondering if that is the origin of the dropped packets.  If yes, can I change the MTU size to 1522 (I read that VLAN tagging adds 4 bytes to the default MTU of 1518) or is there a configuration error I am forgetting somewhere?

      • show rmon statistics port-channel 1
        
        Port: ch1
        Dropped: 0
        Octets: 3436040607
        Packets: 947867566
        Broadcast: 1158102
        Multicast: 24535676
        CRC Align Errors: 0
        Collisions: 0
        Undersize Pkts: 0
        Oversize Pkts: 43969059
        Fragments: 0
        Jabbers: 0
        64 Octets: 24107589
        65 - 127 Octets: 868940536
        128 - 255 Octets: 133380606
        256 - 511 Octets: 76138498
        512 - 1023 Octets: 90380909
        1024 - 1518 Octets: 72636117
        
      • show statistics port-channel 1
        
        Total Packets Received (Octets)................ 175230301131
        Packets Received > 1518 Octets................. 43968808
        Packets RX and TX 64 Octets.................... 24107385
        Packets RX and TX 65-127 Octets................ 868914890
        Packets RX and TX 128-255 Octets............... 133371613
        Packets RX and TX 256-511 Octets............... 76133886
        Packets RX and TX 512-1023 Octets.............. 90379490
        Packets RX and TX 1024-1518 Octets............. 72634059
        Packets RX and TX 1519-2047 Octets............. 4344763899
        Packets RX and TX 2048-4095 Octets............. 0
        Packets RX and TX 4096-9216 Octets............. 0
        
        Total Packets Received Without Errors.......... 947838588
        Unicast Packets Received....................... 922145059
        Multicast Packets Received..................... 24535481
        Broadcast Packets Received..................... 1158048
        
        Total Packets Received with MAC Errors......... 0
        Jabbers Received............................... 0
        Fragments/Undersize Received................... 0
        Alignment Errors............................... 0
        FCS Errors..................................... 0
        Overruns....................................... 0
        802.3x Pause Frames Received................... 0
        Unacceptable Frame Type........................ 0
        
        Total Packets Transmitted (Octets)............. 6732668920146
        Packets Transmitted > 1518 Octets ............. 5827795
        Max Frame Size................................. 1518
        
        Total Packets Transmitted Successfully......... 367499338
        Unicast Packets Transmitted.................... 4651719996
        Multicast Packets Transmitted.................. 5064125
        Broadcast Packets Transmitted.................. 5682513
        
        Total Transmit Errors.......................... 0
        FCS Errors..................................... 0
        Underrun Errors................................ 0
        
        Total Transmit Packets Discarded............... 0
        Single Collision Frames........................ 0
        Multiple Collision Frames...................... 0
        Excessive Collision Frames..................... 0
        
        802.3x Pause Frames Transmitted................ 0
        GVRP PDUs received............................. 0
        GVRP PDUs Transmitted.......................... 0
        GVRP Failed Registrations...................... 0
        BPDU: sent 1286910, received 9
        

    Here is the config for our distribution switch:

    !Current Configuration:
    !System Description "PowerConnect 6248, 3.3.6.4, VxWorks 6.5"
    !System Software Version 3.3.6.4
    !Cut-through mode is configured as disabled
    !
    configure
    vlan database
    vlan 5,10,15,20,25,50,100,150,200
    vlan routing 1 1
    vlan routing 5 2
    vlan routing 100 3
    exit
    hostname "SW1-M01"
    sntp unicast client enable
    sntp server 192.168.0.211
    clock summer-time recurring USA zone "CDT"
    clock timezone -6 minutes 0 zone "CST"
    stack
    member 1 2
    exit
    ip address 192.168.150.250 255.255.255.0
    ip address vlan 150
    ip domain-name ***
    ip name-server 192.168.0.211
    ip name-server 192.168.0.212
    logging 192.168.0.128
    level warning
    exit
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.253
    interface vlan 1
    routing
    ip address 192.168.0.254 255.255.255.0
    exit
    interface vlan 5
    name "Dev_VLAN"
    routing
    ip address 192.168.10.254 255.255.255.0
    exit
    interface vlan 25
    name "DSL_VLAN"
    exit
    interface vlan 100
    name "Voice_VLAN"
    routing
    ip address 10.116.116.2 255.255.252.0
    exit
    interface vlan 150
    name "Management_VLAN"
    exit
    username "admin" password ---- level 15 encrypted
    voice vlan
    line telnet
    exec-timeout 1800
    exit
    ip ssh server
    spanning-tree priority 4096
    !
    interface ethernet 1/g1
    channel-group 1 mode auto
    description 'SWI-M02_Uplink'
    lldp transmit-tlv port-desc sys-name sys-desc sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med confignotification
    lldp med transmit-tlv location
    lldp med transmit-tlv inventory
    exit
    !
    interface ethernet 1/g2
    channel-group 1 mode auto
    description 'SWI-M02_Uplink'
    lldp transmit-tlv port-desc sys-name sys-desc sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med confignotification
    lldp med transmit-tlv location
    lldp med transmit-tlv inventory
    exit
    -- snipped due to length --

    Thanks!


    I've been looking through your configuration trying to spot something that may be the cause, but nothing is really jumping out at me.

    Do the phones have workstations connected behind them for their network access? Or is it just the phone itself?

    One thing we can look at is enabling jumbo frames. Jumbo frames can be let through all ports and the switch will still pass regular-sized frames. Jumbo frames must be enabled on all the connections at both ends; once enabled on the LAG on one switch, you need to enable them on the other switch's LAG as well.

    console(config)#interface range ethernet 1/g1-1/g48

    console(config-if)#mtu 9216

    console(config-if)#exit

    console(config)#interface port-channel 1

    console(config-if)#mtu 9216

    console(config-if)#exit

    Make sure that you back up the configuration to the startup-config on the switch.

    Give that a try and see if there is a change in behavior.

    Thank you.

  • Application causes device to freeze

    Hello

    My application works for a certain time, but then the device (the simulator too) freezes. If I restart it, there is a dialog box that says that my application failed. It seems that the event thread was not able to kill it.

    I think something is flooding the memory, but it's only a guess.

    In the console, I often see the following:

    Freeing Tail 1fa06c0
    BfAllocFailure(2)
    Pruning dead refs
    BfAllocFailure(2)
    Freeing Tail 1fe0fe0
    BfAllocFailure(2)
    ...
    

    Am I correct that I did something wrong?

    Or is it only the garbage collection, and that's it?

    Can you help me identify the problem?

    I am not convinced that a running stream socket connection causes this kind of problem; we run them all the time.  I am also not convinced that the Bitmap is related; if the device were short of memory you would see the hourglass icon all the time the device is running garbage collection.

    Your original post said: "application failed".  Normally, this means that something is blocking the event thread.  It could be that your code is running on the event thread, or it is possible that you did some very lengthy processing on the event thread.  Be that as it may, I'd review the design of your application, find out what processing you do on the event thread and move it off.

  • SG500 52P switch - web interface shows the wrong model and disconnects randomly

    Ladies and gentlemen!

    One of our network switches is an SG500 52P switch that recently started showing strange behavior.

    It started with the switch no longer being accessible via its web interface. Even though it was running perfectly well, access via a web browser ended in timeouts.

    After resetting the switch to factory defaults and configuring its IP address, access at first seemed to work, but I had to notice that the switch reports itself as an SG300 28P switch on the administration web site. In addition, random logouts occur that send me back to the login page. Every once in a while, the model is correctly displayed after login, but when I try to manage it I am logged out again.

    It is still running an older firmware version (1.2.xx I think) but that shouldn't cause such behavior, should it? In any case, I can't update the firmware since the switch reports itself as a different model.

    Any suggestions what to do (apart from an RMA)?

    Regards,

    Hendryk

    Hello

    I'm sorry that you are having problems with the device and I'll try to give you the best possible advice in the circumstances.

    The first thing that comes to mind is that you are connecting to another device that you think is the SG500. I have seen this happen several times before, so I have a few suggestions to ensure we are connecting to the right device:

    1 - Download the Cisco FindIT tool and scan your network; maybe you will find that you have two devices, the SG300 and the SG500. Here is the link:

    https://software.Cisco.com/download/release.html?mdfid=282833583&flowid=...

    2 - Go to the switch that you believe to be the SG500, then go to Administration, then Discovery - CDP, then click CDP Neighbor Information. Most likely, you will see that you have several switches, including the SG500.

    3 - If you have followed these suggestions and you still believe you are going to the right switch, then call 866-606-1866 (in the United States) and we will be happy to help you check the device and replace it if that is the case.

    I really think that the first 2 suggestions will help you realize that you have two switches on your network.

    Please let us know what you find.

  • IDS 2100 - ICMP Network Sweep w/Echo

    I get a lot of these alarms on my IPS. I am interested in finding a way to separate a real "sweep" from what appear to be single pings from one host to another on my internal network.

    The issue I see is that the alarm goes off once every few minutes on yet another IP "attacker" and "victim". So I'm not sure what this 2100 alarm matches; it seems to be triggered each time it sees one host pinging another.

    In an effort to set the alarm to fire only on real "sweep" activity, I changed the event count from '1' (the default setting) to '2' - this seems to allow the alarm to fire only when it sees more than 1 instance of this activity from a single "attacker".

    However, I still find that the 2100 alarm triggers on several 'attacker' hosts on my network.

    It would seem that this alarm is set up to trigger much more often than necessary. I would appreciate any suggestions to get this alarm to stop firing unnecessarily.

    Maybe I don't understand what it's trying to do? To me, a single host pinging a single target is not a 'ping sweep'.

    Hi Mark. So, this is a sweep engine signature designed to detect a single source host (1) sending traffic to multiple destination hosts. Its Unique setting (literally, that's what it's called) represents the number of distinct hosts required to trigger the signature. Based on the default settings of this signature:

    unique: 5

    storage-key: attacker-address

    event-count: 1

    alert-interval: 60 (seconds)

    summary-mode: fire-all

    It should fire (and generate an alert) every time ICMP echo requests are sent from any source ("attacker") to more than five (5) destinations ('victims') within a period of 60 seconds. It should not fire if ICMP echo requests are sent from one source to a single destination only (1:1); several destinations must be involved. I tested in my lab to confirm.

    Now, alerting gets more complicated because of this signature's use of summarization (and global summarization)... Based on the default settings of this signature:

    summary-threshold: 100

    summary-interval: 30 (seconds)

    summary-key: attacker-address

    If this event fires more than 100 times in 30 seconds, it sends a summary alert (instead of individual alerts) once per summary interval (30 seconds) per summary key (attacker address).

    In light of all the foregoing and your original description, I suspect that your hosts are legitimately triggering the signature, eventually causing summary alerts. As to why the hosts are triggering it, you should examine the hosts themselves (possibly take and examine packet capture(s) in order to identify which hosts are pinging which other hosts, whether there is a common software package installed on the affected hosts, etc.). Network management software (legitimately) often makes use of ICMP ping sweeps. Looking around online a little, it seems that even some popular antivirus software is known to trigger it (based on it trying to ping multiple update servers to determine connectivity). Perhaps there is a software package installed on these hosts generating the triggering traffic?
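A model of the detection logic the reply describes, added here as an example (not Cisco's code): a per-attacker sliding window of distinct echo-request destinations compared against Unique within the alert interval, plus the collapse to one summary alert per summary interval once the fire count passes the summary threshold. The events are constructed inline, and "more than Unique destinations" is read the way the reply states it.

```python
"""Model of the 2100 sweep signature behaviour described above.
Added example, not Cisco code; defaults follow the values quoted in the reply."""
from collections import defaultdict

UNIQUE = 5               # distinct destinations a source must exceed
ALERT_INTERVAL = 60      # seconds a destination stays in the per-source set
SUMMARY_THRESHOLD = 100  # fires per summary interval before summarising
SUMMARY_INTERVAL = 30    # seconds

# Constructed sample events: (timestamp, src, dst, icmp_type).  10.0.0.50 pings
# one server for five minutes (1:1, must never fire); 10.0.0.66 sweeps
# 10.0.0.1-10.0.0.8 within eight seconds.
SAMPLE_EVENTS = (
    [(t, "10.0.0.50", "10.0.0.9", 8) for t in range(0, 300, 10)] +
    [(100 + i, "10.0.0.66", "10.0.0.%d" % (i + 1), 8) for i in range(8)]
)


class SweepDetector:
    def __init__(self, unique=UNIQUE, alert_interval=ALERT_INTERVAL,
                 summary_threshold=SUMMARY_THRESHOLD,
                 summary_interval=SUMMARY_INTERVAL):
        self.unique = unique
        self.alert_interval = alert_interval
        self.summary_threshold = summary_threshold
        self.summary_interval = summary_interval
        self.seen = defaultdict(dict)    # src -> {dst: last_seen_ts}
        self.fires = defaultdict(list)   # src -> timestamps of recent fires
        self.summary_until = {}          # src -> end of current summary window

    def observe(self, ts, src, dst, icmp_type):
        """Feed one packet; return an alert dict when the signature fires."""
        if icmp_type != 8:               # only echo requests are counted
            return None
        dsts = self.seen[src]
        dsts[dst] = ts
        # Drop destinations not seen within the alert interval (storage-key is
        # the attacker address, so the set is kept per source).
        for stale in [d for d, t in dsts.items() if ts - t > self.alert_interval]:
            del dsts[stale]
        if len(dsts) <= self.unique:
            return None                  # 1:1 pings never get past this line
        return self._fire(ts, src, len(dsts))

    def _fire(self, ts, src, n_dsts):
        recent = [t for t in self.fires[src] if ts - t < self.summary_interval]
        recent.append(ts)
        self.fires[src] = recent
        if len(recent) > self.summary_threshold:
            # Summary mode: one alert per summary interval per attacker address.
            if ts < self.summary_until.get(src, -1):
                return None
            self.summary_until[src] = ts + self.summary_interval
            return {"src": src, "summary": True, "fires": len(recent)}
        return {"src": src, "summary": False, "unique_dsts": n_dsts}


def run(events, **kwargs):
    """Replay events in time order and collect the alerts produced."""
    det = SweepDetector(**kwargs)
    return [a for a in (det.observe(*e) for e in sorted(events)) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```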

  • AnyConnect clients can reach inside applications but NO ICMP

    Hi dear Cisco community.
     
    I have a setup with a Cisco ASA 8.4 and clients connecting to a server on the inside interface.
    Everything works very fine; they can reach all applications and all that, BUT, ICMP does not go through.
    I double checked: the server receives the ICMP echo message fine and answers properly.
     
    It's my ASA that blocks the echo reply, due to a NAT problem according to the logs:
     
     
    6 June 26, 2014 16:00:06 302020 172.16.23.1 AAA.BBB.CCC.1 Built inbound ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr AAA.BBB.CCC.1/0 laddr AAA.BBB.CCC.1/0 (customer1)
    3 June 26, 2014 16:00:07 305006 AAA.BBB.CCC.1 172.16.23.1 regular translation creation failed for icmp src any:AAA.BBB.CCC.1 dst OUTSIDE:172.16.23.1(LOCAL\customer1) (type 0, code 0)
    6 June 26, 2014 16:00:08 302021 172.16.23.1 AAA.BBB.CCC.1 Teardown ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr AAA.BBB.CCC.1/0 laddr AAA.BBB.CCC.1/0 (customer1)
     
     
     
    Here is an excerpt of my config:
     
    object network VPN_POOL_CLTS
     subnet 172.16.23.0 255.255.255.0
     
    object network INSIDE_SERVERS_NET
     subnet YYYY.BBB.CCC.0 255.255.255.0
     
    nat (any,OUTSIDE) source dynamic any interface description NAT overloading
    nat (any,any) source static VPN_POOL_CLTS VPN_POOL_CLTS no-proxy-arp
     
     
    I think that there is a NAT problem, so I would add the following line before the first two NAT configuration lines:
     
    nat (INSIDE,OUTSIDE) source static INSIDE_SERVERS_NET INSIDE_SERVERS_NET no-proxy-arp
     
    Don't you think that this will solve the problem?
     
    Why would all traffic flows work but ICMP?
     
    Thank you all for reading.

    Hi Florian.

    If you look at the logging values for the icmp deny:

    305006

    Error Message %ASA-3-305006: {outbound static | identity | portmap | regular) translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]

    Explanation: A protocol (TCP, UDP or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA rejects the translation of an IP address identified as a network or broadcast address.

    The ASA does not apply PAT to all types of ICMP messages. It applies PAT only to ICMP echo and echo reply packets (types 8 and 0). Specifically, only ICMP echo or echo reply packets create a PAT translation. Thus, when other types of ICMP messages are dropped, this message is generated.

    The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching netmask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.

    For example:

    static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
     

    The ASA responds to global address 10.2.2.128 as a network address and 10.2.2.255 as the broadcast address. Without an existing translation, the ASA rejects the inbound packets destined for 10.2.2.128 or 10.2.2.255 and logs this message.

    When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the static subnet command (the first matching rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:

    static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
    static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128
     

    The translation can be created by traffic started from the inside host with the IP address in question. Because the ASA considers a network or broadcast IP address as a host IP address with a static configuration of overlapping subnets, the network address translation in the two static commands must be the same.

    Recommended Action: None required.

    302020

    Error Message %ASA-6-302020: Built {in | out}bound ICMP connection for faddr {faddr | icmp_seq_num} [(idfw_user)] gaddr {gaddr | cmp_type} laddr laddr [(idfw_user)]

    Explanation: An ICMP session has been created in the fast path when stateful ICMP has been enabled using the inspect icmp command.

    Recommended Action: None required.

    So a rule similar to the one below would solve your problem.

    nat (inside,outside) source static OBJ_INTERNAL OBJ_INTERNAL destination static OBJ_VPN OBJ_VPN no-proxy-arp route-lookup

    Regards

    Knockaert

  • Should I block icmp on my edge router or my firewall?

    Originally, we were blocking icmp traffic on our border router (2811), but recently we changed this to block on the firewall (ASA) instead. I have been informed that blocking on the router would cause too much overhead on the router, since it now has to inspect all traffic, and the firewall was better equipped for this.

    What is the industry standard? What does Cisco recommend?

    Something like this, although I recommend you post this on the firewall forum for confirmation.

    ! deny non-initial ICMP fragments

    access-list 101 deny icmp any any fragments

    ! permit "dest unreachable" messages

    access-list 101 permit icmp any any 3

    ! permit "time exceeded" messages

    access-list 101 permit icmp any any 11

    ! permit "source quench" messages

    access-list 101 permit icmp any any 4

    ! permit "parameter problem" messages

    access-list 101 permit icmp any any 12

    ! permit "echo reply" messages

    access-list 101 permit icmp any any 0

    ! deny all other icmp

    access-list 101 deny icmp any any

    You could consider tightening the destination unreachable entry too. It should look like this for each type and code that you want to permit:

    ! permit 'dest unreach - port unreach' messages

    access-list 101 permit icmp any any 3 3

    See here:

    http://www.IANA.org/assignments/ICMP-parameters
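An added example (not from the reply) that parses the ACL above and evaluates it first-match, so the difference between the '3' entry and the '3 3' refinement, and what happens to a non-initial fragment, can be checked offline. It models only icmp lines of the form 'access-list N permit|deny icmp any any [type [code]]' plus the 'fragments' keyword, and the IOS rule that entries carrying type/code information do not match non-initial fragments; the implicit deny at the end is kept.

```python
"""First-match evaluation of the ICMP ACL above.  Added example, not Cisco
code; it models only 'access-list N permit|deny icmp any any [type [code]]'
and the 'fragments' keyword, with IOS's implicit deny at the end."""


def parse_acl(text):
    """Parse the icmp entries of an extended numbered ACL, in order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "icmp":
            continue                       # comment ('!') or blank line
        rest = parts[6:]                   # whatever follows 'any any'
        rule = {"action": parts[2], "fragments": False, "type": None, "code": None}
        if rest == ["fragments"]:
            rule["fragments"] = True
        elif rest:
            rule["type"] = int(rest[0])
            if len(rest) > 1:
                rule["code"] = int(rest[1])
        rules.append(rule)
    return rules


def evaluate(rules, icmp_type, icmp_code=0, non_initial_fragment=False):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for r in rules:
        if non_initial_fragment:
            # No ICMP header to look at: only 'fragments' entries and entries
            # without type/code information can match (IOS behaviour).
            if r["fragments"] or r["type"] is None:
                return r["action"]
            continue
        if r["fragments"]:
            continue                       # applies to non-initial fragments only
        if r["type"] is None or (r["type"] == icmp_type and
                                 r["code"] in (None, icmp_code)):
            return r["action"]
    return "deny"                          # implicit deny


# The ACL from the reply, with the 'dest unreachable' entry as posted...
SAMPLE_ACL = """
! deny non-initial ICMP fragments
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any 3
access-list 101 permit icmp any any 11
access-list 101 permit icmp any any 4
access-list 101 permit icmp any any 12
access-list 101 permit icmp any any 0
access-list 101 deny icmp any any
"""
# ...and with that entry narrowed to port unreachable only (type 3, code 3).
REFINED_ACL = SAMPLE_ACL.replace("permit icmp any any 3\n", "permit icmp any any 3 3\n")

if __name__ == "__main__":
    for name, acl in (("as posted", parse_acl(SAMPLE_ACL)),
                      ("refined", parse_acl(REFINED_ACL))):
        for t, c in ((8, 0), (0, 0), (3, 1), (3, 3)):
            print("%-9s type %2d code %d -> %s" % (name, t, c, evaluate(acl, t, c)))
```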

  • too many ICMP unreachable/exceeded

    Hello

    I have a PIX 506E here and my network has been slow to death for the last 3 days. When I use terminal monitor (debug mode) I saw there were a lot of icmp unreachable and time exceeded messages from unknown IPs, over 30 different IPs detected. But isn't that supposed to be normal ICMP information, not some kind of attack? Any possible cause of this problem?

    Thank you

    Hello, there are a lot of possible reasons.

    Are you sure there's no worm in your network?

    ICMP unreachable means you sent an IP packet to a machine that does not have that TCP/UDP port open. That can be the result of a worm scanning IP addresses for vulnerabilities and the internet hosts responding.

    ICMP time exceeded can occur after a traceroute or from IP routing loops. There is nothing you can do about loops in the internet.

    I hope this helps! Please rate all posts.

    Regards, Martin

  • Deny incoming ICMP

    We have an ASA 5540, running IOS 8.2(4). For some reason, I keep getting notices by email about this message: "<155>Feb 17 2011 04:59:16: %ASA-3-106014: Deny inbound icmp src outside:74.125.24.179 dst inside:74.125.20.1 (type 3, code 1)".  Sometimes I get this notification by email 3 times within a 1 minute interval.  Do you have any suggestions what caused this type of error message and how to fix it?  Nobody was connected with the Cisco VPN client when this error occurred.

    Thank you.

    Diane

    OK, analyzing the original message:

    ICMP type 3, code 1 is host unreachable.

    Thus, a remote router will normally respond with ICMP type 3 code 1 when you send a packet trying to connect to a host that does not exist, or exists but is switched off / disconnected. You must review your outgoing traffic and find which host sends the initial traffic to an unreachable host.

    This is most likely a response to an outgoing packet (translated to the external IP of the ASA).

    Federico.

  • ICMP is required for the site to site VPN

    Hello

    I'm trying to set up a site-to-site VPN connection between a Cisco 1841 with the AIM-VPN-SSL-1 module and a NEC IX2015. We use a GRE over IPSec tunnel.

    The problem we have is that the NEC router will not respond to ICMP packets (and there is no way to get it to respond). Will this cause problems with the tunnel?

    Thank you!

    Paul

    I don't think it will cause any problem. The most you cannot do is ping to test connectivity. Other than that, the IPSec LAN-to-LAN tunnel should work just fine.

  • Verizon iPhone 5 updated to new iOS 10 problem: cannot receive/send calls. The Verizon store says it's an update causing popular Apple phones to crash all day. Any input or advice, please?

    Verizon iPhone 5 updated to new iOS 10 problem: I can't receive/send calls. The Verizon store says it's an update causing popular Apple phones to crash all day. Any input or advice, please?

    Does it say No Service at the top?

  • Since upgrading to Sierra, MediaLibraryService is causing a memory leak

    Hello.

    I upgraded to Sierra, and since then, as soon as iTunes is launched, com.apple.medialibraryservice causes a large memory leak: it keeps taking more RAM until it takes all of it (16 GB) and significantly slows down the computer.

    I tried resetting the NVRAM and SMC; that doesn't change anything.

    Does anyone have an idea what is causing this leak, and is there a solution?

    Yes, I noticed this also. After I open iTunes, it's just a matter of time before all the memory gets used up and everything starts to get wobbly. In particular, Bluetooth really gets buggy after a certain time, and as soon as I quit iTunes, it's fine.

  • Mission Control causing Sierra to crash and log out

    Hello

    I noticed a problem with macOS Sierra running on a Mid 2015 15" MacBook Pro with Retina display. Sometimes when I press F3 to access Mission Control and my multiple desktops, the computer freezes and goes back to the login screen.

    When I log in, it's like I started a new session and the apps I had open start back up again, but with their sessions wiped. This happens to me about 3 times in a day's work; most of the time Mission Control works very well. Very strange!

    Did anyone else encounter this problem at all?

    Hi there, stvwlkr!

    Thank you for joining the Apple Support Communities! It looks like you are having problems with Mission Control. I know how important it is to make sure that it works correctly. What you might want to try next is a specific kind of restart. Read this article on trying safe mode if your Mac doesn't finish starting up. Although this article is about the computer not starting correctly, it can also perform repairs and stop startup items that can cause problems.

    Another option you can try is in this article: How to test an issue in another user account on your Mac. This will allow you to check whether the problem is specific to the user or system-wide.

    See you soon!
