wildbill442
Forum Guru
Topic Author
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Strange ICMP behavior

Wed Jan 24, 2007 6:02 pm

I've come across some strange activity recently.

Thousands of ICMP packets per second... I wish I had saved the Ethereal snapshot I took when it was occurring.

They were all ICMP packets with SRCIP=0.0.0.0 and DSTIP=0.0.0.0. Looking at the MAC layer, it had various SRC MAC addresses and a consistent DST MAC address of FF:FF:FF:FF:FF:FF.

I narrowed it down to a single port on my switch and disabled that port, by the time I got a tech out there to analyze this "attack" or packet storm, it had disappeared.

What would cause a host (or hosts) to send out thousands of ICMP packets per second? I mean, it was bad; I was seeing up to 3,000 pps. They were all about 74 bytes in size, if I remember correctly.
 
wildbill442

Wed Jan 24, 2007 8:22 pm

Here we go; this one is a little different, but the same thing. I only ran Ethereal for about a second and it captured almost 3000 packets...

[Ethereal capture screenshot; not reproduced]

This time the dst IP was the same in almost all cases; the src MAC varied between multiple MAC addresses on our system.
 
wildbill442

Wed Jan 24, 2007 9:44 pm

Well, I narrowed it down to one host. I'll have to wait and see what the cause could have been, but that user has been turned off.

Has anyone else seen similar traffic like this?
 
wildbill442

Wed Jan 24, 2007 10:30 pm

Digging through the archives, I found this (http://forum.mikrotik.com/viewtopic.php ... cket+storm), which is somewhat helpful because there is a Linksys WRT54G router in place.

And come to think of it, this problem started once I switched this user from a static IP address to PPPoE.
 
wildbill442

Wed Jan 24, 2007 11:00 pm

Another update,

The offending host was actually a BEFSR41v3 running 1.04.17 (11/26/2003).

Here's a list of what the newest firmware fixes:

1.05.00 (Apr. 1, 04)
1. Fixed multicast issue broadcast on all ports
2. Fixed DHCP vulnerability
3. Fixed inappropriate ARP response from the router
4. Fixed fragmented data arriving to destination in the wrong order. This affected IPSec VPN users
5. Modified web user interface for ease of use

I think we found the source. Anyway, hopefully this is helpful to someone else.
 
awsmith
newbie
Posts: 45
Joined: Wed May 31, 2006 8:18 am

Thu Jan 25, 2007 6:03 am

I've seen this with Canopy radios that "repackage" multicast traffic as broadcast. One customer was sending IGMP packets to a multicast address, and the Canopy radios resent them to the broadcast address. Instead of the interface drivers on all of our customers' devices silently ignoring the packet (because that multicast address wasn't being listened to), they passed it to the IP stack (because it was now an Ethernet broadcast), which, because it wasn't listening for IGMP packets, sent an ICMP error in response.

Multiply by a few thousand and hilarity ensues.
 
wildbill442

Thu Jan 25, 2007 10:44 am

I wonder if Tranzeo CPEs do the same. Something I'm definitely going to look into. In the Ethereal snapshot it shows the ICMP portion of the packet, and if you expand that it shows IP and IGMP beneath it. I'm not sure whether that indicates the multicast packets are encapsulated in the ICMP packet, or whether that's just a normal part of an ICMP packet.

The fact that the Linksys firmware notes say it broadcast multicast traffic on all ports, and that what I was seeing was broadcast ICMP packets, sure makes it seem likely that Tranzeos do "repackage" multicast traffic into some kind of broadcast ICMP.

Something worth testing! Thanks for that.
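The mechanism awsmith describes, and the IP and IGMP layers that wildbill442 sees nested under the ICMP portion of his capture, can be made concrete. The Python below is an added example, not code from this thread, from MikroTik or from any of the vendors named in it. An ICMP error message carries the IP header and the first 8 bytes of the datagram that triggered it (RFC 792), so when a host with no IGMP handler answers a broadcast IGMP packet with a "destination unreachable, protocol unreachable" error (type 3, code 2), a dissector shows IP and IGMP beneath ICMP; that is the quoted original, not encapsulated multicast. The script builds constructed frames of exactly that shape (14-byte Ethernet, 20-byte IP, 36-byte ICMP error: 70 bytes on the wire, near the size the poster recalls), dissects them, and counts broadcast ICMP errors per source MAC so the offending host stands out, which is the narrowing-down the thread did by hand. All MAC and IP addresses, the group address 224.0.1.60 and the frame counts are made up for the example.

```python
"""Dissect Ethernet/IPv4/ICMP frames and flag a broadcast ICMP storm whose
ICMP errors quote an IGMP packet, as described in the thread.

All frames here are CONSTRUCTED with the helpers below; none come from the
original poster's capture. Addresses and counts are invented.
"""
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_IGMP = 2
ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
ICMP_PROTO_UNREACH = 2                  # code: "protocol unreachable"
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}    # types that quote the offending datagram
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by IPv4, ICMP and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def igmp_report(group: str) -> bytes:
    """8-byte IGMPv2 membership report for `group`."""
    body = struct.pack("!BBH4s", 0x16, 0, 0, ip_bytes(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_storm_frame(src_mac: str, src_ip: str = "0.0.0.0", dst_ip: str = "0.0.0.0") -> bytes:
    """Broadcast ICMP 'protocol unreachable' error quoting an IGMP report.

    Per RFC 792 the error carries the offending IP header plus the first
    8 bytes of its payload, which is why a dissector shows IP and IGMP
    nested inside the ICMP portion. The 0.0.0.0 addresses mirror the first
    capture in the thread; the quoted host and group addresses are made up.
    """
    inner_igmp = igmp_report("224.0.1.60")
    inner_ip = ipv4_header("10.0.0.7", "224.0.1.60", IPPROTO_IGMP, len(inner_igmp))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PROTO_UNREACH, 0, 0)
    icmp += inner_ip + inner_igmp[:8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = ipv4_header(src_ip, dst_ip, IPPROTO_ICMP, len(icmp))
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def build_echo_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Ordinary unicast ICMP echo request, used as a benign control frame."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = ipv4_header(src_ip, dst_ip, IPPROTO_ICMP, len(icmp))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def dissect(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> ICMP, plus the datagram quoted by ICMP errors."""
    info = {
        "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] != ETHERTYPE_IPV4:
        return info
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])), proto=ip[9])
    if info["proto"] != IPPROTO_ICMP:
        return info
    icmp = ip[ihl:]
    info.update(icmp_type=icmp[0], icmp_code=icmp[1])
    if info["icmp_type"] in ICMP_ERROR_TYPES and len(icmp) >= 8 + 20:
        quoted = icmp[8:]                       # original IP header + 8 bytes
        info.update(quoted_proto=quoted[9],
                    quoted_src=".".join(map(str, quoted[12:16])),
                    quoted_dst=".".join(map(str, quoted[16:20])))
    return info


def find_storm_sources(frames, min_count: int = 3) -> dict:
    """Source MACs sending at least `min_count` broadcast ICMP errors that
    quote IGMP. Per-MAC counts are what let you narrow a storm down to one
    switch port or CPE, as the thread's author did by hand."""
    counts = Counter()
    for frame in frames:
        p = dissect(frame)
        if (p.get("dst_mac") == BROADCAST_MAC and p.get("proto") == IPPROTO_ICMP
                and p.get("quoted_proto") == IPPROTO_IGMP):
            counts[p["src_mac"]] += 1
    return {mac: n for mac, n in counts.items() if n >= min_count}


# Constructed sample: one noisy CPE, one that chimed in briefly, one normal ping.
SAMPLE_FRAMES = (
    [build_storm_frame("00:11:22:33:44:01") for _ in range(5)]
    + [build_storm_frame("00:11:22:33:44:02") for _ in range(2)]
    + [build_echo_frame("00:11:22:33:44:03", "00:11:22:33:44:fe", "10.0.0.3", "10.0.0.254")]
)

if __name__ == "__main__":
    print(find_storm_sources(SAMPLE_FRAMES))   # {'00:11:22:33:44:01': 5}
```

Against a real capture you would feed `dissect()` the frames from a pcap reader instead of `SAMPLE_FRAMES`; the filter it applies (broadcast destination MAC, ICMP, quoted protocol IGMP) is the signature to look for, and the `src_mac` counts tell you which port to shut.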
