
Re: Checkpoint NG3 ICMP Flood



On Monday, 18 December 2006 12:14, bdmoraes@xxxxxxxxxx wrote:
> Dear All,
>
> I have one Checkpoint NG3 in my company, and verifying in Tracking I have
> thousands of events with ICMP type 8 and type 17.
>
> The events have their origin in my internal networks, with one problem ... the
> Source IP is my PAT address for internal hosts to internet.
>
> Is there any bug in Checkpoint? Has anyone already seen this event?
>
> I will go verify with sniffers and other tools, but this IP (only for PAT)
> is not routable in my internal networks...
>
> Thanks for attention.
> Poison

hi,

perhaps related to:
http://www.incidents.org/diary.php?storyid=1949&isc=ae18b977be6828a8c9bf904d72cc5630

Sniffer: depends on what platform you use:
- Solaris: snoop
- everything else: tcpdump

Reading out the MAC addresses of these packets should give a clue in the 
direction where to search further.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

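The MAC-address check suggested in the reply above, as an added example that is not part of the original message: it tallies the source MAC of every ICMP type 8 / type 17 packet that carries the PAT address as source IP, reading `tcpdump -e -n` text output. The function name, the interface placeholder in the comment, and all addresses and capture lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed capture command on the internal interface (placeholders in <>):
#   tcpdump -e -n -i <iface> 'icmp[icmptype] == 8 or icmp[icmptype] == 17'
# -e prints the link-level header, so each line carries the source MAC.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+): ICMP (?P<desc>.*)$"
)

# tcpdump's text for the two ICMP types named in the thread.
ICMP_TYPES = {"echo request": 8, "address mask request": 17}


def tally_source_macs(lines, pat_ip):
    """Count (source MAC, ICMP type) pairs for packets whose source IP is pat_ip."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["sip"] != pat_ip:
            continue  # not an ICMP line, or not sourced from the PAT address
        for text, icmp_type in ICMP_TYPES.items():
            if m["desc"].startswith(text):
                counts[(m["smac"], icmp_type)] += 1
    return counts


# Constructed sample capture (documentation IP ranges and MAC block).
SAMPLE_LINES = [
    "12:14:01.000101 00:00:5e:00:53:0a > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), "
    "length 98: 203.0.113.10 > 198.51.100.7: ICMP echo request, id 512, seq 1, length 64",
    "12:14:01.000950 00:00:5e:00:53:0a > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), "
    "length 46: 203.0.113.10 > 198.51.100.7: ICMP address mask request, length 12",
    "12:14:02.000107 00:00:5e:00:53:0a > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), "
    "length 98: 203.0.113.10 > 198.51.100.7: ICMP echo request, id 512, seq 2, length 64",
    "12:14:02.400000 00:00:5e:00:53:0b > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), "
    "length 98: 192.0.2.25 > 198.51.100.7: ICMP echo request, id 7, seq 1, length 64",
    "12:14:02.500000 00:00:5e:00:53:01 > 00:00:5e:00:53:0a, ethertype IPv4 (0x0800), "
    "length 98: 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 512, seq 2, length 64",
]

if __name__ == "__main__":
    for (mac, icmp_type), n in tally_source_macs(SAMPLE_LINES, "203.0.113.10").most_common():
        print(f"{mac}  ICMP type {icmp_type}  {n} packets")
```

The MAC with the highest count can then be looked up in the switch forwarding table or the ARP cache of the adjacent devices to locate the segment the packets enter from.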