ICMP flood from inside firewall

ICMP flood from inside firewall

on 01.02.2006 20:21:24 by synergy

I have been getting a ton of ICMP traffic on my network.

Here is my environment:

Internet
|
|
Watchguard X700 Firewall
| | |
| | |
x.x.1.1 (A) Vina 200 eLINK x.x.1.0 Netopia 5300r
(A) x.x.1.7
| |
| NPN | T1
| |
x.x.2.1 (B) Vina 200 eLINK Netopia 5300r (B) x.x.3.1
| |
| |
x.x.2.0 x.x.3.0
~120 computers, plus servers; three Dell PowerConnect 2624 switches and
one PowerConnect 2716.

My firewall shows this:
01/27/06 14:05 firewalld[107]: deny out eth1 40 tcp 20 29
68.143.171.250 68.232.44.65 2745 4631 rst ack (spoofed source address)
We have connected a hub between the switch and the firewall and used
Ethereal to sniff traffic. The source and target IPs change almost
randomly. Some are IPs that are from my subnet, and some are more like
you see from the example above.
The only common thread between all of the packets is the spoofed MAC
addys:
Source: 08:00:2B:00:DC:DC
Target: 08:00:2B:00:01:02
The source MAC is from DEC equipment. I don't believe any of our
devices use DEC technology or should show up as a DEC MAC.
I'm open for debate on that subject.

We THINK we have narrowed it down to the x.x.1.0 location, but I'm not
entirely convinced.

In any case, it is a significant amount of traffic, and at times pegs
the (A) Netopia at 99% CPU, when the (B) Netopia is around 27%.

It has been suggested that there may be someone playing with nmap or
other tools, but my users are not technologically adept.

We are a not-for-profit serving the needs of abused women and children,
so our users are not what I could call savvy at all. Toss them an IP
address, and they'll probably pick up the phone and dial it. I don't
believe it is anyone playing with nmap or any other tool.

We have researched this thoroughly and have found some posts on Usenet
groups, but no information as to the resolution. Most of the
discussions degenerated into waxing ecstatic about DEC equipment or a
discussion about using the term VAXen. :P

If I'm trying to track down a spoofed MAC address from, say, a trojan,
am I stuck with connecting to every PC, NIC to NIC via crossover cable
and ethereal to sniff packets?

Any information would be greatly appreciated.
Thank you.
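The firewall line quoted above is the one piece of hard evidence in the post: an outbound packet on the external interface whose source address does not belong to the site, which is why the WatchGuard tags it "spoofed source address" and why the traffic must originate inside. The following Python is an added example, not code from the post or from WatchGuard, that parses lines in that layout and derives the same verdict independently by checking the source address against the site's own prefixes (in both directions: an outbound packet from a non-site source, or an inbound packet claiming a site source, is forged). The field layout is assumed from the single line in the post; the two numeric fields after the protocol are not explained there, so the parser keeps them as opaque values. The 10.0.x.0/24 prefixes stand in for the redacted x.x.1.0, x.x.2.0 and x.x.3.0 networks, and all log lines except the first are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the site's x.x.1.0, x.x.2.0 and x.x.3.0 networks.
SITE_NETS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"),
             ip_network("10.0.3.0/24")]

# Layout assumed from the one firewalld line in the post. f1/f2 are the two
# numeric fields after the protocol whose meaning the post does not state.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\]: "
    r"(?P<action>allow|deny) (?P<dir>in|out) (?P<iface>\S+) (?P<length>\d+) "
    r"(?P<proto>\w+) (?P<f1>\d+) (?P<f2>\d+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)(?P<flags>[^(]*)(?:\((?P<reason>[^)]*)\))?\s*$"
)

# First line is the one from the post; the rest are constructed.
SAMPLE_LOG = [
    "01/27/06 14:05 firewalld[107]: deny out eth1 40 tcp 20 29 "
    "68.143.171.250 68.232.44.65 2745 4631 rst ack (spoofed source address)",
    "01/27/06 14:05 firewalld[107]: allow out eth1 60 tcp 20 64 "
    "10.0.1.25 198.51.100.7 3021 80 syn",
    "01/27/06 14:06 firewalld[107]: deny out eth1 40 tcp 20 29 "
    "203.0.113.9 198.51.100.8 1100 4631 rst ack (spoofed source address)",
    "01/27/06 14:06 firewalld[107]: deny in eth0 40 tcp 20 51 "
    "203.0.113.10 10.0.1.3 1080 445 syn",
    "this line is not a firewalld record",
]


def parse_line(line):
    """Return a dict of fields for one firewalld line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].strip()
    rec["reason"] = (rec["reason"] or "").strip()
    return rec


def is_site_address(addr):
    a = ip_address(addr)
    return any(a in net for net in SITE_NETS)


def classify(rec):
    """Forged-source check that does not rely on the firewall's own reason text:
    a packet leaving from a source the site does not own, or arriving from a
    source the site does own, cannot be genuine."""
    src_is_ours = is_site_address(rec["src"])
    if rec["dir"] == "out" and not src_is_ours:
        return "spoofed-source"
    if rec["dir"] == "in" and src_is_ours:
        return "spoofed-source"
    return "other"


def summarize(lines):
    """Count parsed records and spoofed-source records, the latter per interface."""
    result = {"parsed": 0, "spoofed": 0, "by_iface": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        result["parsed"] += 1
        if classify(rec) == "spoofed-source":
            result["spoofed"] += 1
            result["by_iface"][rec["iface"]] += 1
    return result


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['parsed']} records, {summary['spoofed']} with forged source")
    for iface, n in summary["by_iface"].items():
        print(f"  {iface}: {n} forged-source packets (originating on the inside)")
```

Because the IP header is forged, this log can confirm that the traffic is leaving from inside but can never name the sending host; that is exactly why the next step has to be a frame-level capture on the internal side, where the Ethernet header is still available.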

Re: ICMP flood from inside firewall

on 01.02.2006 21:31:25 by ibuprofin

On 1 Feb 2006, in the Usenet newsgroup comp.security.misc, in article
<1138821684.016963.129900@f14g2000cwb.googlegroups.com>,
synergy@synergyservices.org wrote:

>Here is my environment:

OK - the drawing is murder to try to read, but I take it that the three
networks only meet in the Watchguard. Where are the PowerConnect switches
located?

>We THINK we have narrowed it down to the x.x.1.0 location, but I'm not
>entirely convinced.

I think I agree.

>In any case, it is a significant amount of traffic, and at times pegs
>the (A) Netopia at 99% CPU, when the (B) Netopia is around 27%.

That fits the location A scenario. Is there any pattern to when this
occurs?

>Toss them an IP address, and they'll probably pick up the phone and dial
>it. I don't believe it is anyone playing with nmap or any other tool.

OK - the only other explanation would be that the boxes are owned, and
this might show up on the nmap scan as unusual ports open.

>If I'm trying to track down a spoofed MAC address from, say, a trojan,
>am I stuck with connecting to every PC, NIC to NIC via crossover cable
>and ethereal to sniff packets?

As mentioned in my reply on alt.comp.networking.firewalls, the crossover
cable probably isn't the right tool. You need to 'eavesdrop' on the
wire as the unknown box is spewing. Depending on where the switches are
located, these might allow you to isolate it down further, as the
switches only carry traffic between the ports used for source and
destination - rather than pumping it out on all ports as a hub does.

Old guy
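The reply's advice is to eavesdrop where the unknown box is transmitting and let the switches narrow it down. What makes that workable is the observation in the original post: the IP addresses change almost randomly, but the source MAC does not. The Python below is an added example, not from either poster, that runs over a constructed capture (the kind of per-frame records Ethereal would give you) and groups frames by source MAC, reporting how many distinct source IPs and how many non-site source IPs each MAC has emitted. A station with one MAC and a spread of forged IPs stands out immediately; that MAC is then what you look up in each PowerConnect's forwarding table to find the physical port, which is how the switches isolate the host without touching every PC. The 10.0.x.0/24 prefixes are placeholders for the redacted site networks, the DEC-prefixed MAC pair is the one from the post, the other MACs are locally administered addresses made up for the example, and the OUI table is deliberately tiny (a real lookup uses the IEEE registry).

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the site's x.x.1.0, x.x.2.0 and x.x.3.0 networks.
SITE_NETS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"),
             ip_network("10.0.3.0/24")]

# First three octets -> vendor. 08:00:2B is the DEC prefix identified in the
# post; this table is intentionally minimal.
OUI = {"08:00:2B": "DEC"}


def vendor(mac):
    return OUI.get(mac.upper()[:8], "unknown")


def is_site_address(addr):
    a = ip_address(addr)
    return any(a in net for net in SITE_NETS)


def sample_frames():
    """Constructed capture: the spoofing station from the post (fixed DEC-prefixed
    MACs, constantly changing IPs) beside one ordinary workstation."""
    frames = []
    # Twelve frames from the spoofing station: four site source IPs, eight outside.
    for i in range(12):
        src_ip = f"10.0.1.{40 + i}" if i < 4 else f"203.0.113.{i}"
        frames.append({"src_mac": "08:00:2B:00:DC:DC", "dst_mac": "08:00:2B:00:01:02",
                       "src_ip": src_ip, "dst_ip": f"198.51.100.{i}"})
    # Three frames from an ordinary workstation (constructed locally administered MACs).
    for _ in range(3):
        frames.append({"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
                       "src_ip": "10.0.1.25", "dst_ip": "10.0.1.1"})
    return frames


def attribute(frames):
    """Group frames by source MAC. The IP header is forged per packet, but the
    source MAC stays constant, so it is the key that ties the flood to one station."""
    stats = {}
    for f in frames:
        s = stats.setdefault(f["src_mac"], {"frames": 0, "src_ips": set(),
                                            "dst_ips": set(), "offsite_src": 0})
        s["frames"] += 1
        s["src_ips"].add(f["src_ip"])
        s["dst_ips"].add(f["dst_ip"])
        if not is_site_address(f["src_ip"]):
            s["offsite_src"] += 1
    return stats


def suspects(frames, min_src_ips=4):
    """MACs that emitted frames with many different source IPs, or with any
    source IP the site does not own, are forging their IP headers."""
    found = []
    for mac, s in attribute(frames).items():
        if len(s["src_ips"]) >= min_src_ips or s["offsite_src"] > 0:
            found.append(mac)
    return sorted(found)


if __name__ == "__main__":
    frames = sample_frames()
    for mac, s in attribute(frames).items():
        print(f"{mac} ({vendor(mac)}): {s['frames']} frames, "
              f"{len(s['src_ips'])} source IPs, {s['offsite_src']} with non-site source")
    print("look these MACs up in the switch forwarding tables:", suspects(frames))
```

Run on a real capture, the only change needed is a loop that fills the same four fields from each frame; the grouping logic is the same. The threshold in suspects() is a judgement call for a site of ~120 machines, where a genuine host should show exactly one source IP.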