Cisco IDS reporting strange ICMP DoS attempts
So we are running a few Cisco IDS/IPS blades on our network. One of them has been reporting some strange activity to our external SMTP load balancer IP address, and occasionally to one of our external nameservers. It is seeing this a /lot/ but only a few times from each IP address, and nowhere near what a real DoS or DDoS would be.
My quick research has shown this as a possibility, as we are seeing ICMP Hard Error with the Port Unreachable flag.
Has a botnet stumbled across our IP range, or do we have a pissed off customer that is trying to craft ICMP Hard Errors in an attempt to reset connections for legit traffic?
This started on Thursday 11/2 and has been steady since then.
Here is a copy of the event from one of our IDS boxes.
Code:
evIdsAlert: eventId=1161202650020384082 vendor=Cisco severity=medium
originator:
hostId: sanitized
appName: sensorApp
appInstanceId: 548
time: November 8, 2006 9:50:48 AM UTC offset=-480 timeZone=PST
signature: description=ICMP Hard Error DoS id=2157 version=S158
subsigId: 1
sigDetails: Port Unreachable
interfaceGroup:
vlan: 1007
participants:
attacker:
addr: xxx.xxx.xxx.xxx sanitized locality=OUT
target:
addr: xxx.xxx.xxx.xxx sanitized locality=OUT
riskRatingValue: 63
interface: ge0_0
protocol: icmp
I'm open to any suggestions or comments.
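One way to get a handle on the "lots of hits, but only a few per source" pattern is to batch up the sensor's evIdsAlert text and count hits per attacker and per target for signature 2157. The following is an added example, not code from the original post or from Cisco; it assumes the alerts are concatenated in the same text form shown above, and the sample records it builds use RFC 5737 documentation addresses rather than real indicators.

```python
import re
from collections import Counter

# Constructed sample generator in the evIdsAlert text form shown in the post
# (addresses are RFC 5737 documentation ranges, not real indicators).
def make_alert(event_id, attacker, target):
    return (f"evIdsAlert: eventId={event_id} vendor=Cisco severity=medium\n"
            "signature: description=ICMP Hard Error DoS id=2157 version=S158\n"
            "subsigId: 1\nsigDetails: Port Unreachable\nparticipants:\n"
            f"attacker:\naddr: {attacker} locality=OUT\n"
            f"target:\naddr: {target} locality=OUT\nprotocol: icmp\n")

SAMPLE_ALERTS = "".join(make_alert(i, src, dst) for i, (src, dst) in enumerate([
    ("192.0.2.10", "198.51.100.25"), ("192.0.2.11", "198.51.100.25"),
    ("192.0.2.12", "198.51.100.25"), ("192.0.2.10", "198.51.100.53")], 1))

def parse_alerts(text):
    """Split concatenated evIdsAlert records and pull out the fields we need."""
    alerts = []
    for chunk in re.split(r"^(?=evIdsAlert:)", text, flags=re.M):  # Python 3.7+
        if not chunk.strip():
            continue
        rec, role = {"attacker": None, "target": None}, None
        for line in chunk.splitlines():
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "evIdsAlert":
                m = re.search(r"eventId=(\d+)", val)
                rec["eventId"] = m.group(1) if m else None
            elif key == "signature":
                m = re.search(r"\bid=(\d+)", val)
                rec["sig_id"] = m.group(1) if m else None
            elif key == "sigDetails":
                rec["sig_details"] = val
            elif key in ("attacker", "target"):
                role = key                    # following addr: line belongs to this role
            elif key == "addr" and role:
                rec[role] = val.split()[0]    # drop the trailing "locality=OUT"
        alerts.append(rec)
    return alerts

def summarize(alerts, sig_id="2157"):
    """Count hits per attacker and per target for one signature id."""
    hits = [a for a in alerts if a.get("sig_id") == sig_id]
    return {"events": len(hits),
            "per_source": Counter(a["attacker"] for a in hits),
            "per_target": Counter(a["target"] for a in hits)}

def source_profile(summary, per_source_max=3):
    """Heuristic only: many sources each at or below per_source_max reads as
    "distributed"; any single source above it reads as "concentrated"."""
    counts = summary["per_source"].values()
    if not counts:
        return "none"
    return "concentrated" if max(counts) > per_source_max else "distributed"
```

Feeding a day's worth of real alerts through summarize() and checking whether the per-target counter is dominated by the load balancer and nameserver addresses, and whether any one source stands out, is the quickest way to tell the two cases in the question apart.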