December 7th, 2002, 09:05 PM
I was just hired by a small security consulting firm as a security analyst. I just graduated school about a month ago. For my first task, my supervisor would like me to compare the pros and cons of baselining ICMP traffic. I have several ideas but would like to hear from a more experienced audience. Thanks in advance.
December 9th, 2002, 03:25 PM
My 2 cents......<s>
Baselining ICMP would allow you to notice increases in such traffic should ICMP be used by the attacking system, (worm, cracker or whatever), but is effectively useless against any other form of reconnaisance and is not necessarily the most effective indicator that things are not right. Furthermore, a careful cracker initially using ICMP against your resources would probably not affect the volume of traffic sufficiently to exceed the normal variation of the baselined traffic.
I believe it is more useful to watch for traffic that has little or no use outside it's malicious intent as opposed to watching traffic that is used for the basic management of the network itself. Don't get me wrong there though - still maintain a watch for unusually high ICMP traffic on the internal network as an indicator of malicious activity by either an automated system or an unsophisticated user but the time and effort spent to baseline the traffic could probably be put to better use elsewhere.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides