Results 1 to 2 of 2

Thread: Baselining ICMP

  1. #1
    Junior Member
    Join Date
    Dec 2002

    Question Baselining ICMP

    I was just hired by a small security consulting firm as a security analyst. I just graduated school about a month ago. For my first task, my supervisor would like me to compare the pros and cons of baselining ICMP traffic. I have several ideas but would like to hear from a more experienced audience. Thanks in advance.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    My 2 cents......<s>

    Baselining ICMP would allow you to notice increases in such traffic should ICMP be used by the attacking system, (worm, cracker or whatever), but is effectively useless against any other form of reconnaisance and is not necessarily the most effective indicator that things are not right. Furthermore, a careful cracker initially using ICMP against your resources would probably not affect the volume of traffic sufficiently to exceed the normal variation of the baselined traffic.

    I believe it is more useful to watch for traffic that has little or no use outside it's malicious intent as opposed to watching traffic that is used for the basic management of the network itself. Don't get me wrong there though - still maintain a watch for unusually high ICMP traffic on the internal network as an indicator of malicious activity by either an automated system or an unsophisticated user but the time and effort spent to baseline the traffic could probably be put to better use elsewhere.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts