So we are running a few Cisco IDS/IPS blades on our network. One of them has been reporting some strange activity to our external SMTP load balancer IP address, and occasionally to one of our external nameservers. It is seeing this a /lot/, but only a few times from each IP address, and nowhere near what a real DoS or DDoS would be.
My quick research has shown this as a possibility as we are seeing ICMP Hard Error with Port Unreachable flag.
Has a botnet stumbled across our IP range, or do we have a pissed off customer that is trying to craft ICMP Hard Errors in an attempt to reset connections for legit traffic?
This started on Thursday 11/2 and has been steady since then.
Here is a copy of the event from one of our IDS boxes.
evIdsAlert: eventId=1161202650020384082 vendor=Cisco severity=medium
  originator:
    hostId: sanitized
    appName: sensorApp
    appInstanceId: 548
  time: November 8, 2006 9:50:48 AM UTC offset=-480 timeZone=PST
  signature: description=ICMP Hard Error DoS id=2157 version=S158
    subsigId: 1
    sigDetails: Port Unreachable
  interfaceGroup:
  vlan: 1007
  participants:
    attacker:
      addr: xxx.xxx.xxx.xxx sanitized locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx sanitized locality=OUT
  riskRatingValue: 63
  interface: ge0_0
  protocol: icmp
I'm open to any suggestions or comments.
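One way to turn these alerts into the "few hits from many sources" versus "many hits from one source" distinction the post is asking about, as an added example that is not part of the original post or of Cisco's software: it parses the flattened evIdsAlert text for signature 2157, counts hits per attacker for each target, and labels the pattern. The sample events, the RFC 5737 addresses in them and the labelling thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Field extractors for the flattened evIdsAlert layout quoted in the post.
FIELD_PATTERNS = {
    "event_id": re.compile(r"eventId=(\d+)"),
    "severity": re.compile(r"severity=(\w+)"),
    "sig_id": re.compile(r"signature: description=.*? id=(\d+)"),
    "sig_details": re.compile(r"sigDetails: (.*?) interfaceGroup:"),
    "attacker": re.compile(r"attacker: addr: (\S+)"),
    "target": re.compile(r"target: addr: (\S+)"),
    "risk": re.compile(r"riskRatingValue: (\d+)"),
}

def parse_event(text):
    """Extract the fields above from one alert; a missing field becomes None."""
    ev = {name: (m.group(1) if (m := pat.search(text)) else None)
          for name, pat in FIELD_PATTERNS.items()}
    for key in ("event_id", "sig_id", "risk"):
        if ev[key] is not None:
            ev[key] = int(ev[key])
    return ev

def make_event(attacker, target, event_id):
    """Constructed sample alert (assumed addresses from RFC 5737 ranges)."""
    return (f"evIdsAlert: eventId={event_id} vendor=Cisco severity=medium originator: hostId: sensor1 "
            f"appName: sensorApp appInstanceId: 548 time: November 8, 2006 9:50:48 AM UTC offset=-480 "
            f"timeZone=PST signature: description=ICMP Hard Error DoS id=2157 version=S158 subsigId: 1 "
            f"sigDetails: Port Unreachable interfaceGroup: vlan: 1007 participants: attacker: addr: {attacker} "
            f"locality=OUT target: addr: {target} locality=OUT riskRatingValue: 63 interface: ge0_0 protocol: icmp")

# Constructed sample: three low-rate sources against one target, one sustained source against another.
SAMPLE_EVENTS = [make_event("198.51.100.10", "203.0.113.25", 1), make_event("198.51.100.11", "203.0.113.25", 2),
                 make_event("198.51.100.12", "203.0.113.25", 3), make_event("198.51.100.10", "203.0.113.25", 4)]
SAMPLE_EVENTS += [make_event("198.51.100.99", "203.0.113.53", 100 + i) for i in range(25)]

def profile_sources(events, sig_id=2157, single_source_min=20, low_rate_max=5):
    """Per target: distinct attackers, busiest attacker's hit count, and an assumed pattern label."""
    hits = defaultdict(Counter)
    for line in events:
        ev = parse_event(line)
        if ev["sig_id"] == sig_id and ev["attacker"] and ev["target"]:
            hits[ev["target"]][ev["attacker"]] += 1
    result = {}
    for target, per_src in hits.items():
        top = per_src.most_common(1)[0][1]
        if top >= single_source_min:
            label = "single-source sustained"      # one address doing the bulk of it
        elif len(per_src) > 1 and top < low_rate_max:
            label = "distributed low-rate"         # many addresses, a few hits each, as in the post
        else:
            label = "indeterminate"
        result[target] = {"sources": len(per_src), "max_per_source": top, "pattern": label}
    return result
```

The thresholds are assumptions to tune against your own alert volume; the parser itself only relies on the field names visible in the quoted alert.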