So we are running a few Cisco IDS/IPS blades on our network. One of them has been reporting some strange activity to our external SMTP load balancer IP address, and occasionally to one of our external nameservers. It is seeing this a /lot/, but only a few times from each IP address, and nowhere near what a real DoS or DDoS would be.

My quick research has shown this as a possibility, as we are seeing ICMP Hard Error with the Port Unreachable flag.

Has a botnet stumbled across our IP range, or do we have a pissed off customer that is trying to craft ICMP Hard Errors in an attempt to reset connections for legit traffic?

This started on Thursday 11/2 and has been steady since then.

Here is a copy of the event from one of our IDS boxes.

evIdsAlert: eventId=1161202650020384082  vendor=Cisco  severity=medium  
    hostId: sanitized
    appName: sensorApp  
    appInstanceId: 548  
  time: November 8, 2006 9:50:48 AM UTC  offset=-480  timeZone=PST  
  signature:   description=ICMP Hard Error DoS  id=2157  version=S158  
    subsigId: 1  
    sigDetails: Port Unreachable  
  vlan: 1007  
      addr: sanitized locality=OUT  
      addr: sanitized locality=OUT  
  riskRatingValue: 63  
  interface: ge0_0  
  protocol: icmp

I'm open to any suggestions or comments.
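For anyone trying to reason about what these alerts can actually do: the signature fires on ICMP Destination Unreachable messages with a "hard error" code (RFC 1122 lists protocol unreachable, port unreachable and fragmentation needed), which a naive TCP stack treats as a reason to abort the connection named in the quoted inner packet. Below is an added example, not part of the original post or of Cisco's signature, that constructs a few such ICMP messages, parses the quoted IPv4/TCP headers, and applies the checks RFC 5927 recommends before honouring one: the quoted 4-tuple must match a live connection, the quoted sequence number must fall inside the sender's unacknowledged window, and hard errors against an already established connection are downgraded to soft errors. The connection table, addresses, ports and packet bytes are all constructed for the example; no real capture is used.

```python
"""Parse ICMP 'hard error' messages and decide whether a hardened TCP stack
should let them abort a connection.  Added example; packets are constructed."""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
# RFC 1122 hard-error codes: 2 protocol, 3 port, 4 fragmentation needed
HARD_ERROR_CODES = {2: "protocol unreachable", 3: "port unreachable", 4: "fragmentation needed"}
IPPROTO_TCP = 6


@dataclass(frozen=True)
class Conn:
    """Our side of a TCP connection; the quoted segment is one *we* sent."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number we will send
    state: str     # "SYN_SENT" or "ESTABLISHED" (assumed labels, not a real stack's)


def ip4(text):
    return bytes(int(o) for o in text.split("."))


def ip4s(raw):
    return ".".join(str(o) for o in raw)


def build_icmp_error(code, quoted_src, sport, quoted_dst, dport, seq, icmp_type=ICMP_DEST_UNREACH):
    """Constructed ICMP error: 8-byte ICMP header, then the quoted IPv4 header and
    the first 8 bytes of the quoted TCP header (ports + sequence number).
    Checksums are left as zero; this example only parses, never transmits."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                           ip4(quoted_src), ip4(quoted_dst))
    inner_tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_tcp8


def parse_icmp_error(pkt):
    """Return (code, src, sport, dst, dport, seq) for a TCP hard error, else None."""
    if len(pkt) < 8 + 20 + 8:
        return None
    icmp_type, code = pkt[0], pkt[1]
    if icmp_type != ICMP_DEST_UNREACH or code not in HARD_ERROR_CODES:
        return None
    inner = pkt[8:]                       # quoted IPv4 header starts here
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8 or inner[9] != IPPROTO_TCP:
        return None
    src, dst = ip4s(inner[12:16]), ip4s(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return code, src, sport, dst, dport, seq


def seq_in_window(seq, una, nxt):
    """True if una <= seq < nxt, with 32-bit sequence-number wraparound."""
    return (seq - una) % 2**32 < (nxt - una) % 2**32


def classify(pkt, conns):
    """Verdict for one ICMP message.  conns maps
    (local_ip, local_port, remote_ip, remote_port) -> Conn."""
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return "ignore"                  # not a TCP hard error at all
    code, src, sport, dst, dport, seq = parsed
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return "no-connection"           # scan noise or stale state; nothing to abort
    if not seq_in_window(seq, conn.snd_una, conn.snd_nxt):
        return "off-window-drop"         # RFC 5927 sequence check: a blind sender cannot guess this
    if conn.state == "ESTABLISHED":
        return "soft-error"              # RFC 5927: hard errors do not abort synchronized connections
    return "abort"                       # SYN_SENT: a genuine refusal, fail the connect()


# Constructed connection table (RFC 5737 documentation addresses).
CONNS = {
    ("203.0.113.25", 25, "198.51.100.7", 40000):
        Conn("203.0.113.25", 25, "198.51.100.7", 40000, 1000, 1500, "ESTABLISHED"),
    ("203.0.113.25", 51000, "198.51.100.9", 25):
        Conn("203.0.113.25", 51000, "198.51.100.9", 25, 7000, 7001, "SYN_SENT"),
}

# Constructed sample messages, one per outcome.
SAMPLES = {
    "in_window_established": build_icmp_error(3, "203.0.113.25", 25, "198.51.100.7", 40000, 1200),
    "spoofed_off_window":    build_icmp_error(3, "203.0.113.25", 25, "198.51.100.7", 40000, 999999),
    "no_such_conn":          build_icmp_error(3, "203.0.113.25", 25, "198.51.100.77", 40000, 1200),
    "refused_syn":           build_icmp_error(3, "203.0.113.25", 51000, "198.51.100.9", 25, 7000),
    "echo_request":          build_icmp_error(0, "203.0.113.25", 25, "198.51.100.7", 40000, 1200, icmp_type=8),
}


def run_samples():
    return {name: classify(pkt, CONNS) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The point the example makes: a sender who has not seen the connection's traffic must guess both the ephemeral port and an in-window sequence number, so scattered "a few per source" hard errors against a busy SMTP address are far more consistent with scan backscatter or misbehaving peers than with a working reset attack, unless the stack on the load balancer honours hard errors without the sequence check.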