icmp_src_session

Question

Greetings    one of the Pupils in our school has a laptop, our Fortigate 100D keeps generating the following alerts.    Message meets Alert condition  The following intrusion was observed: " icmp_src_session" .  date=2014-06-02 time=17:49:46 devname=WYKEHAMFG01 devid=FG100D3G12802595 logid=0420018433 type=ips subtype=anomaly level=alert severity=critical srcip=10.0.6.146 dstip=23.21.45.133 srcintf=" port1"  policyid=N/A identidx=N/A sessionid=0 status=detected proto=1 service=icmp count=226 attackname=" icmp_src_session"  icmpid=0x51a0 icmptype=0x08 icmpcode=0x00 attackid=16777321 sensor=" DoS-policy2"  ref=" http://www.fortinet.com/ids/VID16777321"  msg=" anomaly: icmp_src_session, 439 > threshold 300, repeats 226 times"       The link Provided http://www.fortinet.com/ids/VID16777321  However provides no real help as to the problem.  Could anyone give me a hint as to what i am looking for on the laptop in question?    Thank you

neonbit · Answer

Hi Darius,    Your Denial of service policy has detected an ICMP flood. The ICMP packets are ' pings'  (type8, code0), so this computer (WYKEHAMFG01) has been flooding 23.21.45.133 (compute-1.amazonaws.com) with hundreds of pings. This is not normal behaviour.    You can see in the logs that the threshold configured for pings is 300, and he' s sent 439 (and repeated it 266 times).    From what I' ve seen in schools, it' s usually the students playing around with some new ' hacking tool'  they' ve found and are testing it out. Have a look and see if he' s running any Denial of Service programs like LOIC/HOIC/XOIC, or has a virtual computer like Backtrack/KALI installed.    If you have a FortiAnalyzer I would run a web/application/threat report for his computer to get an idea what the student is doing.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded