Daruis_van_Wijk
New Contributor

icmp_src_session

Greetings, one of the pupils in our school has a laptop, and our Fortigate 100D keeps generating the following alerts.

Message meets Alert condition
The following intrusion was observed: "icmp_src_session".
date=2014-06-02 time=17:49:46 devname=WYKEHAMFG01 devid=FG100D3G12802595 logid=0420018433 type=ips subtype=anomaly level=alert severity=critical srcip=10.0.6.146 dstip=23.21.45.133 srcintf="port1" policyid=N/A identidx=N/A sessionid=0 status=detected proto=1 service=icmp count=226 attackname="icmp_src_session" icmpid=0x51a0 icmptype=0x08 icmpcode=0x00 attackid=16777321 sensor="DoS-policy2" ref="http://www.fortinet.com/ids/VID16777321" msg="anomaly: icmp_src_session, 439 > threshold 300, repeats 226 times"

The link provided, http://www.fortinet.com/ids/VID16777321, however provides no real help as to the problem. Could anyone give me a hint as to what I am looking for on the laptop in question? Thank you
neonbit
Valued Contributor

Hi Darius,

Your Denial of Service policy has detected an ICMP flood. The ICMP packets are 'pings' (type 8, code 0), so this computer (WYKEHAMFG01) has been flooding 23.21.45.133 (compute-1.amazonaws.com) with hundreds of pings. This is not normal behaviour. You can see in the logs that the threshold configured for pings is 300, and he's sent 439 (and repeated it 266 times).

From what I've seen in schools, it's usually the students playing around with some new 'hacking tool' they've found and are testing it out. Have a look and see if he's running any Denial of Service programs like LOIC/HOIC/XOIC, or has a virtual computer like Backtrack/KALI installed.

If you have a FortiAnalyzer I would run a web/application/threat report for his computer to get an idea what the student is doing.
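Added example, not part of the reply above and not Fortinet code: a short Python parser that pulls the fields discussed in this thread out of the alert line from the question, so the same reading can be applied to other anomaly alerts. The function names and the small ICMP type table are this example's own.

```python
import re

# Alert line copied from the question in this thread.
SAMPLE = (
    'date=2014-06-02 time=17:49:46 devname=WYKEHAMFG01 devid=FG100D3G12802595 '
    'logid=0420018433 type=ips subtype=anomaly level=alert severity=critical '
    'srcip=10.0.6.146 dstip=23.21.45.133 srcintf="port1" policyid=N/A '
    'identidx=N/A sessionid=0 status=detected proto=1 service=icmp count=226 '
    'attackname="icmp_src_session" icmpid=0x51a0 icmptype=0x08 icmpcode=0x00 '
    'attackid=16777321 sensor="DoS-policy2" '
    'ref="http://www.fortinet.com/ids/VID16777321" '
    'msg="anomaly: icmp_src_session, 439 > threshold 300, repeats 226 times"'
)

# A value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The observed value, the configured threshold and the repeat count sit in msg.
MSG = re.compile(r'(\d+) > threshold (\d+), repeats (\d+) times')
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}


def parse_fields(line):
    """Split a key=value log line into a dict of stripped strings."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = (quoted or bare).strip()
    return fields


def summarize(line):
    """Return the triage-relevant fields of an IPS anomaly alert, else None."""
    f = parse_fields(line)
    if f.get("type") != "ips" or f.get("subtype") != "anomaly":
        return None
    m = MSG.search(f.get("msg", ""))
    icmp = int(f["icmptype"], 16) if "icmptype" in f else None
    return {
        "reporting_device": f.get("devname"),  # the device that wrote the log
        "source": f.get("srcip"),              # host that triggered the anomaly
        "destination": f.get("dstip"),
        "anomaly": f.get("attackname"),
        "sensor": f.get("sensor"),
        "icmp": ICMP_TYPES.get(icmp, icmp),
        "observed": int(m.group(1)) if m else None,
        "threshold": int(m.group(2)) if m else None,
        "repeats": int(m.group(3)) if m else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:17} {value}")
```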
Daruis_van_Wijk
New Contributor

Unfortunately we do not have the FortiAnalyzer, but thank you. At least I now have some idea of what I should be looking for.