Increased ICMP Traffic on Network

  1. #1
    Registered User
    Join Date
    Aug 2002
    Posts
    27

    Increased ICMP Traffic on Network

    Good afternoon to all the network-gurus

    Let me give a little background to set this up:
    I work at a small private college in the IT department.
    Our network is divided into three VLANs: Residence Halls, Administrative and Academic (Faculty, Labs).
    We run everything through an HP 9304 Routing Switch, which is set up to deny almost all traffic coming from the residence halls to either the academic or admin networks. I view the log of this "denied traffic" daily.


    My quandary is this:

    Over the last couple of days, I have seen a BIG jump in ICMP traffic between the Res VLAN and the Admin VLAN.

    For example, there are ICMP connection attempts from sequential IPs (172.16.3.10, 172.16.3.11, 172.16.3.12, etc.) to the exact same IP on the Admin network. This has been happening every few seconds for the past few days. It almost always goes sequentially from the sender's side, and it has targeted the same IP on the admin side (luckily just a workstation, not a mission-critical server, host, etc.).

    Any ideas what may be causing this? Is there a certain virus or other type of trojan that might be causing this?
    What do you think of the Compaq Presarios?

    Well personally, ma'am, I wouldn't own a computer whose middle name is sorry

  2. #2
    Registered User Kineda's Avatar
    Join Date
    Jan 2003
    Location
    Frozen Tundra
    Posts
    413
    Heehee running an illegal music download server from the workstation....don't tell the RIAA
    No job is so simple that it cannot be done wrong


    Comprehension is not a prerequisite of your cooperation.

  3. #3
    Registered User Gollo's Avatar
    Join Date
    Sep 2001
    Location
    Grand Rapids, Michigan US of A
    Posts
    2,383
    Can't you trace IP to MAC to port on switch to user? It could also be a virus of some sort or some script kiddie running an IP scanner. Another thing you might check is (if your school offers it; if not, then disregard) the users taking any computer security courses. Everybody that is "in the know" here on campus knows to unplug their computers when the security class is in session. It could be one of the students trying to apply his newfound knowledge. I'm betting on script kiddie or virus though. Cheers.
    "I feel like one of those mass murderers on death row. I never understood how the hell they got more chicks than I did. Now I know. They sold crap on eBay." -- Anonymous ebayer

    "I figured out what's wrong with life: it's other people." -- Dilbert

  4. #4
    Registered User dddwarp's Avatar
    Join Date
    Sep 2003
    Location
    Next to My Cookie Jar
    Posts
    71
    It is either a virus or someone scanning. I work at a mid-size university and I check out this type of event once a week. You do have to be careful about checking out what system in the dorms because of privacy issues. It depends on your policies. We have a policy that the students sign that says they are not allowed to "scan" other networks. When we find out about it, we can kick them off the network. Another policy is that if they have a virus, we can kick them off the network also. Have fun, my favorite part of the job is hunting down people who are doing stuff they are not supposed to.
    "Computer, compute to the last digit the value of pi" -- Spock (Wolf in the Fold)

    "The best diplomat that I know is a fully-loaded phaser bank." -- Lt. Cdr. Montgomery Scott ("A Taste of Armageddon")

    "Please, Spock, do me a favor ... 'n' don't say it's `fascinating'..." -- Dr. McCoy
    "No... but it is... interesting..." -- Spock (The Ultimate Computer)

  5. #5
    Registered User cisco2's Avatar
    Join Date
    Jun 2002
    Location
    Tucson, AZ
    Posts
    465
    It's been several years since I worked any protocol issues but this rings a couple bells.

    First off I'd check the MAC addresses coming in, as Gollo suggested. If it's all from the same or a small pool of MAC addresses then you've probably got someone trying to hack in by finding an IP address that is allowed in.

    I'd more likely suspect some service or program on the PC the traffic is being sent to, however. We had an issue where a client installed the software that came with his HP printer, and it installed a network print manager by default (I have a bit of a pet peeve about HP's driver installs, they want to do too much for you by default, but I digress). This print manager would go out and query every address on the network every time he started his PC; it was looking for printers to manage. Another network-wide problem we had, where we had to call in a protocol expert, was ultimately caused by one of our network admins who had installed a software-based protocol analyzer he'd gotten. It tossed the NIC into promiscuous mode and, for reasons I can't recall, began spoofing MAC addresses that already existed as it was doing whatever it did. It was more involved than that, but this one PC running that software was generating huge amounts of traffic all across the network. Really hosed up our network traffic and bandwidth for a week or more.

    I'd take a careful look at that one PC and look for any software or services that might be causing this. You could change the IP address on that PC and see if the problem follows the new IP address. Maybe turn it off at night and see if the problem goes away or starts targeting another address as well.

    Good luck.
    If it's true that wherever you go, there you are: how come so many people look lost?
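
Added example, not part of any post in this thread: one way to run the checks suggested above (sequential source IPs hitting one destination, then counting the MAC addresses behind them) over a denied-traffic log. The log format, MAC addresses and destination IPs are constructed for illustration and are not the HP 9304's real log syntax; it also assumes the log records the source MAC.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a made-up format (assumption, not real HP output).
SAMPLE_LOG = """\
10:00:01 deny icmp src=172.16.3.10 mac=00:11:22:33:44:55 dst=172.16.1.50
10:00:04 deny icmp src=172.16.3.11 mac=00:11:22:33:44:55 dst=172.16.1.50
10:00:07 deny icmp src=172.16.3.12 mac=00:11:22:33:44:55 dst=172.16.1.50
10:00:09 deny tcp src=172.16.3.40 mac=00:aa:bb:cc:dd:01 dst=172.16.1.20
10:00:10 deny icmp src=172.16.3.13 mac=00:11:22:33:44:55 dst=172.16.1.50
10:00:12 deny icmp src=172.16.3.77 mac=00:aa:bb:cc:dd:02 dst=172.16.1.9
"""
LINE_RE = re.compile(
    r"deny icmp src=(?P<src>\S+) mac=(?P<mac>\S+) dst=(?P<dst>\S+)")

def longest_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def analyze(log_text, min_run=3):
    """Flag destinations hit by ICMP from >= min_run sequential source IPs."""
    srcs, macs = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-ICMP or unparseable line
        srcs[m["dst"]].add(m["src"])
        macs[m["dst"]].add(m["mac"].lower())
    findings = []
    for dst, sources in srcs.items():
        run = longest_run(sources)
        if run < min_run:
            continue
        # Many source IPs behind few MACs suggests one machine cycling through
        # addresses; about one MAC per IP suggests many separate machines.
        few_macs = len(macs[dst]) * 2 <= len(sources)
        findings.append({"dst": dst, "sources": len(sources), "run": run,
                         "macs": sorted(macs[dst]), "single_origin": few_macs})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Any MAC the script reports is the starting point for the IP-to-MAC-to-switch-port trace suggested in post #3.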
