The Dest (Destination) Unreachable Sources sensor looks for unusually high levels of network traffic that fails to reach the destination designated by the packet. The sensor operates by monitoring ICMP return codes, whether for a network, host, or port. This type of traffic flood consumes bandwidth on the affected link, which causes reduced performance for the link’s legitimate users.
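The following added example (not CA Anomaly Detector code) shows one way to count ICMP Destination Unreachable replies per source from raw IPv4 packets. It assumes a fixed threshold instead of the product's own baseline; the function names and sample packets are constructed for illustration, and the "source" is the sender of the undelivered packet, read from the IP header quoted inside the ICMP error.

```python
import socket
import struct
from collections import Counter, defaultdict

CODES = {0: "network", 1: "host", 3: "port"}  # ICMP type 3 codes the page names

def parse_unreachable(pkt: bytes):
    """Return (source_ip, code_name) for an IPv4 ICMP type 3 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4 carrying ICMP only
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]                       # skip IP header (IHL words)
    if len(icmp) < 8 + 20 or icmp[0] != 3 or icmp[1] not in CODES:
        return None                      # not unreachable, or quoted header truncated
    quoted = icmp[8:]                    # IP header of the packet that failed delivery
    if quoted[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(quoted[12:16]), CODES[icmp[1]]

def noisy_sources(packets, threshold):
    """Map each source with >= threshold unreachable replies to its per-code counts."""
    per_source = defaultdict(Counter)
    for pkt in packets:
        hit = parse_unreachable(pkt)
        if hit:
            per_source[hit[0]][hit[1]] += 1
    return {s: dict(c) for s, c in per_source.items() if sum(c.values()) >= threshold}

def build(router, src, dst, icmp_type=3, code=3):
    """Constructed sample: ICMP message from `router` quoting a UDP packet src -> dst.
    Checksums are left at zero because the parser above does not verify them."""
    def ip(s, d, proto, length):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0,
                           socket.inet_aton(s), socket.inet_aton(d))
    quoted = ip(src, dst, 17, 28) + bytes(8)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ip(router, src, 1, 20 + len(icmp)) + icmp

# Constructed traffic (documentation address ranges): one host whose packets mostly
# fail delivery, one host with a single stray unreachable, and one echo reply.
SAMPLE = ([build("198.51.100.1", "192.0.2.10", f"203.0.113.{i}") for i in range(1, 41)]
          + [build("198.51.100.1", "192.0.2.10", "203.0.113.99", code=1)] * 5
          + [build("198.51.100.1", "192.0.2.20", "203.0.113.5", code=0)]
          + [build("198.51.100.1", "192.0.2.30", "203.0.113.5", icmp_type=0, code=0)])

if __name__ == "__main__":
    print(noisy_sources(SAMPLE, threshold=25))
```
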
Troubleshooting a Dest Unreachable Sources Alert
An ICMP flood (also known as a ping flood or Smurf attack) is one source of a Destination Unreachable Sources alert. This type of Denial of Service attack sends large numbers of ICMP packets or over-sized ICMP packets to a system. The goal of the attack is to crash the system’s TCP/IP stack so that the system stops responding to TCP/IP requests.
An ICMP attack can come in many forms. An ICMP flood is typically accomplished by broadcasting a large number of ICMP pings or UDP packets. The attack sends so much data to the system that it slows down enough to disconnect from normal business applications due to timeouts.
If you suspect a Denial of Service attack, use CA Anomaly Detector to identify each offending host, then use a firewall or ACL to try to block the host from sending data on the network. You can also set up an ACL that blocks external traffic to the affected host, or you can take the affected server offline.
Copyright © 2015 CA Technologies. All rights reserved.