Ping of Death

Hi, I have a remote office connected over a T1 line to the main office with Cisco routers. The problem is that I get tons of logs in our main firewall that connects to the outside world saying "Ping of Death Blocked". The source of the attack is always an IP address (not always the same) from the remote office and the "Destination" is always one of our three Domain Controllers that reside in the main LAN. The remote office connects to the main LAN over the T1 line for everything including Internet, DNS, AD. Any help would be appreciated!


Almost all of the IP packet information can be forged. I would not consider the information accurate and of concern about the systems being compromised. Now, if you see this traffic on the inside, then I would think that is a problem. But since you say it is on the outside of your firewall, then your firewall is doing its job and blocking this unnecessary traffic. In fact, you should just block ICMP from the outside just to be safe.

Discuss This Question: 2 Replies

  • Alan Dala
    Thank you for your fast answer! Both are private IP addresses and the T1 router for the remote office is not connected through the main firewall. Not sure if I should consider this as "inside" or not... I did some testing and when I ping from a DC or any server: ping -l 44444, the ping is blocked and "Ping of death blocked, 8, LAN, 8, LAN" shows up in my main firewall. What should I understand from this? That the remote subnet is communicating with the local DCs with packets larger than 1472 and they get blocked by the main firewall? If yes, why, and how can I fix that? Thank you!
  • Labnuke99
    The ping of death is defined as a ping larger than 65,535 bytes. So, I'm not sure why the firewall is flagging this traffic as POD. I understand that the WAN configuration is a point-to-point T1 between the sites, but I don't understand where the firewall falls into the traffic flow. It would be useful to have a diagram showing how the traffic flows between the sites and where the firewall is located in the logical traffic flow. The ICMP (PING) payload will be about 32 bytes from a Windows machine. The data section will be abcdefghijklmnopqrstuvwabcdefghi. So, if there are pings or ICMP larger than this, something is rather strange. I would recommend getting Wireshark, capturing some of the traffic and seeing what it actually looks like. ICMP can be used as a covert traffic method to carry malicious traffic into and out of a network. That is why I suggest turning it off for inbound at a minimum.
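As an added illustration of Labnuke99's point (this is not code from the thread), the script below separates a genuine Ping of Death, a fragment set that would reassemble to more than 65,535 bytes, from the legal but fragmented `ping -l 44444` the asker tested, which many firewalls still log under the same label. The link MTU of 1500 and the sample fragment sets are assumptions constructed here.

```python
from dataclasses import dataclass

IP_HDR_LEN = 20       # IPv4 header without options
ICMP_HDR_LEN = 8      # ICMP echo header (type, code, checksum, id, seq)
MAX_DATAGRAM = 65535  # 16-bit IPv4 total-length field; the true Ping of Death limit
MTU = 1500            # assumed link MTU (Ethernet / typical serial link)

@dataclass
class Fragment:
    offset: int  # fragment-offset field, in 8-byte units
    length: int  # bytes of IP payload in this fragment
    more: bool   # MF ("more fragments") flag

def fragment_echo(payload_len, mtu=MTU):
    """Split an ICMP echo carrying payload_len data bytes into IPv4 fragments as a sender would."""
    total = ICMP_HDR_LEN + payload_len
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8  # 1480 for MTU 1500: 8 ICMP header + 1472 data
    frags, pos = [], 0
    while pos < total:
        n = min(per_frag, total - pos)
        frags.append(Fragment(pos // 8, n, pos + n < total))
        pos += n
    return frags

def reassembled_size(frags):
    """IP datagram length the fragment set implies: header plus the furthest byte any fragment claims."""
    return IP_HDR_LEN + max(f.offset * 8 + f.length for f in frags)

def classify(frags):
    """Distinguish a genuine oversize datagram from a merely large, legal, fragmented ping."""
    if reassembled_size(frags) > MAX_DATAGRAM:
        return "ping-of-death"          # cannot be reassembled into a valid IPv4 datagram
    if len(frags) > 1:
        return "large-fragmented-ping"  # legal; some firewalls still log it as "Ping of Death"
    return "normal-ping"

# Constructed samples (not from the thread): the Windows default echo, the thread's ping -l 44444,
# and a malformed fragment set whose last piece points past the 65,535-byte limit.
WINDOWS_DEFAULT = fragment_echo(len("abcdefghijklmnopqrstuvwabcdefghi"))  # 32 data bytes
LARGE_PING = fragment_echo(44444)
OVERSIZE = [Fragment(0, 1480, True), Fragment(8189, 32, False)]  # 8189*8+32 = 65544 > 65515

if __name__ == "__main__":
    for name, frags in [("default", WINDOWS_DEFAULT), ("-l 44444", LARGE_PING), ("oversize", OVERSIZE)]:
        print(f"{name}: {len(frags)} fragment(s), {reassembled_size(frags)} bytes -> {classify(frags)}")
```

The first fragment of the 44444-byte ping carries exactly 1472 data bytes, which is the figure the asker saw; a firewall that alarms on any fragmented ICMP is reacting to size, not to a malformed datagram.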
