
Is it normal for AD authentication between a workstation and an AD server to generate a lot of ICMP traffic? I have a network intrusion prevention system in place that is constantly detecting a huge amount of ICMP / ping traffic from the AD server to the workstation and vice versa, so much so that it detects it as a 'flood' attack.

I've checked both the AD server and the workstation; both seem to be fine. No trojans, viruses or malware, and the endpoint protection is working fine.

Any opinions on this kind of behavior? Possible false positives?

JoeST

3 Answers


There really shouldn't be much ICMP traffic during a typical client logon to AD. It is really only used for slow link detection, and it's hardly enough to trigger an ICMP flood alert on most sane IPS systems.

Do you have any logon scripts that have ping loops to make sure that servers and the client network link are up before accessing network resources? That's a pretty common trick, and could cause the behavior that you're seeing.

MDMarra
  • About logon scripts, I doubt there is any. But good point. I'll check with our technical services guys on this. The slow link detection makes sense as it is mostly triggered by workstations in branch level. Also a quick question. For slow link detection, is the communication 2 way? As in AD sends ICMP packets to the workstations and the workstations will in turn reply back with ICMP packets as well? Thanks. – JoeST Jul 03 '12 at 16:22
  • @JoeST Yeah, that's how the detection works. It measures the round trip time of three sets of ICMP echoes. Then it uses that time to determine the link speed. – MDMarra Jul 03 '12 at 16:24

Perhaps your AD server is also your DHCP server?

It is common for a DHCP server to ping addresses before offering them up as new leases.

http://technet.microsoft.com/en-us/library/dd380200(v=ws.10).aspx

However, this shouldn't generate too many packets. (Though if you have very low lease times and a lot of turn over, it could show up.)

84104

You might be seeing the slow link detection that Group Policy does. It will transmit very large ICMP packets that end up getting fragmented to determine whether the user is logging in over a slow link or not.

Check out:

http://support.microsoft.com/kb/227260

and

http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx

Bad Dos
  • 2
    Just for completeness, it should be noted that Windows 7/Vista no longer use ICMP during slow link detection. http://support.microsoft.com/kb/2008977 – Greg Askew Jul 03 '12 at 17:13