
Stealthwatch Ping Oversized Packet

alexander05
Level 1

Hi,
I have an issue with the security event "Ping Oversized Packet" in Stealthwatch. In the documentation I see the following: "It searches for ICMP packets that are larger than the standard size of 90 bytes, either as an ICMP echo request (if the host is the destination of the packet) or as an ICMP echo reply (if the host is the source of the packet)". But in my network Stealthwatch generates this event for ICMP Type 3 (Destination unreachable) Code 3 (Port unreachable). A PC in the network sends a DNS request to two DNS servers at the same time. After receiving the first DNS reply, it closes its own UDP port. So when it receives the DNS reply from the second DNS server, it sends ICMP Type 3 (Destination unreachable) Code 3 (Port unreachable). ICMP Type 3 includes the IP packet which caused this action, so it is more than 90 bytes. Is this the correct behavior of Stealthwatch?

 

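For triaging this event against a packet capture, the following is an added example (not part of the original post and not Stealthwatch code) that applies the documented definition to raw IPv4 packets and separates oversized echo traffic from a port-unreachable message that is large only because it embeds the late DNS reply. Assumptions: the 90-byte threshold is compared with the IP total length, the whole offending datagram is embedded, and all addresses, ports and payload sizes are constructed.

```python
import struct

ECHO_TYPES = {8: "echo request", 0: "echo reply"}
THRESHOLD = 90  # bytes, from the documentation quoted in the post
                # (assumption: measured against the IPv4 total length)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))

def icmp(icmp_type, code, body):
    """8-byte ICMP header (checksum and rest-of-header zero) plus body."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + body

def classify(packet):
    """Return (type, code, ip_total_len, matches_documented_rule)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:                      # IP protocol 1 = ICMP
        raise ValueError("not an ICMP packet")
    icmp_type, code = packet[ihl], packet[ihl + 1]
    oversized_echo = icmp_type in ECHO_TYPES and total_len > THRESHOLD
    return icmp_type, code, total_len, oversized_echo

def samples():
    """Constructed packets: the scenario from the post plus two pings."""
    pc, dns2 = (10, 0, 0, 5), (10, 0, 0, 53)
    dns_answer = bytes(100)                 # placeholder DNS payload
    udp = struct.pack("!HHHH", 53, 50000, 8 + len(dns_answer), 0) + dns_answer
    late_reply = ipv4_header(dns2, pc, 17, len(udp)) + udp
    bodies = {
        "port_unreachable": icmp(3, 3, late_reply),  # embeds the late reply
        "big_ping": icmp(8, 0, bytes(100)),
        "small_ping": icmp(8, 0, bytes(32)),
    }
    return {k: ipv4_header(pc, dns2, 1, len(v)) + v for k, v in bodies.items()}

if __name__ == "__main__":
    for name, pkt in samples().items():
        t, c, size, hit = classify(pkt)
        print(f"{name}: type={t} code={c} size={size} "
              f"oversized_echo={hit}")
```

How much of the original datagram an ICMP error carries varies by operating system, so the size of a real Type 3 message should be read from the capture rather than assumed.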