Is it normal for AD authentication to generate a lot of ICMP traffic?

There really shouldn't be much ICMP traffic during a typical client logon to AD. It is really only used for slow link detection, and it's hardly enough to trigger an ICMP flood alert on most sane IPS systems.

Do you have any logon scripts that have ping loops to make sure that servers and the client network link are up before accessing network resources? That's a pretty common trick, and could cause the behavior that you're seeing.


Perhaps your AD server is also your DHCP server?

It is common for a DHCP server to ping addresses before offering them up as new leases.

http://technet.microsoft.com/en-us/library/dd380200(v=ws.10).aspx

However, this shouldn't generate too many packets. (Though if you have very low lease times and a lot of turnover, it could show up.)


You might be seeing the slow link detection that group policy does. It will transmit very large ICMP packets that end up getting fragmented to determine if the user is logging in over a slow link or not.

Check out:

http://support.microsoft.com/kb/227260

and

http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx
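The three answers above each name a benign source of ICMP echo requests around an AD logon: logon-script ping loops, DHCP conflict detection before a lease is offered, and group policy slow link detection with oversized, fragmented packets. The following script is an added example, not code from any answer in this thread: it reads tcpdump-style text lines and sorts echo requests into those three buckets so a defender can see which one explains the volume before assuming an ICMP flood. The log lines, host addresses, the 1500-byte "large" threshold and the 5-ping "loop" threshold are all constructed assumptions for the example; the line format is a simplified tcpdump-like layout, not a guarantee of any tool's exact output.

```python
"""Triage ICMP echo requests from a tcpdump-style text log (added example).

Categories (each matches one of the answers in the thread):
  dhcp_conflict_check  - echo requests sent by a known DHCP server
  gp_slow_link_probe   - a client sending oversized echo requests to a DC
  ping_loop            - one client repeatedly pinging one host
  unexplained          - anything else, for a human to look at
"""
import re
from collections import defaultdict

# Regex for the constructed line format used below. Only echo requests match;
# echo replies and non-ICMP lines are skipped on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Thresholds are assumptions for this example, not values from the thread.
LARGE_PAYLOAD = 1500   # longer than an Ethernet MTU, so it will fragment
LOOP_MIN_COUNT = 5     # this many pings to a single host looks like a loop

# Constructed sample capture: 10.0.0.5 is both the DC and the DHCP server.
SAMPLE_LINES = """\
10:00:01.000 IP 10.0.0.5 > 10.0.0.131: ICMP echo request, id 1, seq 1, length 8
10:00:01.050 IP 10.0.0.5 > 10.0.0.132: ICMP echo request, id 1, seq 2, length 8
10:00:01.100 IP 10.0.0.5 > 10.0.0.133: ICMP echo request, id 1, seq 3, length 8
10:00:02.000 IP 10.0.0.20 > 10.0.0.5: ICMP echo request, id 7, seq 1, length 8
10:00:02.010 IP 10.0.0.20 > 10.0.0.5: ICMP echo request, id 7, seq 2, length 2056
10:00:02.020 IP 10.0.0.20 > 10.0.0.5: ICMP echo request, id 7, seq 3, length 2056
10:00:05.000 IP 10.0.0.40 > 10.0.0.5: ICMP echo request, id 9, seq 1, length 40
10:00:05.001 IP 10.0.0.5 > 10.0.0.40: ICMP echo reply, id 9, seq 1, length 40
10:00:06.000 IP 10.0.0.40 > 10.0.0.5: ICMP echo request, id 9, seq 2, length 40
10:00:07.000 IP 10.0.0.40 > 10.0.0.5: ICMP echo request, id 9, seq 3, length 40
10:00:08.000 IP 10.0.0.40 > 10.0.0.5: ICMP echo request, id 9, seq 4, length 40
10:00:09.000 IP 10.0.0.40 > 10.0.0.5: ICMP echo request, id 9, seq 5, length 40
10:00:10.000 IP 10.0.0.40 > 10.0.0.5: ICMP echo request, id 9, seq 6, length 40
10:00:11.000 IP 10.0.0.77 > 10.0.0.5: ICMP echo request, id 3, seq 1, length 40
""".splitlines()
DHCP_SERVERS = {"10.0.0.5"}        # assumed inventory for the example
DOMAIN_CONTROLLERS = {"10.0.0.5"}  # assumed inventory for the example


def parse(lines):
    """Yield one dict per echo-request line; lines that don't match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["len"] = int(pkt["len"])
            yield pkt


def classify(lines, dhcp_servers, domain_controllers):
    """Return {category: number_of_echo_requests} for the given log lines."""
    per_pair = defaultdict(list)   # (src, dst) -> list of packets
    for pkt in parse(lines):
        per_pair[(pkt["src"], pkt["dst"])].append(pkt)

    counts = defaultdict(int)
    for (src, dst), pkts in per_pair.items():
        if src in dhcp_servers:
            # DHCP server probing a candidate address before offering it
            counts["dhcp_conflict_check"] += len(pkts)
        elif dst in domain_controllers and any(p["len"] > LARGE_PAYLOAD for p in pkts):
            # oversized echo requests from a client to its DC: slow link test
            counts["gp_slow_link_probe"] += len(pkts)
        elif len(pkts) >= LOOP_MIN_COUNT:
            # one client hammering one host: typical logon-script ping loop
            counts["ping_loop"] += len(pkts)
        else:
            counts["unexplained"] += len(pkts)
    return dict(counts)


def triage_sample():
    """Run the classifier over the constructed capture."""
    return classify(SAMPLE_LINES, DHCP_SERVERS, DOMAIN_CONTROLLERS)


if __name__ == "__main__":
    for category, n in sorted(triage_sample().items()):
        print(f"{category:22s} {n}")
```

Feeding a real capture means exporting it to text (for example with tcpdump's default one-line output, after adjusting `LINE_RE` to the exact format your version prints) and replacing `SAMPLE_LINES` with the file's lines and the two host sets with your own DC and DHCP inventory. Whatever lands in `unexplained` is the part worth investigating; the other three buckets are the expected background an IPS should be tuned not to alert on.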