Solarwinds NPM triggers smurf attacks on IPS devices

Question

I started collecting information on a Cisco switch and a router with an IPS device in between.  The IPS is seeing the traffic coming from Solarwinds NPM as Smurf attacks and eventually the IPS, which is manufactured by secureworks, becomes overloaded and needs to be rebooted.  Any thoughts on this?

jgarcia1 · Accepted Answer

Hello Guys,

I would like to close this ticket as I believe we have found a solution to this issue.  It seems that we had a routing issue that it was causing the solarwinds' ICMP discovery packets to be sent back and forward between an internal router and a firewall with the IPS in the middle getting hammered and overloaded.  We added a Null0 route for the major subnet on the internal router between the firewall and the firewall to be dropped when it did not have specific router to it.