Is it normal for AD authentication between a workstation and an AD server to generate a lot of ICMP traffic? I have a network intrusion prevention system in place that is constantly detecting a huge amount of ICMP / ping traffic from AD to workstation, and vice versa. So much so that it detects them as a 'flood' attack.
I've checked both the AD server and the workstation, and both seem to be fine. No trojans, viruses, or malware, and the endpoint protection is working fine.
Any opinions on this kind of behavior? Possible false positives?
There really shouldn't be much ICMP traffic during a typical client logon to AD. It is really only used for slow link detection, and it's hardly enough to trigger an ICMP flood alert on most sane IPS systems.
Do you have any logon scripts that have ping loops to make sure that servers and the client network link are up before accessing network resources? That's a pretty common trick, and could cause the behavior that you're seeing.
Perhaps your AD server is also your DHCP server?
It is common for a DHCP server to ping addresses before offering them up as new leases.
http://technet.microsoft.com/en-us/library/dd380200(v=ws.10).aspx
However, this shouldn't generate too many packets. (Though if you have very low lease times and a lot of turnover, it could show up.)
You might be seeing the slow link detection that group policy does. It will transmit very large ICMP packets that end up getting fragmented to determine if the user is logging in over a slow link or not.
Check out:
http://support.microsoft.com/kb/227260
and
http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx
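One way to triage the IPS records before accepting the flood verdict, added here as an example and not something any of the posters provided: it groups ICMP records by source host and labels each source by peak rate, payload size and fan-out, so the patterns named in the answers (large fragmented probes from group policy slow link detection, one ping per candidate address from a DHCP server, a genuine burst) can be told apart. The log line format, the 1472-byte fragmentation threshold and the 100 pps rate are assumptions.

```python
from collections import Counter, defaultdict

# Constructed IPS export lines (not from the thread): "<epoch-second> <src> <dst> <icmp-payload-bytes>"
SAMPLE_LINES = [
    "1700000000 10.0.0.50 10.0.0.10 2048",   # workstation -> DC, a few large echoes
    "1700000000 10.0.0.50 10.0.0.10 2048",
    "1700000001 10.0.0.50 10.0.0.10 2048",
    "1700000005 10.0.0.10 10.0.0.120 32",    # DC/DHCP -> one small ping per candidate lease
    "1700000006 10.0.0.10 10.0.0.121 32",
    "1700000007 10.0.0.10 10.0.0.122 32",
] + ["1700000009 10.0.0.77 10.0.0.10 56" for _ in range(300)]  # 300 echoes in one second

MTU_PAYLOAD = 1472   # assumed: largest ICMP payload that fits a single 1500-byte Ethernet frame
FLOOD_PPS = 100      # assumed: per-source packets/second at which a flood alert is plausible

def parse_lines(lines):
    """Parse the constructed log format into (second, src, dst, size) tuples."""
    recs = []
    for line in lines:
        ts, src, dst, size = line.split()
        recs.append((int(ts), src, dst, int(size)))
    return recs

def profile_sources(recs):
    """Summarise ICMP per source host and label the traffic pattern it shows."""
    per_src = defaultdict(list)
    for rec in recs:
        per_src[rec[1]].append(rec)
    out = {}
    for src, items in per_src.items():
        peak_pps = max(Counter(ts for ts, *_ in items).values())   # busiest one-second window
        max_size = max(size for *_, size in items)
        dsts = {dst for _, _, dst, _ in items}
        if peak_pps >= FLOOD_PPS:
            label = "burst"          # rate alone justifies a closer look at this host
        elif max_size > MTU_PAYLOAD:
            label = "large-probe"    # oversized echoes that fragment: slow link detection pattern
        elif len(dsts) == len(items):
            label = "one-per-host"   # single ping per destination: lease conflict-check pattern
        else:
            label = "low-rate"       # small, repeated echoes: e.g. a logon script ping loop
        out[src] = {"count": len(items), "peak_pps": peak_pps,
                    "max_size": max_size, "hosts": len(dsts), "label": label}
    return out

if __name__ == "__main__":
    for src, profile in profile_sources(parse_lines(SAMPLE_LINES)).items():
        print(src, profile)
```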