UPC broadband - ongoing echo requests - boards.ie
06-06-2012, 22:31   #1
Dum_Dum
Registered User
 
Join Date: Apr 2008
Location: Waterford City
Posts: 324
UPC broadband - ongoing echo requests

For years now my firewall has picked up frequent bursts of ICMP echo requests from various disparate sources on the net. The bursts last only a few minutes and consist of about 6-10 different hosts at a time sending the requests every few seconds.

Even when my IP address changes (or I force a change) the same pattern repeats.

What's the point of these probes?

Code:
Jun  6 22:26:38 HOSTNAME pf: 667416 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61482, offset 0, flags [none], proto ICMP (1), length 28) 14.0.33.197 > MY_CURRENT_IP: ICMP echo request, id 43106, seq 10, length 8
Jun  6 22:26:38 HOSTNAME pf: 525231 rule 181/0(match): block in on em1: (tos 0x0, ttl 3, id 47986, offset 0, flags [none], proto ICMP (1), length 28) 174.35.5.35 > MY_CURRENT_IP: ICMP echo request, id 62286, seq 10, length 8
Jun  6 22:26:39 HOSTNAME pf: 489993 rule 181/0(match): block in on em1: (tos 0x0, ttl 22, id 61546, offset 0, flags [none], proto ICMP (1), length 28) 174.35.67.60 > MY_CURRENT_IP: ICMP echo request, id 29501, seq 0, length 8
Jun  6 22:26:39 HOSTNAME pf: 190674 rule 181/0(match): block in on em1: (tos 0x0, ttl 5, id 37386, offset 0, flags [none], proto ICMP (1), length 28) 125.29.53.94 > MY_CURRENT_IP: ICMP echo request, id 50979, seq 14, length 8
Jun  6 22:26:39 HOSTNAME pf: 209938 rule 100/0(match): block in on em1: (tos 0x0, ttl 7, id 45671, offset 0, flags [none], proto ICMP (1), length 28) 221.139.107.157 > MY_CURRENT_IP: ICMP echo request, id 10226, seq 21, length 8
Jun  6 22:26:39 HOSTNAME pf: 087902 rule 181/0(match): block in on em1: (tos 0x0, ttl 2, id 38000, offset 0, flags [none], proto ICMP (1), length 28) 174.35.92.68 > MY_CURRENT_IP: ICMP echo request, id 38295, seq 13, length 8
Jun  6 22:26:41 HOSTNAME pf: 1. 815864 rule 181/0(match): block in on em1: (tos 0x0, ttl 6, id 47943, offset 0, flags [none], proto ICMP (1), length 28) 175.41.1.14 > MY_CURRENT_IP: ICMP echo request, id 33036, seq 20, length 8
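To turn a log like the one above into something you can answer the question with, here is an added example (my own code, not from the thread, from pf or from any boards.ie poster) that parses lines in the pflog-via-syslog format quoted in the post and looks for the pattern the OP describes: several distinct sources sending echo requests within a short window. The sample lines are constructed for the example (hostname, ids and timestamps are made up, addresses are RFC 5737 documentation ranges); only the field layout is taken from the quoted log. The window size and the source-count threshold are assumptions you would tune to your own traffic.

```python
import re
from datetime import datetime

# Constructed sample in the pf/pflog syslog format quoted above. Addresses are
# RFC 5737 documentation ranges; timestamps, ids and the hostname are made up.
SAMPLE_LOG = """\
Jun  6 22:26:38 fw pf: 667416 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61482, offset 0, flags [none], proto ICMP (1), length 28) 198.51.100.7 > 203.0.113.9: ICMP echo request, id 43106, seq 10, length 8
Jun  6 22:26:38 fw pf: 525231 rule 181/0(match): block in on em1: (tos 0x0, ttl 3, id 47986, offset 0, flags [none], proto ICMP (1), length 28) 198.51.100.35 > 203.0.113.9: ICMP echo request, id 62286, seq 10, length 8
Jun  6 22:26:39 fw pf: 489993 rule 181/0(match): block in on em1: (tos 0x0, ttl 22, id 61546, offset 0, flags [none], proto ICMP (1), length 28) 198.51.100.60 > 203.0.113.9: ICMP echo request, id 29501, seq 0, length 8
Jun  6 22:26:39 fw pf: 190674 rule 100/0(match): block in on em1: (tos 0x0, ttl 5, id 37386, offset 0, flags [none], proto ICMP (1), length 28) 192.0.2.94 > 203.0.113.9: ICMP echo request, id 50979, seq 14, length 8
Jun  6 22:26:40 fw pf: 301555 rule 181/0(match): block in on em1: (tos 0x0, ttl 2, id 38000, offset 0, flags [none], proto ICMP (1), length 28) 192.0.2.150 > 203.0.113.9: ICMP echo request, id 38295, seq 13, length 8
Jun  6 22:26:41 fw pf: 1. 815864 rule 181/0(match): block in on em1: (tos 0x0, ttl 6, id 47943, offset 0, flags [none], proto ICMP (1), length 28) 192.0.2.14 > 203.0.113.9: ICMP echo request, id 33036, seq 20, length 8
Jun  6 22:26:45 fw pf: 002117 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61490, offset 0, flags [none], proto ICMP (1), length 28) 198.51.100.7 > 203.0.113.9: ICMP echo request, id 43106, seq 11, length 8
Jun  6 22:40:02 fw pf: 331002 rule 181/0(match): block in on em1: (tos 0x0, ttl 52, id 11, offset 0, flags [none], proto TCP (6), length 60) 192.0.2.200.44321 > 203.0.113.9.22: Flags [S], seq 1, win 65535, length 0
Jun  6 23:05:10 fw pf: 777777 rule 181/0(match): block in on em1: (tos 0x0, ttl 48, id 9001, offset 0, flags [none], proto ICMP (1), length 28) 192.0.2.77 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 8
"""

# One pflog line: syslog stamp, host, "pf:", a tcpdump time field (which may be
# split, as in "1. 815864" above), the rule, action, interface, IP header
# summary, src > dst and the protocol-specific tail. Ports on TCP/UDP
# addresses are stripped by the optional "(?:\.\d+)?" groups.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pf: .*?"
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?ttl (?P<ttl>\d+),.*?proto (?P<proto>\w+) \(\d+\), length \d+\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<detail>.*)$"
)


def parse_line(line):
    """Parse one pflog syslog line; return a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # syslog stamps carry no year; strptime defaults to 1900, fine for ordering within a day
    ev["time"] = datetime.strptime(ev.pop("ts"), "%b %d %H:%M:%S")
    ev["rule"] = int(ev["rule"])
    ev["ttl"] = int(ev["ttl"])
    ev["echo_request"] = ev["detail"].startswith("ICMP echo request")
    return ev


def find_bursts(events, window_seconds=300, min_sources=6):
    """Group echo requests into windows opened by their first packet and report
    each window in which at least min_sources distinct senders appear."""
    pings = sorted((e for e in events if e["echo_request"]), key=lambda e: e["time"])
    bursts = []
    i = 0
    while i < len(pings):
        start = pings[i]["time"]
        j = i + 1
        while j < len(pings) and (pings[j]["time"] - start).total_seconds() <= window_seconds:
            j += 1
        cluster = pings[i:j]
        sources = sorted({e["src"] for e in cluster})
        if len(sources) >= min_sources:
            bursts.append((start, cluster[-1]["time"], sources))
        i = j
    return bursts


def ttl_by_source(events):
    """TTLs seen per echo-request source. Very low or widely varying values on
    packets that have crossed the public internet are worth a second look."""
    seen = {}
    for e in events:
        if e["echo_request"]:
            seen.setdefault(e["src"], set()).add(e["ttl"])
    return {src: sorted(ttls) for src, ttls in seen.items()}


def analyze(log_text, window_seconds=300, min_sources=6):
    """Parse a whole log and return the burst report plus per-source TTLs."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "parsed": len(events),
        "echo_requests": sum(e["echo_request"] for e in events),
        "bursts": find_bursts(events, window_seconds, min_sources),
        "ttl_by_source": ttl_by_source(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("parsed %d lines, %d echo requests" % (report["parsed"], report["echo_requests"]))
    for start, end, sources in report["bursts"]:
        print("burst %s..%s from %d sources: %s" % (start.time(), end.time(), len(sources), ", ".join(sources)))
    for src, ttls in sorted(report["ttl_by_source"].items()):
        print("%-15s ttl %s" % (src, ttls))
```

Feed it `/var/log/pflog` as rendered by syslog (or `tcpdump -n -e -ttt -r /var/log/pflog` piped through the same parser after adjusting the stamp format) and the burst list gives you the start, end and sender set for each cluster, which is the shape of evidence that separates "someone is scanning" from steady background noise.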
07-06-2012, 06:38   #2
JimmyCrackCorn
Moderator
 
Join Date: Jan 2010
Location: Bondi Beach
Posts: 1,521
Someone doing ping sweeps looking for hosts.

Malware doing its thing.


Background noise is just a fact of life on the internet.
07-06-2012, 16:45   #3
BaconZombie
/dev/random
 
Join Date: Jan 2007
Posts: 9,920
To be RFC compliant people should not block ICMP packets.
13-06-2012, 15:59   #4
schrodinger
Registered User
 
Join Date: Jun 2001
Posts: 310
Quote:
Originally Posted by BaconZombie
To be RFC compliant people should not block ICMP packets.
Your reply may be disingenuous. There is a case of being protocol compliant and then the recommendations of the RFC documents, or just downright "Because the RFC told you so".

An example of being a specific TYPE of ICMP packet that MUST BE permitted to be RFC compliant would be RFC 2979 - 3.1.1. Path MTU Discovery and ICMP.

However, I don't believe this helps the OP but should be stated anyway in case people start thinking that permitting things like ICMP REDIRECT is a MUST for RFC compliance - where one might not need to accept ICMP REDIRECT packets at all.

There is a rather long list of ICMP TYPES. Usually the (better) rule of thumb is to permit what is 'useful ICMP' for your environment and then rate limit those that you permit.
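To make the "permit useful ICMP, then rate limit it" rule of thumb concrete, here is an added example (my own code, not from the thread, from pf or from any firewall product) that parses ICMP messages, rejects truncated or corrupted ones, applies an allow-list policy along the lines of the post above, and rate-limits echo per source with a token bucket. The type and code numbers are the standard RFC 792 values and the frag-needed rule is the RFC 2979 section 3.1.1 point; which other types to pass, the packet stream and the rate numbers are this example's assumptions, not a policy the thread lays down.

```python
import struct

# ICMP type/code numbers from RFC 792; only the ones this policy names.
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4  # code of DEST_UNREACH: fragmentation needed and DF set (PMTUD)


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, payload=b""):
    """Build a constructed ICMP message with a correct checksum (sample input only)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unchecked)) + payload


def parse_icmp(data):
    """Return (type, code); reject truncated messages and bad checksums."""
    if len(data) < 4:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(data) != 0:  # a correct message sums to all-ones, so ~sum is 0
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    return icmp_type, code


def classify(icmp_type, code):
    """Allow-list in the spirit of the post above: pass the ICMP your own traffic
    depends on, rate-limit echo, drop everything else (redirect included).
    The choices here are the example's assumptions, not a universal policy."""
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        return "pass"  # must pass or path MTU discovery breaks (RFC 2979, 3.1.1)
    if icmp_type in (DEST_UNREACH, TIME_EXCEEDED):
        return "pass"  # error reports for connections this host originated
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "limit"  # useful, but bounded per source
    return "drop"  # redirect and anything not listed


class TokenBucket:
    """Per-source limiter: `burst` tokens up front, refilled at `rate` per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_stream(stream, rate=1.0, burst=5):
    """Apply the policy to (time, source, raw_icmp) tuples; return one verdict each."""
    buckets = {}
    verdicts = []
    for t, src, raw in sorted(stream, key=lambda p: p[0]):
        try:
            icmp_type, code = parse_icmp(raw)
        except ValueError as err:
            verdicts.append({"t": t, "src": src, "type": None, "code": None, "verdict": "malformed", "why": str(err)})
            continue
        verdict = classify(icmp_type, code)
        if verdict == "limit":
            bucket = buckets.setdefault(src, TokenBucket(rate, burst, t))
            verdict = "pass" if bucket.allow(t) else "rate-limited"
        verdicts.append({"t": t, "src": src, "type": icmp_type, "code": code, "verdict": verdict, "why": ""})
    return verdicts


def verdict_counts(verdicts):
    """Tally verdicts by label."""
    counts = {}
    for v in verdicts:
        counts[v["verdict"]] = counts.get(v["verdict"], 0) + 1
    return counts


def make_sample_stream():
    """Constructed traffic: a ten-packet echo burst from one source in one second,
    a PMTUD frag-needed report, a redirect, a truncated message, a corrupted one,
    and a lone echo request from a second source. Addresses are RFC 5737 ranges."""
    def echo(seq):
        return build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, seq) + b"x" * 8)
    stream = [(0.1 * i, "198.51.100.7", echo(i)) for i in range(10)]
    stream.append((0.5, "192.0.2.9", build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1500) + b"\x00" * 28)))
    stream.append((0.6, "192.0.2.9", build_icmp(REDIRECT, 1, b"\x00" * 32)))
    stream.append((0.7, "192.0.2.9", b"\x08\x00"))
    good = build_icmp(ECHO_REQUEST, 0, b"ab")
    stream.append((0.75, "192.0.2.9", good[:-1] + bytes([good[-1] ^ 0xFF])))
    stream.append((0.8, "192.0.2.10", build_icmp(ECHO_REQUEST, 0)))
    return stream


if __name__ == "__main__":
    results = filter_stream(make_sample_stream())
    for v in results:
        print("%.2fs %-14s type=%-4s code=%-4s %-12s %s" % (v["t"], v["src"], v["type"], v["code"], v["verdict"], v["why"]))
    print(verdict_counts(results))
```

With one token per second and a burst of five, the first five echo requests from the busy source pass and the rest are rate-limited, while the second source's single ping is unaffected because each source has its own bucket; the frag-needed report passes regardless, and the redirect is dropped. A real firewall would also tie ECHO_REPLY to state from outbound requests rather than rate-limiting it on its own.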
13-06-2012, 20:40   #5
infodox
Registered User
 
Join Date: Dec 2011
Location: On a wet, windy rock in the Atlantic.
Posts: 122
Just whitelist. Allow known-good, prohibit all else. Sure, according to the RFCs, your coffee machine has to comply with the COFFEE/HTTP Protocol! http://www.ietf.org/rfc/rfc2324.txt

As for PMTUD... Ugh. Get rid of it. I won't bother getting into it, but "Silence on the wire" explains why it is silly.

*note, obviously not being serious about the coffee protocol, but it IS an RFC