[Dum_Dum]

For years now my firewall has picked up frequent bursts of ICMP echo requests from various disparate sources on the net. The bursts last only a few minutes and consist of about 6-10 different hosts at a time sending the requests every few seconds.

Even when my IP address changes (or I force a change) the same pattern repeats.

What's the point of these probes?

Code:

Jun  6 22:26:38 HOSTNAME pf: 667416 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61482, offset 0, flags [none], proto ICMP (1), length 28) 14.0.33.197 > MY_CURRENT_IP: ICMP echo request, id 43106, seq 10, length 8
Jun  6 22:26:38 HOSTNAME pf: 525231 rule 181/0(match): block in on em1: (tos 0x0, ttl 3, id 47986, offset 0, flags [none], proto ICMP (1), length 28) 174.35.5.35 > MY_CURRENT_IP: ICMP echo request, id 62286, seq 10, length 8
Jun  6 22:26:39 HOSTNAME pf: 489993 rule 181/0(match): block in on em1: (tos 0x0, ttl 22, id 61546, offset 0, flags [none], proto ICMP (1), length 28) 174.35.67.60 > MY_CURRENT_IP: ICMP echo request, id 29501, seq 0, length 8
Jun  6 22:26:39 HOSTNAME pf: 190674 rule 181/0(match): block in on em1: (tos 0x0, ttl 5, id 37386, offset 0, flags [none], proto ICMP (1), length 28) 125.29.53.94 > MY_CURRENT_IP: ICMP echo request, id 50979, seq 14, length 8
Jun  6 22:26:39 HOSTNAME pf: 209938 rule 100/0(match): block in on em1: (tos 0x0, ttl 7, id 45671, offset 0, flags [none], proto ICMP (1), length 28) 221.139.107.157 > MY_CURRENT_IP: ICMP echo request, id 10226, seq 21, length 8
Jun  6 22:26:39 HOSTNAME pf: 087902 rule 181/0(match): block in on em1: (tos 0x0, ttl 2, id 38000, offset 0, flags [none], proto ICMP (1), length 28) 174.35.92.68 > MY_CURRENT_IP: ICMP echo request, id 38295, seq 13, length 8
Jun  6 22:26:41 HOSTNAME pf: 1. 815864 rule 181/0(match): block in on em1: (tos 0x0, ttl 6, id 47943, offset 0, flags [none], proto ICMP (1), length 28) 175.41.1.14 > MY_CURRENT_IP: ICMP echo request, id 33036, seq 20, length 8

[JimmyCrackCorn]

Someone doing ping sweeps looking for hosts.

Malware doing its thing.


Background noise is just a fact of life on the internet.

[BaconZombie]

To be RFC compliant people should not block ICMP packets.

[schrodinger]

Quote:

Originally Posted by BaconZombie

To be RFC compliant people should not block ICMP packets.

Your reply may be disingenuous. There is a case of being protocol compliant and then the recommendations of the RFC documents, or just down right "Because the RFC told you so".

An example of being a specific TYPE of ICMP packet that MUST BE permitted to be RFC compliant would be RFC 2979 - 3.1.1. Path MTU Discovery and ICMP.

However, I don't believe this helps the OP but should be stated anyway in case people start thinking that permitting things like ICMP REDIRECT is a MUST for RFC compliance - where one might not need to accept ICMP REDIRECT packets at all.

There is a rather long list of ICMP TYPES. Usually the (better) rule of thumb is to permit what is 'useful ICMP' for your environment and then rate limit those that you permit.

[infodox]

Just whitelist. Allow known-good, prohibit all else. Sure, according to the RFC's, your coffee machine has to comply with the COFFEE/HTTP Protocol! http://www.ietf.org/rfc/rfc2324.txt

As for PMTUD... Ugh. Get rid of it. I won't bother getting into it, but "Silence on the wire" explains why it is silly.

*note, obviously not being serious about the coffee protocol, but it IS a RFC