Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

UPC broadband - ongoing echo requests

  • 06-06-2012 9:31pm
    #1
    Closed Accounts Posts: 587 ✭✭✭


    For years now my firewall has picked up frequent bursts of ICMP echo requests from various disparate sources on the net. The bursts last only a few minutes and consist of about 6-10 different hosts at a time sending the requests every few seconds.

    Even when my IP address changes (or I force a change) the same pattern repeats.

    What's the point of these probes?
    Jun  6 22:26:38 HOSTNAME pf: 667416 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61482, offset 0, flags [none], proto ICMP (1), length 28) 14.0.33.197 > MY_CURRENT_IP: ICMP echo request, id 43106, seq 10, length 8
    Jun  6 22:26:38 HOSTNAME pf: 525231 rule 181/0(match): block in on em1: (tos 0x0, ttl 3, id 47986, offset 0, flags [none], proto ICMP (1), length 28) 174.35.5.35 > MY_CURRENT_IP: ICMP echo request, id 62286, seq 10, length 8
    Jun  6 22:26:39 HOSTNAME pf: 489993 rule 181/0(match): block in on em1: (tos 0x0, ttl 22, id 61546, offset 0, flags [none], proto ICMP (1), length 28) 174.35.67.60 > MY_CURRENT_IP: ICMP echo request, id 29501, seq 0, length 8
    Jun  6 22:26:39 HOSTNAME pf: 190674 rule 181/0(match): block in on em1: (tos 0x0, ttl 5, id 37386, offset 0, flags [none], proto ICMP (1), length 28) 125.29.53.94 > MY_CURRENT_IP: ICMP echo request, id 50979, seq 14, length 8
    Jun  6 22:26:39 HOSTNAME pf: 209938 rule 100/0(match): block in on em1: (tos 0x0, ttl 7, id 45671, offset 0, flags [none], proto ICMP (1), length 28) 221.139.107.157 > MY_CURRENT_IP: ICMP echo request, id 10226, seq 21, length 8
    Jun  6 22:26:39 HOSTNAME pf: 087902 rule 181/0(match): block in on em1: (tos 0x0, ttl 2, id 38000, offset 0, flags [none], proto ICMP (1), length 28) 174.35.92.68 > MY_CURRENT_IP: ICMP echo request, id 38295, seq 13, length 8
    Jun  6 22:26:41 HOSTNAME pf: 1. 815864 rule 181/0(match): block in on em1: (tos 0x0, ttl 6, id 47943, offset 0, flags [none], proto ICMP (1), length 28) 175.41.1.14 > MY_CURRENT_IP: ICMP echo request, id 33036, seq 20, length 8
    


Comments

  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    Someone doing ping sweeps looking for hosts.

    Malware doing its thing.


    Background noise is just a fact of life on the internet.


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    To be RFC compliant people should not block ICMP packets.


  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    To be RFC compliant people should not block ICMP packets.

    Your reply may be disingenuous. There is a case of being protocol compliant and then the recommendations of the RFC documents, or just down right "Because the RFC told you so".

    An example of being a specific TYPE of ICMP packet that MUST BE permitted to be RFC compliant would be RFC 2979 - 3.1.1. Path MTU Discovery and ICMP.

    However, I don't believe this helps the OP but should be stated anyway in case people start thinking that permitting things like ICMP REDIRECT is a MUST for RFC compliance - where one might not need to accept ICMP REDIRECT packets at all.

    There is a rather long list of ICMP TYPES. Usually the (better) rule of thumb is to permit what is 'useful ICMP' for your environment and then rate limit those that you permit.


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Just whitelist. Allow known-good, prohibit all else. Sure, according to the RFC's, your coffee machine has to comply with the COFFEE/HTTP Protocol! http://www.ietf.org/rfc/rfc2324.txt

    As for PMTUD... Ugh. Get rid of it. I won't bother getting into it, but "Silence on the wire" explains why it is silly.

    *note, obviously not being serious about the coffee protocol, but it IS a RFC ;)


Advertisement