
UPC broadband - ongoing echo requests

  • 06-06-2012 10:31PM
    #1
    Closed Accounts Posts: 587 ✭✭✭


    For years now my firewall has picked up frequent bursts of ICMP echo requests from various disparate sources on the net. The bursts last only a few minutes and consist of about 6-10 different hosts at a time sending the requests every few seconds.

    Even when my IP address changes (or I force a change) the same pattern repeats.

    What's the point of these probes?
    Jun  6 22:26:38 HOSTNAME pf: 667416 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61482, offset 0, flags [none], proto ICMP (1), length 28) 14.0.33.197 > MY_CURRENT_IP: ICMP echo request, id 43106, seq 10, length 8
    Jun  6 22:26:38 HOSTNAME pf: 525231 rule 181/0(match): block in on em1: (tos 0x0, ttl 3, id 47986, offset 0, flags [none], proto ICMP (1), length 28) 174.35.5.35 > MY_CURRENT_IP: ICMP echo request, id 62286, seq 10, length 8
    Jun  6 22:26:39 HOSTNAME pf: 489993 rule 181/0(match): block in on em1: (tos 0x0, ttl 22, id 61546, offset 0, flags [none], proto ICMP (1), length 28) 174.35.67.60 > MY_CURRENT_IP: ICMP echo request, id 29501, seq 0, length 8
    Jun  6 22:26:39 HOSTNAME pf: 190674 rule 181/0(match): block in on em1: (tos 0x0, ttl 5, id 37386, offset 0, flags [none], proto ICMP (1), length 28) 125.29.53.94 > MY_CURRENT_IP: ICMP echo request, id 50979, seq 14, length 8
    Jun  6 22:26:39 HOSTNAME pf: 209938 rule 100/0(match): block in on em1: (tos 0x0, ttl 7, id 45671, offset 0, flags [none], proto ICMP (1), length 28) 221.139.107.157 > MY_CURRENT_IP: ICMP echo request, id 10226, seq 21, length 8
    Jun  6 22:26:39 HOSTNAME pf: 087902 rule 181/0(match): block in on em1: (tos 0x0, ttl 2, id 38000, offset 0, flags [none], proto ICMP (1), length 28) 174.35.92.68 > MY_CURRENT_IP: ICMP echo request, id 38295, seq 13, length 8
    Jun  6 22:26:41 HOSTNAME pf: 1. 815864 rule 181/0(match): block in on em1: (tos 0x0, ttl 6, id 47943, offset 0, flags [none], proto ICMP (1), length 28) 175.41.1.14 > MY_CURRENT_IP: ICMP echo request, id 33036, seq 20, length 8
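    As an added example (not from the thread), a small Python script that parses pf log lines like the ones above and groups blocked echo requests into bursts by time gap, reporting how many distinct senders took part and the TTL range seen; the 30-second gap and five-source threshold are assumptions chosen to match the pattern described in the post.

```python
import re
from datetime import datetime

# Constructed sample: the pf log lines quoted in the post, placeholders kept as-is.
SAMPLE_LOG = """\
Jun  6 22:26:38 HOSTNAME pf: 667416 rule 181/0(match): block in on em1: (tos 0x0, ttl 1, id 61482, offset 0, flags [none], proto ICMP (1), length 28) 14.0.33.197 > MY_CURRENT_IP: ICMP echo request, id 43106, seq 10, length 8
Jun  6 22:26:38 HOSTNAME pf: 525231 rule 181/0(match): block in on em1: (tos 0x0, ttl 3, id 47986, offset 0, flags [none], proto ICMP (1), length 28) 174.35.5.35 > MY_CURRENT_IP: ICMP echo request, id 62286, seq 10, length 8
Jun  6 22:26:39 HOSTNAME pf: 489993 rule 181/0(match): block in on em1: (tos 0x0, ttl 22, id 61546, offset 0, flags [none], proto ICMP (1), length 28) 174.35.67.60 > MY_CURRENT_IP: ICMP echo request, id 29501, seq 0, length 8
Jun  6 22:26:39 HOSTNAME pf: 190674 rule 181/0(match): block in on em1: (tos 0x0, ttl 5, id 37386, offset 0, flags [none], proto ICMP (1), length 28) 125.29.53.94 > MY_CURRENT_IP: ICMP echo request, id 50979, seq 14, length 8
Jun  6 22:26:39 HOSTNAME pf: 209938 rule 100/0(match): block in on em1: (tos 0x0, ttl 7, id 45671, offset 0, flags [none], proto ICMP (1), length 28) 221.139.107.157 > MY_CURRENT_IP: ICMP echo request, id 10226, seq 21, length 8
Jun  6 22:26:39 HOSTNAME pf: 087902 rule 181/0(match): block in on em1: (tos 0x0, ttl 2, id 38000, offset 0, flags [none], proto ICMP (1), length 28) 174.35.92.68 > MY_CURRENT_IP: ICMP echo request, id 38295, seq 13, length 8
Jun  6 22:26:41 HOSTNAME pf: 1. 815864 rule 181/0(match): block in on em1: (tos 0x0, ttl 6, id 47943, offset 0, flags [none], proto ICMP (1), length 28) 175.41.1.14 > MY_CURRENT_IP: ICMP echo request, id 33036, seq 20, length 8
"""

LINE_RE = re.compile(  # one pf/tcpdump-style line: syslog stamp, TTL, source, echo seq
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pf: .*?rule \d+/\d+\(match\): "
    r"block in on \S+: \(tos \S+, ttl (?P<ttl>\d+), .*?proto ICMP \(1\), length \d+\) "
    r"(?P<src>[\d.]+) > \S+: ICMP echo request, id \d+, seq (?P<seq>\d+)")

def parse_line(line):
    """Return {ts, ttl, src, seq} for a blocked inbound echo request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp (defaults to 1900)
    return {"ts": ts, "ttl": int(m["ttl"]), "src": m["src"], "seq": int(m["seq"])}

def find_bursts(lines, max_gap=30, min_sources=5):
    """Chain requests <= max_gap s apart; keep chains with >= min_sources distinct senders (assumed thresholds)."""
    events = [e for e in map(parse_line, lines) if e]
    groups = []
    for e in events:
        if groups and (e["ts"] - groups[-1][-1]["ts"]).total_seconds() <= max_gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    bursts = []
    for g in groups:
        srcs = sorted({e["src"] for e in g})
        if len(srcs) >= min_sources:
            ttls = [e["ttl"] for e in g]
            bursts.append({"start": g[0]["ts"], "seconds": (g[-1]["ts"] - g[0]["ts"]).total_seconds(),
                           "packets": len(g), "sources": srcs, "ttl_range": (min(ttls), max(ttls))})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['start']:%b %d %H:%M:%S}: {b['packets']} echo requests from "
              f"{len(b['sources'])} hosts in {b['seconds']:.0f}s, ttl range {b['ttl_range']}")
```

    Feed it `grep 'ICMP echo request' /var/log/pflog.txt` output (or whatever file your pflog is being written to) to see how many distinct senders each burst involves; a burst with many sources but only a handful of packets each is the sweep pattern rather than a sustained flood.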
    


Comments

  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    Someone doing ping sweeps looking for hosts.

    Malware doing its thing.


    Background noise is just a fact of life on the internet.


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    To be RFC compliant people should not block ICMP packets.


  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    To be RFC compliant people should not block ICMP packets.

    Your reply may be disingenuous. There is a case of being protocol compliant and then the recommendations of the RFC documents, or just downright "Because the RFC told you so".

    An example of being a specific TYPE of ICMP packet that MUST BE permitted to be RFC compliant would be RFC 2979 - 3.1.1. Path MTU Discovery and ICMP.

    However, I don't believe this helps the OP but should be stated anyway in case people start thinking that permitting things like ICMP REDIRECT is a MUST for RFC compliance - where one might not need to accept ICMP REDIRECT packets at all.

    There is a rather long list of ICMP TYPES. Usually the (better) rule of thumb is to permit what is 'useful ICMP' for your environment and then rate limit those that you permit.


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Just whitelist. Allow known-good, prohibit all else. Sure, according to the RFCs, your coffee machine has to comply with the COFFEE/HTTP Protocol! http://www.ietf.org/rfc/rfc2324.txt

    As for PMTUD... Ugh. Get rid of it. I won't bother getting into it, but "Silence on the wire" explains why it is silly.

    *note, obviously not being serious about the coffee protocol, but it IS an RFC ;)

