Strange ICMP packets

JC

Archived from groups: comp.security.firewalls

Hi,

I have noticed over the past few weeks a slow build up of reports of ICMP
packets being blocked by my firewall. The firewall reports follow the pattern
below:-

ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -

The firewall drops them as 'Destination Unreachable' since port 1 doesn't exist
on the firewall. I know that they aren't pings but I am puzzled as to what
they are. My concern is that they may be legit traffic that is being blocked.

Are others seeing these packets also? Can anyone tell me what these packets
are?
--

Cheers . . . JC
 
Guest

JC <jhoppyc@westnet.com.invalid> wrote in
news:stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com:

> Hi,
>
> I have noticed over the past few weeks a slow build up of reports of
> ICMP packets being blocked by my firewall. The firewall reports
> follow the pattern below:-
>
> ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z,
> 1, LAN -
>
> The firewall drops them as 'Destination Unreachable' since port 1
> doesn't exist on the firewall.

That just means that the packet filter/personal FW is dropping the
unsolicited inbound packets and is sending back the proper response to the
requester of 'Destination Unreachable'. There is a port 1 TCP/UDP but since
the traffic is unsolicited, the packets are being dropped by the packet
filter/personal FW.

> I know that they aren't pings but I
> am puzzled as to what they are. My concern is that they may be legit
> traffic that is being blocked.

If the traffic is being dropped by the packet filter/PFW, it's unsolicited
inbound traffic the FW packet filter/PFW should not be letting through to
the machine.

You should find out who the IP belongs to with Arin Whois by entering the
IP into the Whois search block. You should make the determination if the IP
is a legit IP -- most likely it is not a legit IP.

http://www.arin.net/index.html

You should be happy that the unsolicited inbound traffic is being blocked
and forget about it.

Duane :)
 
Guest

JC <jhoppyc@westnet.com.invalid> wrote:
> packets being blocked by my firewall. The firewall reports follow the pattern
> below:-
> ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
> The firewall drops them as 'Destination Unreachable' since port 1 doesn't exist
> on the firewall.

ICMP has no port concept whatsoever.

> I know that they aren't pings but I am puzzled as to what
> they are. My concern is that they may be legit traffic that is being blocked.
> Are others seeing these packets also? Can anyone tell me what these packets
> are?

Please read RFC 792, http://www.rfc-editor.org

Yours,
VB.
--
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

In the Usenet newsgroup comp.security.firewalls, in article
<stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com>, JC wrote:

>I have noticed over the past few weeks a slow build up of reports of ICMP
>packets being blocked by my firewall. The firewall reports follow the
>pattern below:-
>
>ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
>
>The firewall drops them as 'Destination Unreachable' since port 1 doesn't
>exist on the firewall.

There are one hundred forty different protocols using IP, such as TCP, UDP,
ICMP, IGMP, BGP, XNS, Banyan Vines, Compaq Peer Protocol... and only a few
use port numbers - ICMP is not one of them. See RFC0792.

0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

Your firewall (in common with many others) reports ICMP with the type
number displayed as the source port, and the 'code' displayed as the
destination port. This _should_ be explained in the documentation for
your firewall.

>I know that they aren't pings but I am puzzled as to what they are.

ICMP Type 3 code 1 - Host unreachable.

>My concern is that they may be legit traffic that is being blocked.

Normally, a remote router will reply with ICMP Type 3 code 1 when you
send a packet attempting to connect to a host that does not exist, or
exists but is turned off/disconnected/dead/wedged. In ICMP, the 'source'
IP address is the remote (router or host), and the destination IP is
the system that sent the original packet that caused the problem. You
need to review your outbound traffic, and find what host is sending
the original traffic to an unreachable host. If your system is not
NATing, or Port Forwarding, the problem lies on the host given as
the destination IP in the ICMP packet. If you looked inside the ICMP
packet with a packet sniffer, you will find the header of the packet
that caused the problem.

>Are others seeing these packets also?

No

>Can anyone tell me what these packets are?

One of your hosts - probably behind the firewall - is mis-configured, or
is sending traffic to a host that doesn't want to speak to you.

Old guy
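Old guy's points above (the firewall shows the ICMP type where a source port would go and the code where a destination port would go, and a type 3 message carries the header of the packet that triggered it) can be checked in code. The following is an added example, not from the thread or from SonicWall: it parses the log pattern JC posted and decodes a constructed type 3 code 1 message to recover the outbound flow that caused it; the addresses and the sample packet are made up.

```python
import re
import struct
from ipaddress import ip_address

# ICMP type/code names for the messages discussed in the thread (RFC 792).
ICMP_NAMES = {
    (0, 0): "Echo Reply",
    (3, 0): "Destination Unreachable: net unreachable",
    (3, 1): "Destination Unreachable: host unreachable",
    (3, 3): "Destination Unreachable: port unreachable",
    (8, 0): "Echo Request",
    (11, 0): "Time Exceeded: TTL expired in transit",
}

# Matches the SonicWall-style drop line; the two "port" fields are ICMP type and code.
LOG_RE = re.compile(
    r"ICMP packet dropped - Source:(?P<src>[\w.]+), (?P<type>\d+), (?P<src_if>\w+)"
    r" - Destination:(?P<dst>[\w.]+), (?P<code>\d+), (?P<dst_if>\w+)"
)

def parse_log_line(line):
    """Return the ICMP type/code (and a name) hidden in the log's port fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t, c = int(m["type"]), int(m["code"])
    return {"src": m["src"], "dst": m["dst"], "type": t, "code": c,
            "name": ICMP_NAMES.get((t, c), "unknown type %d code %d" % (t, c))}

def decode_unreachable(icmp):
    """Extract the quoted original IP header and first 8 transport bytes from a type 3
    message. Its addresses and ports identify the outbound flow that triggered it."""
    if icmp[0] != 3:
        raise ValueError("not an ICMP destination unreachable message")
    inner = icmp[8:]                      # skip type, code, checksum, unused word
    ihl = (inner[0] & 0x0F) * 4           # inner IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": icmp[1], "orig_proto": inner[9],
            "orig_src": str(ip_address(inner[12:16])),
            "orig_dst": str(ip_address(inner[16:20])),
            "orig_sport": sport, "orig_dport": dport}

# Constructed samples (documentation addresses, not captured from anyone's network).
SAMPLE_LOG = "ICMP packet dropped - Source:192.0.2.1, 3, WAN - Destination:198.51.100.7, 1, LAN -"
_inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,   # checksum left 0
                        ip_address("198.51.100.7").packed, ip_address("203.0.113.9").packed)
_inner_tcp = struct.pack("!HHI", 51000, 80, 0)   # TCP src port, dst port 80, seq number
SAMPLE_ICMP = struct.pack("!BBHI", 3, 1, 0, 0) + _inner_ip + _inner_tcp  # type 3, code 1
```

Run against real log lines, the parser tells you which LAN host to look at; run against a capture of the ICMP payload, the decoder tells you which outbound connection from that host is failing.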
 

JC

On Thu, 15 Sep 2005 15:03:29 -0500, ibuprofin@painkiller.example.tld (Moe Trin)
wrote:

>In the Usenet newsgroup comp.security.firewalls, in article
><stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com>, JC wrote:
>
>>I have noticed over the past few weeks a slow build up of reports of ICMP
>>packets being blocked by my firewall. The firewall reports follow the
>>pattern below:-
>>
>>ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
>>
>>The firewall drops them as 'Destination Unreachable' since port 1 doesn't
>>exist on the firewall.

<snip>

>Your firewall (in common with many others) reports ICMP with the type
>number displayed as the source port, and the 'code' displayed as the
>destination port. This _should_ be explained in the documentation for
>your firewall.

I looked back through the docs and it is there - "The TCP or UDP port number or
ICMP code follows the IP address". Thanks for pointing me to it.

>>I know that they aren't pings but I am puzzled as to what they are.
>
>ICMP Type 3 code 1 - Host unreachable.
>
>>My concern is that they may be legit traffic that is being blocked.
>
>Normally, a remote router will reply with ICMP Type 3 code 1 when you
>send a packet attempting to connect to a host that does not exist, or
>exists but is turned off/disconnected/dead/wedged. In ICMP, the 'source'
>IP address is the remote (router or host), and the destination IP is
>the system that sent the original packet that caused the problem. You
>need to review your outbound traffic, and find what host is sending
>the original traffic to an unreachable host. If your system is not
>NATing, or Port Forwarding, the problem lies on the host given as
>the destination IP in the ICMP packet. If you looked inside the ICMP
>packet with a packet sniffer, you will find the header of the packet
>that caused the problem.

I have a single PC connected on the LAN side of a Sonicwall TZ170 firewall. I
am soon to add a 2nd multi-media PC to the LAN. I run NAV daily and Ad-aware
and SpyBot bi-weekly on the PC and none report any "funnies".

About 70% of these return packets arrive while my PC is turned off with only the
firewall and modem active. Does this mean that someone is spoofing my IP
address and causing the problem?

I am not sure how to go about sniffing the incoming ICMP packet as it is dropped by
the firewall before it gets to my PC. I am assuming that the sniffer would
need to be on the WAN side of the firewall.

Would turning ON the Windows Firewall logging help here as it would give me some
clues to any packets going out to the addresses sending back the ICMP Type 3
code 1 packets.

Thanks for your help Old guy, I appreciate it.
--

Cheers . . . JC
 
Guest

> About 70% of these return packets arrive while my PC is turned off with
> only the firewall and modem active. Does this mean that someone is
> spoofing my IP address and causing the problem?

If the machine is turned off, there is no traffic so how can something be
spoofing traffic? In addition to that, the Sonicwall should be doing
Stateful Packet Inspection (SPI) that should be preventing IP spoofing and
several other types of attacks.

> I am not how to go about sniffing the incoming ICMP packet as it is
> dropped by the firewall before it gets to my PC. I am assuming that the
> sniffer would need to be on the WAN side of the firewall.

Traffic or packet sniffing is about traffic leaving a computer; the sniffer,
such as Ethereal (free), would be installed on the computer in question to
review all outbound traffic leaving the computer.

> Would turning ON the Windows Firewall logging help here as it would give
> me some clues to any packets going out to the addresses sending back the
> ICMP Type 3 code 1 packets.

Doesn't the Sonicwall TZ170 have logging? That's what you should be using:
the router's syslogs, to get an accurate picture of traffic to/from the
router or to/from the WAN and LAN.

You can use Wallwatcher and view in real time all inbound traffic from
remote IP(s) and all outbound traffic from LAN IP(s)/machines -- all
traffic to or from the router, *blocked and not blocked* traffic -- ICMP or
non-ICMP traffic, blocked or not blocked, along with setting various alert
conditions that Wallwatcher will alert you on, like a remote IP being
blocked and it alerting you that this has happened, say, 60 times in a 15
second time frame.

http://www.sonic.net/wallwatcher/#Routers

Duane :)