Strange ICMP packets

Archived from groups: comp.security.firewalls (More info?)

Hi,

I have noticed over the past few weeks a slow build up of reports of ICMP
packets being blocked by my firewall. The firewall reports follow the pattern
below:-

ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -

The firewall drops them as 'Destination Unreachable' since port 1 doesn't exist
on the firewall. I know that they aren't pings but I am puzzled as to what
they are. My concern is that they may be legit traffic that is being blocked.

Are others seeing these packets also? Can anyone tell me what these packets
are?
--

Cheers . . . JC
  1.

    JC <jhoppyc@westnet.com.invalid> wrote in
    news:stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com:

    > Hi,
    >
    > I have noticed over the past few weeks a slow build up of reports of
    > ICMP packets being blocked by my firewall. The firewall reports
    > follow the pattern below:-
    >
    > ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z,
    > 1, LAN -
    >
    > The firewall drops them as 'Destination Unreachable' since port 1
    > doesn't exist on the firewall.

    That just means that the packet filter/personal FW is dropping the
    unsolicited inbound packets and is sending back the proper response to the
    requester of 'Destination Unreachable'. There is a port 1 TCP/UDP but since
    the traffic is unsolicited, the packets are being dropped by the packet
    filter/personal FW.

    > I know that they aren't pings but I
    > am puzzled as to what they are. My concern is that they may be legit
    > traffic that is being blocked.

    If the traffic is being dropped by the packet filter/PFW, it's unsolicited
    inbound traffic the FW packet filter/PFW should not be letting through to
    the machine.

    You should find out who the IP belongs to with Arin Whois by entering the
    IP into the Whois search block. You should make the determination if the IP
    is a legit IP -- most likely it is not a legit IP.

    http://www.arin.net/index.html

    You should be happy that the unsolicited inbound traffic is being blocked
    and forget about it.

    Duane :)
  2.

    JC <jhoppyc@westnet.com.invalid> wrote:
    > packets being blocked by my firewall. The firewall reports follow the pattern
    > below:-
    > ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
    > The firewall drops them as 'Destination Unreachable' since port 1 doesn't exist
    > on the firewall.

    ICMP has no port concept whatsoever.

    > I know that they aren't pings but I am puzzled as to what
    > they are. My concern is that they may be legit traffic that is being blocked.
    > Are others seeing these packets also? Can anyone tell me what these packets
    > are?

    Please read RFC 792, http://www.rfc-editor.org

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  3.

    In the Usenet newsgroup comp.security.firewalls, in article
    <stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com>, JC wrote:

    >I have noticed over the past few weeks a slow build up of reports of ICMP
    >packets being blocked by my firewall. The firewall reports follow the
    >pattern below:-
    >
    >ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
    >
    >The firewall drops them as 'Destination Unreachable' since port 1 doesn't
    >exist on the firewall.

    There are one hundred forty different protocols using IP, such as TCP, UDP,
    ICMP, IGMP, BGP, XNS, Banyan Vines, Compaq Peer Protocol... and only a few
    use port numbers - ICMP is not one of them. See RFC0792.

    0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
    (Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
    (Also STD0005) (Status: STANDARD)

    Your firewall (in common with many others) reports ICMP with the type
    number displayed as the source port, and the 'code' displayed as the
    destination port. This _should_ be explained in the documentation for
    your firewall.

    >I know that they aren't pings but I am puzzled as to what they are.

    ICMP Type 3 code 1 - Host unreachable.

    >My concern is that they may be legit traffic that is being blocked.

    Normally, a remote router will reply with ICMP Type 3 code 1 when you
    send a packet attempting to connect to a host that does not exist, or
    exists but is turned off/disconnected/dead/wedged. In ICMP, the 'source'
    IP address is the remote (router or host), and the destination IP is
    the system that sent the original packet that caused the problem. You
    need to review your outbound traffic, and find what host is sending
    the original traffic to an unreachable host. If your system is not
    NATing, or Port Forwarding, the problem lies on the host given as
    the destination IP in the ICMP packet. If you looked inside the ICMP
    packet with a packet sniffer, you will find the header of the packet
    that caused the problem.

    >Are others seeing these packets also?

    No

    >Can anyone tell me what these packets are?

    One of your hosts - probably behind the firewall - is mis-configured, or
    is sending traffic to a host that doesn't want to speak to you.

    Old guy
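    Two points from the reply above can be checked in code: the firewall log shows the ICMP type in the "source port" slot and the code in the "destination port" slot, and a Type 3 message quotes the IP header plus the first 8 bytes of the packet that triggered it. The following is an added example, not code from the thread or from the firewall vendor; the log regex is modelled on the single line JC quoted, and every address, port and packet byte is constructed here for illustration.

```python
import re
import struct

# Constructed log line in the format JC quoted (real addresses were masked as a.b.c.d / w.x.y.z).
SAMPLE_LOG = ("ICMP packet dropped - Source:203.0.113.7, 3, WAN - "
              "Destination:192.0.2.10, 1, LAN -")

LOG_RE = re.compile(r"ICMP packet dropped - Source:(\S+), (\d+), (\w+) - "
                    r"Destination:(\S+), (\d+), (\w+)")

# Destination Unreachable (type 3) codes from RFC 792.
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed and DF set", 5: "source route failed"}

def parse_log_line(line):
    """The two 'port' fields are really ICMP type (source side) and code (destination side)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reporter, itype, _src_zone, orig_sender, code, _dst_zone = m.groups()
    itype, code = int(itype), int(code)
    meaning = UNREACHABLE_CODES.get(code, "unknown code") if itype == 3 else "not type 3"
    # reporter = router/host that generated the ICMP; orig_sender = host whose packet failed
    return {"reporter": reporter, "original_sender": orig_sender,
            "type": itype, "code": code, "meaning": meaning}

def build_sample_unreachable():
    """Constructed: a router reports 'host unreachable' for a TCP SYN 192.0.2.10:49152 -> 198.51.100.5:80."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 64, 6, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    inner_l4 = struct.pack("!HHI", 49152, 80, 1)      # first 8 bytes of the original TCP header
    return struct.pack("!BBHI", 3, 1, 0, 0) + inner_ip + inner_l4   # 8-byte ICMP header in front

def decode_unreachable(icmp):
    """Decode a type 3 message and recover the quoted original datagram's addresses and ports."""
    itype, code = icmp[0], icmp[1]
    inner = icmp[8:]                                  # quoted original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    orig_src = ".".join(str(b) for b in inner[12:16])
    orig_dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # valid for TCP and UDP
    return {"type": itype, "code": code,
            "meaning": UNREACHABLE_CODES.get(code, "unknown code") if itype == 3 else "not type 3",
            "proto": inner[9], "orig_src": orig_src, "orig_dst": orig_dst,
            "sport": sport, "dport": dport}

def consistent(log_entry, decoded):
    """The log's Destination should be the host quoted as source inside the ICMP payload."""
    return log_entry["original_sender"] == decoded["orig_src"]
```

    Run against the constructed packet, `decode_unreachable` names 198.51.100.5:80 as the destination that was unreachable, which is the outbound connection the reply tells JC to look for.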
  4.

    On Thu, 15 Sep 2005 15:03:29 -0500, ibuprofin@painkiller.example.tld (Moe Trin)
    wrote:

    >In the Usenet newsgroup comp.security.firewalls, in article
    ><stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com>, JC wrote:
    >
    >>I have noticed over the past few weeks a slow build up of reports of ICMP
    >>packets being blocked by my firewall. The firewall reports follow the
    >>pattern below:-
    >>
    >>ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
    >>
    >>The firewall drops them as 'Destination Unreachable' since port 1 doesn't
    >>exist on the firewall.

    <snip>

    >Your firewall (in common with many others) reports ICMP with the type
    >number displayed as the source port, and the 'code' displayed as the
    >destination port. This _should_ be explained in the documentation for
    >your firewall.

    I looked back through the docs and it is there - "The TCP or UDP port number or
    ICMP code follows the IP address". Thanks for pointing me to it.

    >>I know that they aren't pings but I am puzzled as to what they are.
    >
    >ICMP Type 3 code 1 - Host unreachable.
    >
    >>My concern is that they may be legit traffic that is being blocked.
    >
    >Normally, a remote router will reply with ICMP Type 3 code 1 when you
    >send a packet attempting to connect to a host that does not exist, or
    >exists but is turned off/disconnected/dead/wedged. In ICMP, the 'source'
    >IP address is the remote (router or host), and the destination IP is
    >the system that sent the original packet that caused the problem. You
    >need to review your outbound traffic, and find what host is sending
    >the original traffic to an unreachable host. If your system is not
    >NATing, or Port Forwarding, the problem lies on the host given as
    >the destination IP in the ICMP packet. If you looked inside the ICMP
    >packet with a packet sniffer, you will find the header of the packet
    >that caused the problem.

    I have a single PC connected on the LAN side of a Sonicwall TZ170 firewall. I
    am soon to add a 2nd multi-media PC to the LAN. I run NAV daily and Ad-aware
    and SpyBot bi-weekly on the PC and none report any "funnies".

    About 70% of these return packets arrive while my PC is turned off with only the
    firewall and modem active. Does this mean that someone is spoofing my IP
    address and causing the problem?

    I am not sure how to go about sniffing the incoming ICMP packet as it is dropped by
    the firewall before it gets to my PC. I am assuming that the sniffer would
    need to be on the WAN side of the firewall.

    Would turning ON the Windows Firewall logging help here as it would give me some
    clues to any packets going out to the addresses sending back the ICMP Type 3
    code 1 packets.

    Thanks for your help Old guy, I appreciate it.
    --

    Cheers . . . JC
  5.

    >
    > About 70% of these return packets arrive while my PC is turned off with
    > only the
    > firewall and modem active. Does this mean that someone is spoofing my
    > IP
    > address and causing the problem?

    If the machine is turned off, there is no traffic so how can something be
    spoofing traffic? In addition to that, the Sonicwall should be doing
    Stateful Packet Inspection (SPI) that should be preventing IP spoofing and
    several other types of attacks.

    >
    > I am not how to go about sniffing the incoming ICMP packet as it is
    > dropped by
    > the firewall before it gets to my PC. I am assuming that the sniffer
    > would
    > need to be on the WAN side of the firewall.

    Traffic or packet sniffing is about traffic leaving a computer; the sniffer,
    such as Ethereal (free), would be installed on the computer in question to
    review all outbound traffic leaving the computer.

    >
    > Would turning ON the Windows Firewall logging help here as it would give
    > me some
    > clues to any packets going out to the addresses sending back the ICMP Type
    > 3
    > code 1 packets.

    Doesn't the Sonicwall TZ170 have logging? What you should be using is
    the router's syslogs to get an accurate picture of traffic to/from the
    router or to/from the WAN and LAN.

    You can use Wallwatcher and view in real time all inbound traffic from
    remote IP(s) and all outbound traffic from LAN IP(s)/machines -- all
    traffic to or from the router, *blocked and not blocked* -- ICMP or
    non-ICMP traffic, blocked or not blocked, along with setting various alert
    conditions that Wallwatcher will alert you on, like a remote IP being
    blocked and it alerting you that this has happened 60 times in a 15
    second time frame, as an example.

    http://www.sonic.net/wallwatcher/#Routers

    Duane :)