
Security Forums


Strange ICMP activity on Firewall

Gil

Posted: Wed Jun 16, 2010 7:57 pm

Greetings all, and thanks in advance for viewing and responding.

I have a strange situation: ICMP requests egressing on my firewall's WAN port are going to a China telecom mobile device.

I know that there are not any users on the system that would be doing such a thing. I realize I could create a rule to block the traffic, but I really want to track down what's going on. Below, find the info packet from my firewall logs (WAN ip address redacted):

06/16/2010 10:06:11.192 - Info - Network Access - ICMP packet allowed - Src - WAN ip address, 3, X1 - Dest - 221.130.140.18, 3, X1 - ICMP Destination Unreachable, Code: 3

Any thoughts? Also, any procedures you might suggest to track this down.

Thank you.

capi

Posted: Thu Jun 17, 2010 2:10 am

Your firewall is logging ICMP type 3, code 3 packets ("destination unreachable", specifically "port unreachable"). These aren't ICMP requests; they are ICMP error responses.

ICMP port unreachable packets are sent, most notably, by the UDP protocol stack, when a connection request arrives for a port that doesn't have anything listening on it. This would be the equivalent of TCP's RST packet.

Basically this means someone in China is trying to access some UDP port(s) on your system, and your system is replying to them with the standard "there isn't anything here" error message. They're either port scanning you, and your firewall is configured to allow unsolicited UDP through instead of dropping it, or they're trying to access a legitimate service (which is being correctly allowed by your firewall) and your server is down for some reason.

Either that, or someone on your internal network is actually generating false error messages in an attempt to somehow disrupt the Chinese telecom mobile device.
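
An added example, not part of the thread: an ICMP destination unreachable message quotes the IP header and first 8 bytes of the datagram that triggered it, so decoding a captured packet shows which local UDP port the remote host tried to reach. The packet bytes, the address 203.0.113.10 and ports 40000 and 12345 are constructed for illustration; checksums are not verified.

```python
import socket
import struct

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}

def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message and the datagram header it quotes."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus quoted IPv4 header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"not destination unreachable (type {icmp_type})")
    quoted = icmp[8:]              # bytes 4-7 of the ICMP header are unused
    if quoted[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (quoted[0] & 0x0F) * 4   # quoted IP header length, options included
    if ihl < 20 or len(quoted) < ihl + 4:
        raise ValueError("quoted datagram truncated before the ports")
    proto = quoted[9]
    info = {
        "code": UNREACH_CODES.get(code, f"code {code}"),
        "protocol": proto,
        # The quoted header is the ORIGINAL datagram, so its source is the
        # remote sender and its destination is the host behind the firewall.
        "remote": socket.inet_ntoa(quoted[12:16]),
        "local": socket.inet_ntoa(quoted[16:20]),
    }
    if proto in (6, 17):           # TCP and UDP both begin with the two ports
        info["remote_port"], info["local_port"] = struct.unpack(
            "!HH", quoted[ihl:ihl + 4])
    return info

def build_sample() -> bytes:
    """Constructed packet: UDP 221.130.140.18:40000 -> 203.0.113.10:12345."""
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)   # checksum left as zero
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 50, 17, 0,
                         socket.inet_aton("221.130.140.18"),
                         socket.inet_aton("203.0.113.10"))
    udp_hdr = struct.pack("!HHHH", 40000, 12345, 16, 0)
    return icmp_hdr + ip_hdr + udp_hdr

if __name__ == "__main__":
    for key, value in parse_unreachable(build_sample()).items():
        print(f"{key}: {value}")
```

The `local_port` value is the one to compare against the firewall's inbound UDP rules and the services expected to be listening.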

All times are GMT + 2 Hours