February 2nd, 2004, 08:27 PM
I have a newbie question I was hoping to maybe find an answer here.
I have alot of ICMP traffic in my routers logs and was hoping someone could tell me more about it : )
Drop ICMP packet from WAN src:18.104.22.168:3 dst:216.xxx.xxx.xxx:3
This is the one of the orginating IP...I assume coming in from PORT 3 and trying to come into PORTs 3, 10 13 on my router.
I am receiving alot of this traffic...that is why I have posted??
I have never have seen this before.
Can someone enlighten me ???
February 2nd, 2004, 08:49 PM
ICMP does not have ports but rather types. The type indicates the message and the messages pertaining to each type can be found here.
So type 3 is "Destination unreachable" and would therefore be a reply to an ICMP message your system sent out, (or someone is spoofing your IP address).
Type 10 is a router solicitation = a system looking for a router to use IIRC.
Type 13 id a Timestamp. I don;t recall ever seeing on of these so something may be a little awry.... anyone help me out here?
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
February 2nd, 2004, 09:07 PM
DOH, you beat me to it while I was looking up links for him..
AFAIK, the "port" number listed in those firewall logs is not really the port number with ICMP as it would be with TCP or UDP. that "port" number is really the type of ICMP message recieved.
ICMP type 3 == destination unreachable
ICMP type 10 == router solicitation
ICMP type 13 == timestamp request
The destination unreachables are not unusual at all, unless you happen to know for a fact that your machine/network is not sending any traffic to the ip which is unreachable, in which case it is probably a secondary affect of someone spoofing your IP for something or other. Or I suppose they could have been trying to find out how your machine would respond to unsolicited destination unreachables, I dont know really.
The timestamp one seems a bit odd, but it might be normal traffic, I dont know.
The router solicitation seems very odd, as from my brief look at info about it that is usually traffic meant for the local network, no idea why it would arrive at your machine over the internet.
February 2nd, 2004, 09:44 PM
Thank you so much for your responses.
I am concerned as I am receiving ALOT of this in my logs from various IPs.
Am continuing to investigate and appreciate your links....