
I'm investigating a server that pings throughout the day to random IPs on the internet. I set up IPtables to log and drop (INPUT & OUTPUT) packets but I still see icmp traffic on the network firewall. I can't seem to track the process that is initiating these.

Looked at a lot of questions regarding network traffic with tcp/udp ports, but icmp does not use ports.

Find out what Linux software is trying to phone home

https://unix.stackexchange.com/questions/306524/monitor-which-application-generate-icmp-ping-traffic

I've tried iptables, tcpdump, lsof, and netstat. I've probably not used them correctly or quick icmp packets are hard to trace down.

Red Hat Linux 5.x VM and I can't upgrade because it runs legacy web pages

Here is a pastebin link to the IP list

```
Chain OUTPUT (policy ACCEPT 2129K packets, 1555M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2834  248K LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 8 level 4
 2834  248K DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
```

```
Dec  6 14:51:41 xx kernel: IN=eth0 OUT= MAC=00:0c:29 SRC=72.204.209.197
DST=x LEN=96 TOS=0x00 PREC=0x00 TTL=252 ID=29693 PROTO=ICMP TYPE=3 CODE=13
[SRC=x DST=192.168.224.161 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=56354 DF PROTO=TCP SPT=53646 DPT=17778 WINDOW=5840 RES=0x00 SYN URGP=0 ]
```
ssvegeta96
  • What's most troubling is that you blocked them with the local firewall but you are seeing them on the network firewall. That tells me something else is going on or you have a misunderstanding somewhere. – schroeder Dec 06 '17 at 22:45
  • Well, the server has 1 IP. I check that IP on the firewall... and what do I see? ICMP..... and as you can see from the iptables output it's dropping packets..... so I don't know. I'm going to add logged messages as well just in case. – ssvegeta96 Dec 06 '17 at 23:03
  • Added it, although that's an inbound drop, which are blocked as well. – ssvegeta96 Dec 06 '17 at 23:11
  • can you confirm that the packets are coming from the port the server is connected to on the switch/router? It's possible if you're seeing the packet at the network FW but not local, something could be spoofing the source IP in the ping (not sure what the goal of that would be though). – K.B. Dec 07 '17 at 15:59
  • That's a good point. I'll look into it. UPDATE: I added this to the system to stop replies http://www.thegeekstuff.com/2010/07/how-to-disable-ping-replies-in-linux/ and there is still traffic on the firewall. – ssvegeta96 Dec 07 '17 at 17:29
  • How about your inbound rules? What are they like? If INPUT does properly block them from coming in you may continue to have issues. – cybernard Dec 13 '17 at 00:51
  • Input rules have been in place and they show traffic being dropped. `Chain INPUT (policy ACCEPT 1912K packets, 1409M bytes) pkts bytes target prot opt in out source destination 0 0 LOG icmp -- * * xx.0.0/16 0.0.0.0/0 LOG flags 0 level 4 0 0 ACCEPT icmp -- * * xx.0.0/16 0.0.0.0/0 2203 97058 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 8 level 4 2203 97058 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0` – ssvegeta96 Dec 14 '17 at 18:13

1 Answer


Given that one packet in the log snippet above, your system is not "pinging" random IPs on the internet. "Pinging" refers to ICMP type 8, an echo request. Looking closer at the packet:

PROTO=ICMP TYPE=3 CODE=13 

Type 3 is Destination Unreachable (RFC792), and code 13 is Communication administratively prohibited (RFC1812). So this means your server is not reaching out to remote hosts, but rather is sending these ICMP messages in response to some traffic that is reaching it, which it appears to be refusing to forward. Without seeing the traffic that prompted these control messages, it is difficult to know exactly what is going on. I suggest that you look for anomalous traffic with matching addresses that immediately precedes these ICMP messages.

multithr3at3d
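To make the distinction the answer draws (an echo request versus a type 3 error message about the host's own traffic) mechanical, here is an added Python triage helper that is not part of the question or the answer: it parses an iptables LOG line, including the bracketed original packet that ICMP error messages quote, and states what the logged packet actually is. The sample lines are constructed from the one in the question, with the asker's masked host address replaced by a documentation IP.

```python
import re

# Constructed sample lines modelled on the iptables LOG output in the question;
# the asker's masked address ("x") is replaced with a documentation IP.
ERROR_LOG = (
    "Dec  6 14:51:41 host kernel: IN=eth0 OUT= MAC=00:0c:29 SRC=72.204.209.197 "
    "DST=203.0.113.10 LEN=96 TOS=0x00 PREC=0x00 TTL=252 ID=29693 PROTO=ICMP TYPE=3 CODE=13 "
    "[SRC=203.0.113.10 DST=192.168.224.161 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=56354 DF "
    "PROTO=TCP SPT=53646 DPT=17778 WINDOW=5840 RES=0x00 SYN URGP=0 ]"
)
PING_LOG = ("Dec  6 14:52:00 host kernel: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 "
            "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1")

# Destination-unreachable codes from RFC 792 / RFC 1812 (only the common ones)
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net administratively prohibited", 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_fields(text):
    """Turn KEY=value tokens into a dict; bare flags such as DF or SYN become True."""
    fields = dict(KV_RE.findall(text))
    for token in text.split():
        if "=" not in token and token.isupper():
            fields[token] = True
    return fields

def parse_iptables_log(line):
    """Split a LOG line into the outer packet and, for ICMP errors, the quoted
    original packet inside [...] (the packet the error message is about)."""
    m = re.search(r"\[(.*)\]", line)
    outer = parse_fields(line[:m.start()] if m else line)
    inner = parse_fields(m.group(1)) if m else None
    return outer, inner

def explain(line):
    """One-line triage verdict: a real ping, or an error about the host's own traffic?"""
    outer, inner = parse_iptables_log(line)
    if outer.get("PROTO") != "ICMP":
        return "not ICMP"
    icmp_type, code = int(outer["TYPE"]), int(outer["CODE"])
    direction = "inbound" if outer.get("IN") else "outbound"  # IN= is empty on OUTPUT-chain logs
    if icmp_type == 8:
        return f"{direction} ping (echo request) from {outer['SRC']} to {outer['DST']}"
    if icmp_type == 3 and inner:
        orig = (f"{inner.get('PROTO')} {inner['SRC']}:{inner.get('SPT', '?')} -> "
                f"{inner['DST']}:{inner.get('DPT', '?')}")
        return (f"{direction} destination unreachable ({UNREACH_CODES.get(code, f'code {code}')}) "
                f"from {outer['SRC']}; it answers the host's own packet {orig}")
    return f"{direction} ICMP type {icmp_type} code {code} from {outer['SRC']} to {outer['DST']}"
```

Run over the question's packet this reports an inbound error quoting the host's own TCP SYN to 192.168.224.161:17778, which is the connection attempt to chase down rather than the ICMP itself.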