
Even after running

iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j DROP

I keep getting ICMP type 3 code 13 packets on tcpdump. When I run tcpdump icmp, I get messages like:

19:41:31.923630 IP NAMESOURCE  > MY_NAME: ICMP net IP_SOURCE unreachable, length 76

My question is, how can I get rid of these packets?

Btw, I'm getting these packets from multiple sources, which leads me to think this might be some kind of (D)DoS. But I'm not sure which role I'm playing in this.

Also, snort keeps giving alerts:

[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3] 
05/02-19:44:20.171298 SOURCE_IP -> MY_IP
ICMP TTL:238 TOS:0x0 ID:13584 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
MY_IP:47541 -> SOURCE_IP:8080
TCP TTL:47 TOS:0x0 ID:22750 IpLen:20 DgmLen:60 DF
Seq: 0x5EB7CF7A
** END OF DUMP
Diogo Melo

2 Answers


I'd hazard a guess (hard to be sure without more investigation) that someone is spoofing your IP as a source and you're getting the return traffic.

Remember that tcpdump examines the "wire" (i.e., BEFORE iptables), so you'll still see the traffic in tcpdump even if iptables is dropping it.

You can't stop the packets coming to you (your provider needs to do that), all you can do is drop them to minimize the impact on your host.

fukawi2
    What I tend to do is to rate limit them. Something like: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.icmp-ratelimit.html – hookenz May 03 '13 at 00:07
  • I wasn't going to go into the bikeshed of drop or not to drop ICMP. But FWIW, I agree. ICMP exists for a reason and does serve a purpose so it's best to rate-limit rather than flat-out drop them. – fukawi2 May 03 '13 at 00:19
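The answer above says the packets are probably the return traffic for something sent with your address as source, and the question asks which role the host is playing. The way to tell is to read the datagram that the ICMP message quotes (the ORIGINAL DATAGRAM DUMP in the snort alert): a Destination Unreachable is addressed to the source of the packet that was dropped, so if the quoted source is your own IP, either your host really sent that SYN or someone forged your address and you are receiving the backscatter. The following is an added example, not code from the question or either answer: it constructs an ICMP type 3 code 13 packet with the same layout and header values as the snort dump (RFC 5737 documentation addresses 192.0.2.10 and 198.51.100.7 stand in for MY_IP and SOURCE_IP), verifies both checksums, decodes the quoted IP header and TCP ports, and reports which of the three situations applies. The packet builder, the address choices and the role labels are assumptions for the sake of the example.

```python
"""Decode an ICMP Destination Unreachable (type 3) message and the datagram it quotes.

Constructed example, not code from the question or answers. Addresses are
RFC 5737 documentation ranges standing in for MY_IP and SOURCE_IP.
"""
import ipaddress
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header/message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, df=False):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_dest_unreachable(sender, victim, inner_src, sport, inner_dst, dport,
                           seq, code=13):
    """Packet a filtering host or router sends back after dropping a TCP segment.

    The ICMP body quotes the dropped datagram's IP header plus its first 8 bytes
    (TCP ports and sequence number), which is what snort printed as ORIGINAL
    DATAGRAM DUMP. TTL, ID and DF values mirror the dump in the question.
    """
    inner_ip = ipv4_header(inner_src, inner_dst, 6, 40, ttl=47, ident=22750, df=True)
    inner_l4 = struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_l4
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, victim, 1, len(icmp), ttl=238, ident=13584) + icmp


def parse_dest_unreachable(pkt: bytes) -> dict:
    """Validate both checksums and pull out the outer and quoted addresses/ports."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    icmp = pkt[ihl:total_len]
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not destination unreachable" % icmp[0])
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # quoted original datagram starts after the 8-byte ICMP header
    in_ver_ihl, _, _, _, _, in_ttl, in_proto, _, in_src, in_dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    quoted = inner[(in_ver_ihl & 0x0F) * 4:][:8]
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "code": icmp[1], "reason": ICMP_CODES.get(icmp[1], "code %d" % icmp[1]),
        "inner_src": socket.inet_ntoa(in_src), "inner_dst": socket.inet_ntoa(in_dst),
        "inner_proto": in_proto, "inner_ttl": in_ttl,
    }
    if in_proto in (6, 17) and len(quoted) >= 4:        # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[:4])
    if in_proto == 6 and len(quoted) >= 8:              # TCP: then the sequence number
        info["seq"] = struct.unpack("!I", quoted[4:8])[0]
    return info


def classify(info: dict, my_addrs) -> str:
    """Which role does the host receiving this ICMP message play? (labels are ours)"""
    mine = {ipaddress.ip_address(a) for a in my_addrs}
    if ipaddress.ip_address(info["dst"]) not in mine:
        return "not-for-us"                 # sniffed in promiscuous mode, or transiting through us
    if ipaddress.ip_address(info["inner_src"]) != ipaddress.ip_address(info["dst"]):
        return "forged-or-misdirected"      # RFC 1122: the error goes to the quoted datagram's source
    # The quoted datagram claims to come from us. Either this host really sent
    # that segment (compare against conntrack / local sockets) or a third party
    # is spoofing our address and we are receiving the backscatter.
    return "our-address-quoted"


if __name__ == "__main__":
    pkt = build_dest_unreachable("198.51.100.7", "192.0.2.10", "192.0.2.10", 47541,
                                 "198.51.100.7", 8080, 0x5EB7CF7A)
    info = parse_dest_unreachable(pkt)
    print("%s > %s: ICMP %s (type 3 code %d), quoting %s:%d -> %s:%d seq 0x%08X" % (
        info["src"], info["dst"], info["reason"], info["code"], info["inner_src"],
        info["sport"], info["inner_dst"], info["dport"], info["seq"]))
    print("role:", classify(info, ["192.0.2.10"]))
```

Run against the constructed packet this prints the same facts snort showed (quoted MY_IP:47541 -> SOURCE_IP:8080, seq 0x5EB7CF7A) and the role "our-address-quoted". That label does not by itself settle spoofing versus a compromised host: the quoted segment should be matched against what the host actually sent (conntrack, netstat, or an outbound capture). A host that really is sending the SYNs, as the Amazon abuse report in the comments below suggests, will show them leaving, while backscatter from spoofed traffic will not. Feeding the parser a captured packet instead of the constructed one only requires the raw IP bytes from tcpdump -w or a raw socket.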

Remember that iptables rules are processed in the order given, so if the chain returns before it reaches your rule, the rule won't have any effect.

Be careful: ICMP is critical for the working of the 'net; it is used to tell you that some connection won't work, among a long list of other error messages. To swamp any reasonable machine via ICMP would take quite some ingenuity from a miscreant, so don't worry too much about this.

vonbrand
  • Thanks for your reply. The iptables chain for input is dropping all ICMP. There is no accept for ICMP of any kind in the entire chain. I'm not sure what is happening. I got a report from Amazon saying that our VPS is port scanning other hosts. So I think someone is forging ICMP packets with my IP as the source/reply-to. – Diogo Melo May 02 '13 at 21:06