ICMP Port 3 Scans?

Daniel

Diamond Member
I have a SonicWall firewall set up, and for the last few days I've been getting scanned on port 3 from one other IP at my same provider, once every second, for the last 4 days. I called them days ago, but they said they didn't know what it was.

I was already blocking it, so the logs I get are just all the dropped packets, but I'm now up to 5 full log emails a day with almost all of that, and I don't know what it is from. Does anyone know where that would be coming from, or have any ideas what the deal in general is with it?

thanks,
Daniel
 

Daniel

Diamond Member
Surely...

2/5/2003 - Time - ICMP Packet Dropped - Source: Their IP, 3 - Destination: My ip, 3

That is pretty much every line in my logs, every minute for the last few days. I just talked to the NOC at my provider and they are still looking into it.

Edit: that format shows it as port 3, not a type 3, although admittedly I don't know much about the difference in ICMP types.
 

spidey07

No Lifer
The full list (from RFC1700) is shown below:

Type    Name                                       Reference
----    ----------------------------------------   ---------
0       Echo Reply                                 [RFC792]
1       Unassigned                                 [JBP]
2       Unassigned                                 [JBP]
3       Destination Unreachable                    [RFC792]
4       Source Quench                              [RFC792]
5       Redirect                                   [RFC792]
6       Alternate Host Address                     [JBP]
7       Unassigned                                 [JBP]
8       Echo                                       [RFC792]
9       Router Advertisement                       [RFC1256]
10      Router Selection                           [RFC1256]
11      Time Exceeded                              [RFC792]
12      Parameter Problem                          [RFC792]
13      Timestamp                                  [RFC792]
14      Timestamp Reply                            [RFC792]
15      Information Request                        [RFC792]
16      Information Reply                          [RFC792]
17      Address Mask Request                       [RFC950]
18      Address Mask Reply                         [RFC950]
19      Reserved (for Security)                    [Solo]
20-29   Reserved (for Robustness Experiment)       [ZSu]
30      Traceroute                                 [RFC1393]
31      Datagram Conversion Error                  [RFC1475]
32      Mobile Host Redirect                       [David Johnson]
33      IPv6 Where-Are-You                         [Bill Simpson]
34      IPv6 I-Am-Here                             [Bill Simpson]
35      Mobile Registration Request                [Bill Simpson]
36      Mobile Registration Reply                  [Bill Simpson]
37-255  Reserved                                   [JBP]

No idea why you would get destination unreachables unless you have some kind of spyware that is trying to talk to an IP/network/service that isn't responding.
 

mboy

Diamond Member
I am no expert like Spidey, but isn't ICMP port 3 a return-based error? Like your computer is looking to connect to that IP on port 3 or whatever, and the ICMP is being kicked back saying that port is unreachable.

Again, the gurus would know better than me, but that is my slightly undereducated guess.
 

spidey07

No Lifer
More info on ICMP...

Many of these ICMP types have a "code" field. Here we list the types again with their assigned code fields.

Type  Name
----  -------------------------
0     Echo Reply (used by "ping")
      Codes
        0  No Code
1     Unassigned
2     Unassigned
3     Destination Unreachable
      Codes
        0  Net Unreachable
        1  Host Unreachable
        2  Protocol Unreachable
        3  Port Unreachable
        4  Fragmentation Needed and Don't Fragment was Set
        5  Source Route Failed
        6  Destination Network Unknown
        7  Destination Host Unknown
        8  Source Host Isolated
        9  Communication with Destination Network is Administratively Prohibited
       10  Communication with Destination Host is Administratively Prohibited
       11  Destination Network Unreachable for Type of Service
       12  Destination Host Unreachable for Type of Service
4     Source Quench
      Codes
        0  No Code
5     Redirect
      Codes
        0  Redirect Datagram for the Network (or subnet)
        1  Redirect Datagram for the Host
        2  Redirect Datagram for the Type of Service and Network
        3  Redirect Datagram for the Type of Service and Host
6     Alternate Host Address
      Codes
        0  Alternate Address for Host
7     Unassigned
8     Echo (used by "ping")
      Codes
        0  No Code
9     Router Advertisement
      Codes
        0  No Code
10    Router Selection
      Codes
        0  No Code
11    Time Exceeded
      Codes
        0  Time to Live exceeded in Transit
        1  Fragment Reassembly Time Exceeded
12    Parameter Problem
      Codes
        0  Pointer indicates the error
        1  Missing a Required Option
        2  Bad Length
13    Timestamp
      Codes
        0  No Code
14    Timestamp Reply
      Codes
        0  No Code
15    Information Request
      Codes
        0  No Code
16    Information Reply
      Codes
        0  No Code
17    Address Mask Request
      Codes
        0  No Code
18    Address Mask Reply
      Codes
        0  No Code
19    Reserved (for Security)
20-29 Reserved (for Robustness Experiment)
30    Traceroute
31    Datagram Conversion Error
32    Mobile Host Redirect
33    IPv6 Where-Are-You
34    IPv6 I-Am-Here
35    Mobile Registration Request
36    Mobile Registration Reply

-------------------------
If you are getting an ICMP type 3, code 3, then that is "destination port unreachable". That means you are trying to talk to a computer on a specific UDP/TCP port that is closed. The host will send you a "destination port unreachable".

Can you get a packet trace of the ICMP frame? The ICMP frame will also include the header of the original frame that caused the control message.

Methinks you have something running on your machine that you are not aware of.

-edit- more technical network guru chest pounding... ICMP doesn't use a PORT per se, because there really isn't any layer 4 with ICMP. PORT is something you use with UDP/TCP. ICMP is a control protocol and not a session- or connection-oriented protocol, so there is no need for layer 4.
 
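Added example, mine rather than spidey07's or anything from the thread: a Python script that builds the kind of ICMP Destination Unreachable (type 3, code 3) message a remote host returns when a UDP datagram hits a closed port, then decodes it the way you would read it off a packet trace, pulling the quoted original IP header and the first 8 bytes of the original transport header out of the ICMP payload to show which inside host and which destination port triggered it. That quoted header is the part the firewall's one-line log throws away. Addresses are RFC 5737 documentation ranges; the ports and function names are assumptions for illustration.

```python
"""Build and decode an ICMP Destination Unreachable message. Added example, not
code from the thread: addresses are RFC 5737 documentation ranges and the ports
and function names are assumptions for illustration."""
import socket
import struct

# ICMP error types that quote the offending datagram (RFC 792): IP header + 8 bytes.
ICMP_ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
                    11: "Time Exceeded", 12: "Parameter Problem"}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (used by IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_port_unreachable(orig_src: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """What orig_dst sends back when a UDP datagram from orig_src arrives on a closed
    port: IP(orig_dst -> orig_src) / ICMP type 3 code 3 / quoted original IP header
    + first 8 bytes of the original transport header."""
    orig_udp = struct.pack("!HHHH", sport, dport, 8 + 4, 0)       # UDP header of a 4-byte datagram
    orig_ip = ipv4_header(orig_src, orig_dst, 17, 8 + 4)           # 17 = UDP
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + orig_ip + orig_udp   # type, code, csum, unused
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(orig_dst, orig_src, 1, len(icmp)) + icmp     # 1 = ICMP


def decode_icmp(frame: bytes) -> dict:
    """Decode an IPv4/ICMP frame. For error types, recover the quoted datagram so the
    inside host and destination port that caused the error can be identified."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        raise ValueError("not an ICMP datagram")
    icmp = frame[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    out = {"from": socket.inet_ntoa(frame[12:16]), "to": socket.inet_ntoa(frame[16:20]),
           "type": icmp[0], "code": icmp[1]}
    if icmp[0] not in ICMP_ERROR_TYPES:
        return out                      # echo, timestamp, etc. quote nothing
    inner = icmp[8:]
    if len(inner) < 20:
        out["original"] = "truncated"   # a trace that cut the payload cannot tell us more
        return out
    inner_ihl = (inner[0] & 0x0F) * 4
    orig = {"src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "proto": inner[9]}
    l4 = inner[inner_ihl:inner_ihl + 8]
    if orig["proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports are the first 4 bytes
        orig["sport"], orig["dport"] = struct.unpack("!HH", l4[:4])
    out["original"] = orig
    return out


if __name__ == "__main__":
    # Inside host 192.0.2.10 sent UDP to 198.51.100.7:161; that host answers with type 3 / code 3.
    frame = build_port_unreachable("192.0.2.10", "198.51.100.7", 40000, 161)
    print(decode_icmp(frame))
```

Feed decode_icmp the bytes of one of the dropped packets from a capture on the outside interface and the "original" entry names the inside source address and the port it was trying to reach, which is exactly the detail needed to decide whether something on the LAN is generating the traffic. If the capture truncated the payload, the function says so rather than guessing.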

Daniel

Diamond Member
Hmm, the only thing I can think of is we have one user that has Hotbar installed. I've explained how it's spyware, etc., and I was told to leave it as he "really likes the cool bar in Outlook". Ugh... think something like that might cause it?
 

mboy

Diamond Member
That's exactly where I was going, Spidey :)
Looks like he is broadcasting something out to get that error.

Run the new Ad-Aware to make sure it isn't something spyware-based, and also a trojan scanner (some have full 30-day evaluation versions).
 

spidey07

No Lifer
To really get at the root cause you're gonna need to get packet traces of the sender and receiver.

Can you turn the logging up to something more detailed? Microsoft has a free packet sniffer, as well as Ethereal. You'd want to use this on the inside and outside of your firewall.

My advice is now turning into a billable service. Simply PM with your CC# or a PO. :)
 

Daniel

Diamond Member
Unfortunately that is as detailed as the firewall logs get; I could check out a scanner, though.

If anything it gives me some fuel to rip that freaking hotbar off his pc with a good reason.

thanks for the suggestions,
Daniel
 

spidey07

No Lifer
Also remember that networks and the internet have some amount of "background noise". Stuff like this I don't worry about.
 

Oaf357

Senior member
I'd be kicking my provider's ass if they said they didn't know what it was. If it's on their network it needs to get fixed. Just forward your log e-mails to them every day; they'll want it to stop too.
 

spidey07

No Lifer
I really think it is something on his network trying to talk to a socket (host+port) that isn't open. If we could capture the actual ICMP packet it is easy to find out what the ICMP is replying to.
 

mboy

Diamond Member
Originally posted by: Oaf357
I'd be kicking my provider's ass if they said they didn't know what it was. If it's on their network it needs to get fixed. Just forward your log e-mails to them every day; they'll want it to stop too.

Do you think some clown at Optimum Online cable or Road Runner cable is going to know what the hell he is even talking about? :D
 

Oaf357

Senior member
Originally posted by: mboy
Originally posted by: Oaf357
I'd be kicking my provider's ass if they said they didn't know what it was. If it's on their network it needs to get fixed. Just forward your log e-mails to them every day; they'll want it to stop too.

Do you think some clown at Optimum Online cable or Road Runner cable is going to know what the hell he is even talking about? :D

I know that I had a similar problem (many more hosts and protocols but similar in nature) using RR not too long ago. I mounted up evidence, wrote a nice explanatory e-mail, then sent it to numerous addresses at RR. The problem was solved in under 72 hours. So yes, if you're professional about it and lay it all down, they'll have to do something because they know you know what you're talking about and they also know that they have competitors.
 

Daniel

Diamond Member
I only got to work on it for a little while yesterday; I ended up getting involved in an annoying car accident. Everyone is fine, fortunately. I'll save my rants on some SUV drivers thinking you don't slip on ice for another time.

One thing I did try, though, was blocking port 3 both in and out of the firewall and getting logging both ways. The whole time I checked it I was not getting a single request from inside our firewall to go outside, but still loads of them from that one outside IP trying to get back in.
 

mboy

Diamond Member
It isn't necessarily port 3 going out (it most likely is not), but if you broadcast ANYTHING out to a server that isn't responding, then it will send back the ICMP 3 letting your broadcasting computer know that the server it is trying to reach is not responding.
Get some anti-spyware like already mentioned and run it!
 

Daniel

Diamond Member
Originally posted by: mboy
It isn't necessarily port 3 going out (it most likely is not), but if you broadcast ANYTHING out to a server that isn't responding, then it will send back the ICMP 3 letting your broadcasting computer know that the server it is trying to reach is not responding.
Get some anti-spyware like already mentioned and run it!

Ugh, good point; my head was elsewhere when I did it. I can't believe I didn't think of that. I did get Ad-Aware, though, and killed the junk on that one guy's computer.
 

mboy

Diamond Member
I used to get them all the time on my SonicWall (both of them, actually), but then I unchecked "dropped ICMP" in the log settings and I didn't have to look at them anymore.

I wouldn't sweat the ICMP stuff anyway (which is why I dropped it from my logs).
 

Oaf357

Senior member
Originally posted by: mboy
I used to get them all the time on my SonicWall (both of them, actually), but then I unchecked "dropped ICMP" in the log settings and I didn't have to look at them anymore.

I wouldn't sweat the ICMP stuff anyway (which is why I dropped it from my logs).

I log everything because I want to know everything that's going on. I don't get dropped ICMPs too often. Besides I have my firewall locked down, inside and out. So if something is trying to get in that was initiated from the LAN I want to know about it.
 

ScottMac

Moderator, Networking, Elite member
Maybe the result of some kind of DoS/DDoS attack, kinda like a smurf with pings... (someone is putting your address in a fat ping or something).

I get 'em too, and I am "fer sher" not putting out any packets that I don't know about.

Keep sending the logs to your ISP, maybe they'll put up a filter....

.02

Scott