Non stop ICMP traffic to/from firewall

azev

Golden Member
Jan 27, 2001
1,003
0
76
Well, last night I was trying to upgrade my SonicWall with the latest firmware and the ViewPoint server. I successfully upgraded the firewall firmware, but not the ViewPoint (syslog server).
Now this morning I cannot access the management interface on my firewall, but my LAN port is blinking like crazy. I uninstalled the new version of ViewPoint and I noticed then that my syslog server is pinging the firewall. The OS is Win2k Server. So what can I do to find out what is sending this traffic and how to stop it??

Thanks

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: azev
Well, last night I was trying to upgrade my SonicWall with the latest firmware and the ViewPoint server. I successfully upgraded the firewall firmware, but not the ViewPoint (syslog server).
Now this morning I cannot access the management interface on my firewall, but my LAN port is blinking like crazy. I uninstalled the new version of ViewPoint and I noticed then that my syslog server is pinging the firewall. The OS is Win2k Server. So what can I do to find out what is sending this traffic and how to stop it??

Thanks

You probably have the Blaster worm or one of its variants. Update your virus definitions, run a full sweep and apply the patch.
 

azev

Golden Member
Jan 27, 2001
1,003
0
76
Nope. I am sure that it is not the virus. The computer itself is a NAV server for the company.
From what I gather from Network Monitor, the server is trying to send ICMP packets to the internal interface of the firewall, which is probably because of the failed installation of the new syslog software. Now that I know that my server is the culprit, how do I find out what is causing the server to send ICMP??
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: azev
Nope. I am sure that it is not the virus. The computer itself is a NAV server for the company.
From what I gather from Network Monitor, the server is trying to send ICMP packets to the internal interface of the firewall, which is probably because of the failed installation of the new syslog software. Now that I know that my server is the culprit, how do I find out what is causing the server to send ICMP??

OK, have you scanned with recent pattern files?

The pinging is one sign of the worm.
 

azev

Golden Member
Jan 27, 2001
1,003
0
76
It is scanning right now, but my server is set up to do a full scan every night and the log said that it didn't find anything. The server is updated with all the current patches.
 

azev

Golden Member
Jan 27, 2001
1,003
0
76
I ran Network Monitor and it basically said that it tries to send ICMP packets to the internal interface of the firewall and gets no response. It sends about 3000 packets/s. It is freakin' weird....... there must be something in the syslog server software that triggers this, but I double checked and made sure that all the files are gone/uninstalled. I am going to try installing SP4; hopefully this will fix the problem.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: azev
I ran Network Monitor and it basically said that it tries to send ICMP packets to the internal interface of the firewall and gets no response. It sends about 3000 packets/s. It is freakin' weird....... there must be something in the syslog server software that triggers this, but I double checked and made sure that all the files are gone/uninstalled. I am going to try installing SP4; hopefully this will fix the problem.

Maybe check your services and see what app is blasting that much traffic. 30,000 packets per second?

Something ain't right chief.

 

groovin

Senior member
Jul 24, 2001
857
0
0
You can block the ICMPs from leaving your Win2k box with some kind of software firewall... that's just to stop the traffic flow while you troubleshoot.

Find out what service is pinging.... if you can't do that, systematically start and restart services until the ICMP stops...

 

azev

Golden Member
Jan 27, 2001
1,003
0
76
Paying more attention to the packets, it is UDP with destination port 514, which the SonicWall uses to send its log to the syslog server. I have emailed their tech support and will see what is up. Right now, I am going to try to install the new syslog software again and see if I can configure it correctly this time. I hope that will fix it.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: azev
Paying more attention to the packets, it is UDP with destination port 514, which the SonicWall uses to send its log to the syslog server. I have emailed their tech support and will see what is up. Right now, I am going to try to install the new syslog software again and see if I can configure it correctly this time. I hope that will fix it.

ding, ding, ding!

The ICMP messages are probably not pings, but destination port unreachable. Looks like your syslog server is broken or you're not listening on that port (514, syslog I believe).

Check with netstat -an and maybe try to fix your syslog.

 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Most syslog packages don't listen on the network by default (not sure about SonicWall though); if you upgraded something it may have set the configuration back to defaults. But IME syslog clients don't try to resend messages that are lost, so unless the syslog client is logging the dropped packets (i.e. send syslog message, get port unreachable, log port unreachable, get port unreachable, log port unreachable, etc.) it shouldn't be hammering anything.
 
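Spidey07's point that the "pings" are probably ICMP destination/port unreachable replies, and Nothinman's point that a sender logging each rejection can end up in a loop, both come down to reading the ICMP payload rather than just seeing "ICMP" in a capture. The following is an added Python example written for this thread; it is not code from the thread, from SonicWall or from any ViewPoint product. It builds a constructed capture (hypothetical addresses 192.168.1.1 for the firewall and 192.168.1.10 for the syslog server, a made-up UDP source port 40000) and classifies each ICMP packet by the inner header quoted in a type 3 message, so a flood shows up as "dest-unreachable for dport 514" instead of as "pinging". Only the IP/ICMP/UDP header layouts and the standard syslog port come from the specs; the packets themselves are synthetic.

```python
import ipaddress
import struct
from collections import Counter

# Constants from the IP/ICMP specs (RFC 791/792); everything else below is constructed.
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_DEST_UNREACH = 3
ICMP_CODE_PORT_UNREACH = 3
ICMP_ECHO_REQUEST = 8
SYSLOG_PORT = 514

# Constructed sample addresses (hypothetical; not taken from the thread).
FIREWALL = "192.168.1.1"
SYSLOG_SERVER = "192.168.1.10"


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; checksum left 0 since nothing transmits this)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport, dport, data):
    """UDP header; length covers the 8-byte header plus data, checksum 0 means none."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_port_unreach(rejected_ip_packet):
    """ICMP type 3 code 3: 4-byte header, 4 unused bytes, then the rejected datagram's IP
    header and the first 8 bytes of its payload (enough to see the UDP ports), per RFC 792."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, 0, 0) + rejected_ip_packet[:28]


def build_icmp_echo(ident, seq):
    """ICMP type 8, i.e. a genuine ping."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + b"ping"


def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) for an IPv4 packet, honouring the IHL field."""
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def classify_icmp(packet):
    """Tell a real ping apart from a rejection of an earlier datagram. For destination
    unreachable, the quoted inner header names the refused service (protocol + dest port)."""
    src, dst, proto, icmp = parse_ipv4(packet)
    if proto != IPPROTO_ICMP:
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == ICMP_ECHO_REQUEST:
        return {"src": src, "dst": dst, "kind": "echo-request", "inner": None}
    if icmp_type == ICMP_DEST_UNREACH:
        in_src, in_dst, in_proto, in_payload = parse_ipv4(icmp[8:])
        sport, dport = struct.unpack("!HH", in_payload[:4])  # UDP and TCP both start with the ports
        return {"src": src, "dst": dst, "kind": "dest-unreachable", "code": code,
                "inner": {"src": in_src, "dst": in_dst, "proto": in_proto,
                          "sport": sport, "dport": dport}}
    return {"src": src, "dst": dst, "kind": "icmp-type-%d" % icmp_type, "inner": None}


def summarize(packets):
    """Count ICMP by (sender, kind, refused destination port). In a flood like the one in the
    thread this shows which service is being refused instead of a vague 'it is pinging'."""
    counts = Counter()
    for pkt in packets:
        info = classify_icmp(pkt)
        if info is None:
            continue
        dport = info["inner"]["dport"] if info["inner"] else None
        counts[(info["src"], info["kind"], dport)] += 1
    return counts


def sample_capture():
    """Constructed capture: the firewall sends syslog to UDP/514, nothing is listening, so the
    server answers every datagram with port unreachable; one genuine ping is added for contrast."""
    syslog_msg = build_ipv4(FIREWALL, SYSLOG_SERVER, IPPROTO_UDP,
                            build_udp(40000, SYSLOG_PORT, b"<134>sonicwall: sample event"))
    port_unreach = build_ipv4(SYSLOG_SERVER, FIREWALL, IPPROTO_ICMP, build_icmp_port_unreach(syslog_msg))
    ping = build_ipv4(SYSLOG_SERVER, FIREWALL, IPPROTO_ICMP, build_icmp_echo(1, 1))
    return [port_unreach] * 5 + [ping]


if __name__ == "__main__":
    for key, n in summarize(sample_capture()).items():
        print(key, n)
```

Feeding real packets in is a matter of replacing sample_capture() with the raw IP payloads from a capture; the summary then answers the two questions the thread circles around: whether the traffic is echo requests at all, and, if it is port unreachable, which destination port (here 514) the receiving host is refusing, which is what netstat -an on that host should be checked against.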

azev

Golden Member
Jan 27, 2001
1,003
0
76
You know, I really don't understand this. This afternoon when everyone was gone for lunch, I decided to reinstall the syslog software (ViewPoint 2.0). This time I followed the instructions carefully to make sure I didn't screw anything else up. Well, I successfully installed the syslog software, and the database is running just fine. Last night I was having problems with their SQL engine spitting errors and taxing about 70% of my CPU.
Well, when the program finished installing, the packets stopped. I checked Network Monitor and all the traffic seems normal. I set up the new syslog software and everything is working and back to normal.
I still don't have a freakin' clue what the hell happened last night till around noon today.
I should have exported the Network Monitor log and let you network packet masters figure out what is up.
At least everything is working again and I am happy with the new syslog software.

Thanks everyone.