
What are these packets up to?

cleverhandle (Diamond Member, joined Dec 17, 2001)
I've been seeing some odd entries in my PF logs the last couple of days. Not many of them - just a couple at a time on maybe 3 of the last 5 days. They look like:

Aug 19 00:20:01 achilles pf: Aug 19 00:13:40.729752 rule 27/0(match): pass in on tun0: 63.x.x.x > 69.x.x.178: icmp: host 65.x.x.x unreachable - admin prohibited filter
Aug 19 00:20:01 achilles pf: Aug 19 00:13:41.223911 rule 27/0(match): pass in on tun0: 63.x.x.x > 69.x.x.182: icmp: host 65.x.x.x unreachable - admin prohibited filter
Aug 19 00:45:01 achilles pf: Aug 19 00:36:11.480668 rule 27/0(match): pass in on tun0: 63.x.x.x > 69.x.x.181: icmp: host 65.x.x.x unreachable - admin prohibited filter

I've got the addresses in 69. The 63. host is the same on a given day, and all come from a single Class C. None of those addresses officially exist. The 65. hosts also vary depending on the day, but all belong to a Class B from qwest.net. The packets are logged because I have a rule logging unusual (non-ping/traceroute) ICMP traffic. I don't think it's connected to any traffic of mine - 181 and 182 are in my block, but are not in use. 178 is the address to which I map a NAT network, but has no physical interface. FWIW, 180 is also unused, though it apparently did not receive these packets.

Any ideas?

cleverhandle (Diamond Member, joined Dec 17, 2001)
But as far as I can tell, the only ICMP traffic from Welchia/Nachi is ping traffic. There's no reason that should come back to me - if a machine spoofed my address as the source for an ICMP packet, it wouldn't get the reply and thus wouldn't be able to see if the potential victim is alive or not. Also, the earliest logs were from Saturday, which is a bit before the Welchia/Nachi stuff started.

spidey07 (No Lifer, joined Aug 4, 2000)
Looks like you're blocking ICMP unreachable packets. Something is trying to send to 65.x.x.x and the host or application (port) is unreachable.

Generally you don't want to block ICMP unreachables. It can cause problems with some applications and MTU path discovery. I'd recommend allowing these two:

ICMP echo reply
ICMP unreachable (port, host and network)

cleverhandle (Diamond Member, joined Dec 17, 2001)
I'm not blocking them - note the "pass in" - just logging them because I don't really grok ICMP and want to see what it's doing. But again, 181 and 182 don't exist. How would they be on the receiving end of a host unreachable packet?
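As an added example (not code from this thread), here is a small Python parser for pflog lines in the tcpdump layout quoted above. It classifies each ICMP message and, for an unreachable, pulls out the original destination named inside it. The check that matters for the question in this thread is which local address the unreachable was delivered to: a router addresses an unreachable to the source of the packet it dropped, so one arriving for an address that never originates traffic means a third party put that address in the source field of its own packets (spoofed-source backscatter). That is an indicator worth recording, not a reason to block unreachables. The sample lines and their RFC 5737 documentation addresses are constructed, and the set of in-use addresses is an assumption standing in for the poster's NAT-mapped .178.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample lines in the pflog/tcpdump layout shown in the thread.
# Addresses are RFC 5737 documentation ranges, not the poster's real hosts;
# 198.51.100.178 stands in for the NAT-mapped address, .181/.182 for unused ones.
SAMPLE_LOG = """\
Aug 19 00:20:01 achilles pf: Aug 19 00:13:40.729752 rule 27/0(match): pass in on tun0: 203.0.113.9 > 198.51.100.178: icmp: host 192.0.2.44 unreachable - admin prohibited filter
Aug 19 00:20:01 achilles pf: Aug 19 00:13:41.223911 rule 27/0(match): pass in on tun0: 203.0.113.9 > 198.51.100.182: icmp: host 192.0.2.44 unreachable - admin prohibited filter
Aug 19 00:45:01 achilles pf: Aug 19 00:36:11.480668 rule 27/0(match): pass in on tun0: 203.0.113.9 > 198.51.100.181: icmp: host 192.0.2.44 unreachable - admin prohibited filter
Aug 19 01:02:13 achilles pf: Aug 19 01:00:02.000001 rule 27/0(match): pass in on tun0: 203.0.113.9 > 198.51.100.178: icmp: 192.0.2.44 udp port 33434 unreachable
Aug 19 01:05:00 achilles pf: Aug 19 01:04:59.500000 rule 12/0(match): pass in on tun0: 203.0.113.20 > 198.51.100.178: icmp: echo reply
"""

# Rule number, verdict, direction, interface, outer src/dst, and the ICMP body.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<verdict>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<body>.*)$"
)
# Unreachable phrasings used by tcpdump; each names the destination of the
# packet that was dropped (the "original destination").
UNREACH_RES = [
    re.compile(r"^(?:host|net) (?P<orig_dst>[\d.]+) unreachable(?: - (?P<reason>.+))?$"),
    re.compile(r"^(?P<orig_dst>[\d.]+) (?P<proto>tcp|udp) port (?P<port>\d+) unreachable$"),
]


@dataclass
class IcmpEvent:
    rule: int
    src: str                        # router/host that generated the ICMP message
    dst: str                        # our address the message was delivered to
    kind: str                       # "unreachable", "echo", "time-exceeded", "other"
    orig_dst: Optional[str] = None  # destination of the packet that triggered it
    reason: Optional[str] = None


def parse_line(line: str) -> Optional[IcmpEvent]:
    """Parse one pflog ICMP line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("body").strip()
    ev = IcmpEvent(int(m.group("rule")), m.group("src"), m.group("dst"), "other")
    if body.startswith("echo"):
        ev.kind = "echo"                # ping request/reply
    elif body.startswith("time exceeded"):
        ev.kind = "time-exceeded"       # traceroute residue
    else:
        for rx in UNREACH_RES:
            um = rx.match(body)
            if um:
                gd = um.groupdict()
                ev.kind = "unreachable"
                ev.orig_dst = gd["orig_dst"]
                ev.reason = gd.get("reason") or (
                    f"{gd['proto']} port {gd['port']}" if "proto" in gd else None)
                break
    return ev


def backscatter_candidates(lines: Iterable[str], in_use: Set[str]) -> List[IcmpEvent]:
    """Unreachables delivered to addresses that never originate traffic.

    A router sends an unreachable back to the *source* of the packet it dropped,
    so one arriving for an address we never use means someone else sent packets
    with that address forged as the source. Record it; nothing needs blocking.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.kind == "unreachable" and ev.dst not in in_use:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # Assumed in-use set: only the NAT-mapped address sends traffic.
    for ev in backscatter_candidates(SAMPLE_LOG.splitlines(), {"198.51.100.178"}):
        print(f"rule {ev.rule}: {ev.src} says {ev.orig_dst} unreachable ({ev.reason}) "
              f"to unused local address {ev.dst}")
```

Run against a real pflog export, the in-use set would be the addresses that actually appear as packet sources on the external interface; anything else that receives unreachables is being used as a forged source somewhere upstream, which fits unreachables landing on .181 and .182 while the NAT address .178 also gets them for traffic it legitimately sent.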