ICMP, normal traffic?

on 02.10.2006 18:18:44 by johnnypoll

Hi,
I had no replies to my earlier "WAN Overload?" email. Sadly our ISP has
simply said that our hardware would not be adversely affected by
broadcast traffic. Here is output from our firewall showing many ICMP
logs; is it normal to receive so many all within a second? There may
well be more, this

MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - Source:=217.204.49.146 - Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]
MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=6- tcp packet - Source:=213.105.224.17 - Destination:=85.234.133.24 - [Connection unestablished, data arrives Src 36965 Dst 80 from WAN n/w]


.... and so on

John
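As an added example (not part of the original post, and not the firewall's own tooling): a small Python script that parses entries in the format quoted above, re-joins the lines a mail client wrapped, counts ICMP echo requests (type 8) per source, destination and second, and reports any burst at or above a threshold together with the number of distinct sequence numbers it saw. A standard ping increments the ICMP sequence number for every probe, so a burst in which every entry carries the same sequence number (as in the log above, 16516) is either the same packet logged repeatedly or a sender that does not increment it; the real packet count should be confirmed with a capture rather than read off the log alone. The sample log is constructed here to mimic the quoted format: the flood entries reuse the addresses quoted above, while the low-rate source 198.51.100.7 and the threshold of 10 per second are assumptions.

```python
import re
import sys
from collections import Counter, defaultdict

# Added example, not code from the original post. The record layout follows
# the firewall entries quoted in the thread; all sample data is constructed.

# Every record starts with a weekday/month/day stamp; a mail client may wrap
# the rest of the record onto the following lines.
DAY_START = re.compile(r"^(MON|TUE|WED|THU|FRI|SAT|SUN) [A-Z]{3} \d{2} ")

ENTRY_RE = re.compile(
    r'time="(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[^"]*"\s+'
    r"proto=(?P<proto>\d+)-\s+\w+\s+packet\s+-\s+"
    r"Source:=(?P<src>[\d.]+)\s+-\s+Destination:=(?P<dst>[\d.]+)\s+-\s+"
    r"\[(?P<detail>[^\]]*)\]"
)
ICMP_RE = re.compile(
    r"ICMP Type:\s*(?P<type>\d+)\s+Code:\s*(?P<code>\d+)\s+Sequence number:\s*(?P<seq>\d+)"
)


def iter_entries(text):
    """Yield one logical record per entry, re-joining wrapped lines."""
    buf = []
    for line in text.splitlines():
        if DAY_START.match(line):
            if buf:
                yield " ".join(buf)
            buf = [line.strip()]
        elif line.strip() and buf:
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)


def parse_entry(entry):
    """Return timestamp, protocol, addresses and (for ICMP) type/code/sequence,
    or None when the record is not in the expected shape."""
    m = ENTRY_RE.search(entry)
    if not m:
        return None
    rec = {"ts": m["ts"], "proto": int(m["proto"]), "src": m["src"],
           "dst": m["dst"], "icmp_type": None, "icmp_code": None, "seq": None}
    if rec["proto"] == 1:
        im = ICMP_RE.search(m["detail"])
        if im:
            rec["icmp_type"] = int(im["type"])
            rec["icmp_code"] = int(im["code"])
            rec["seq"] = int(im["seq"])
    return rec


def echo_request_summary(text):
    """Count echo requests (ICMP type 8) per (second, src, dst) and collect
    the sequence numbers seen for each key."""
    counts = Counter()
    seqs = defaultdict(set)
    for entry in iter_entries(text):
        rec = parse_entry(entry)
        if rec and rec["proto"] == 1 and rec["icmp_type"] == 8:
            key = (rec["ts"], rec["src"], rec["dst"])
            counts[key] += 1
            seqs[key].add(rec["seq"])
    return counts, seqs


def flag_floods(text, per_second_threshold=10):
    """Report every (second, src, dst) at or above the threshold (an assumed
    starting point; tune it to the link). distinct_seq == 1 for a large burst
    means duplicated log entries or a sender that never increments the
    sequence number, so confirm the packet count with a capture."""
    counts, seqs = echo_request_summary(text)
    findings = []
    for (ts, src, dst), n in sorted(counts.items()):
        if n >= per_second_threshold:
            findings.append({"ts": ts, "src": src, "dst": dst, "echo_requests": n,
                             "distinct_seq": len(seqs[(ts, src, dst)])})
    return findings


# Constructed sample: one entry wrapped as in the post, 34 identical
# single-line entries, two probes from an assumed low-rate source, one TCP entry.
WRAPPED_ENTRY = """MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon "
proto=1- icmp packet - Source:=217.204.49.146 -
Destination:=85.234.133.24 - [ICMP Type: 8 Code: 0 Sequence number:
16516 received from WAN n/w]"""
FLOOD_LINE = ('MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=1- icmp packet - '
              'Source:=217.204.49.146 - Destination:=85.234.133.24 - '
              '[ICMP Type: 8 Code: 0 Sequence number: 16516 received from WAN n/w]')
BENIGN = ('MON OCT 02 11:04:{s:02d} 2006 time="2006-10-02 11:04:{s:02d} Mon " proto=1- icmp packet - '
          'Source:=198.51.100.7 - Destination:=85.234.133.24 - '
          '[ICMP Type: 8 Code: 0 Sequence number: {seq} received from WAN n/w]')
TCP_LINE = ('MON OCT 02 11:04:05 2006 time="2006-10-02 11:04:05 Mon " proto=6- tcp packet - '
            'Source:=213.105.224.17 - Destination:=85.234.133.24 - '
            '[Connection unestablished, data arrives Src 36965 Dst 80 from WAN n/w]')
SAMPLE_LOG = "\n\n".join([WRAPPED_ENTRY] + [FLOOD_LINE] * 34
                         + [BENIGN.format(s=6, seq=1), BENIGN.format(s=7, seq=2)]
                         + [TCP_LINE])

if __name__ == "__main__":
    # Pipe a saved log in on stdin; with no input the constructed sample is used.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in flag_floods(text):
        print("{ts} {src} -> {dst}: {echo_requests} echo requests, "
              "{distinct_seq} distinct sequence number(s)".format(**f))
```

Run as `python3 icmp_burst.py < firewall.log` (file name assumed) against the raw export; the one-line and mail-wrapped layouts both parse. The per-second bucket matches the firewall's one-second timestamp resolution, so the tool cannot distinguish 35 packets in a second from one packet logged 35 times; that is exactly what the distinct-sequence column is there to raise.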

Re: ICMP, normal traffic?

on 02.10.2006 19:09:49 by Ansgar -59cobalt- Wiechers

johnnypoll wrote:
> I had no replies to my earlier "WAN Overload?" email. Sadly our ISP has
> simply said that our hardware would not be adversely affected by
> broadcast traffic. Here is output from our firewall showing many ICMP
> logs; is it normal to receive so many all within a second?

No, it's not normal to receive that many echo-requests. It may be
someone trying to DoS your uplink. The source IP looks like it's
dynamically assigned to dialup-users or something. The owner of the
netblock is Easynet [1], so you may want to contact them about this
matter.

However, since you said in your previous post that not only your inbound
but also your outbound traffic is unusually high, you may first want to
find out what's going on on your own network. Try inspecting the traffic
with a protocol analyzer (e.g. Wireshark [2]).

[1] http://www.easynet.net/
[2] http://www.wireshark.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich