Trying to explain this strange traffic

Unanswered Question
Mar 24th, 2009

My 6500 with my IDSM2 is connected to my Internet router so all traffic to and from the Internet passes through to the hosts at the access layer (obviously). I constantly see ICMP Unreachable traffic crossing the IDSM2 from various foreign countries to various internal subnets. I have captured this traffic in a packet capture but it doesn't tell me anything useful. Sometimes it is just one or two packets, sometimes it's a lot more. Can anyone explain why I am seeing this traffic and what I should do about it?

smalkeric Mon, 03/30/2009 - 12:47

By default, each interface denies Internet Control Message Protocol (ICMP). Use the icmp command to allow this traffic to the interface. This behavior differs from that of the PIX.

Note: When ICMP to the interface is denied by the icmp command, you still see the correct MAC address in the Address Resolution Protocol (ARP) table. If you do not see the MAC address: configuring the interfaces within the FWSM configuration (with the nameif command) or on the Multilayer Switch Feature Card (MSFC) (with the interface vlan command) before they are configured on the switch (on the Supervisor Module in CatOS) may make the interfaces appear as if they are not responding at all, with no ARP entry or Internet Control Message Protocol (ICMP) response.

If you configured an interface on the FWSM or MSFC that belongs to the firewall VLANs before you configured the switch, remove the FWSM or MSFC entry, reload the module, then re-add the entry.

Phillip Remaker Mon, 03/30/2009 - 21:00

It could be that someone is spoofing traffic from your source addresses as part of some kind of denial-of-service attack. Are the source addresses valid? If the source addresses are in your address space but unassigned, I'd guess spoofing. But if they are regular PCs, I'd guess a scanning zombie or spam-zombie infestation on the machines to which the ICMP unreachable is headed.

Phillip Remaker Mon, 03/30/2009 - 21:03

Oh, another possibility is that the PCs in question are running uTorrent or some other p2p client and are trying to reach offline "seeders" who are normally providing material. I'd take a look at the addresses to which the ICMP is destined if you can.
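Both of the replies above come down to the same check: look at what the internal host supposedly sent, not just at the foreign address the ICMP came from. An ICMP Destination Unreachable (type 3) quotes the IP header and first 8 bytes of the datagram that provoked it, so the quoted inner packet shows the claimed internal sender, the foreign target, the protocol and the ports, and whether the reply came from the target itself (port unreachable) or from a router along the way (host/net unreachable, as you would get for offline P2P peers). The script below parses that quoted header and sorts a batch of unreachables into the buckets discussed in this thread: a quoted sender that is unassigned in your own space (backscatter from spoofing), an assigned host quoted talking to port 25 abroad (spam-zombie suspect), UDP to high ports (P2P-like), and one host quoted against many different foreign targets (scanning). This is an added example written for this thread, not code from the original poster's capture or from any Cisco tool; the local prefixes, the set of assigned hosts, the scan threshold and the sample packets are constructed assumptions standing in for the poster's two class B's.

```python
"""Triage ICMP Destination Unreachable (type 3) packets by the datagram they quote.

Added example for this thread. LOCAL_PREFIXES, ASSIGNED_HOSTS, SCAN_THRESHOLD and
SAMPLE are constructed assumptions using documentation address ranges; substitute
your own allocated space and feed the parser the raw IP packets from your capture.
"""
import ipaddress
import struct
from collections import defaultdict

LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/24")]            # assumed local space
ASSIGNED_HOSTS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}  # assumed hosts in use
SCAN_THRESHOLD = 4   # distinct foreign targets quoted for one host before calling it a scan


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def build_unreachable(reporter, target, inner_src, inner_dst, inner_proto, sport, dport, code=3):
    """Constructed ICMP type 3 packet from `reporter` to `target`, quoting inner IP + 8 L4 bytes."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4   # ports are the first 4 bytes of TCP and UDP
    quoted = ipv4_header(inner_src, inner_dst, inner_proto, len(l4)) + l4
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return ipv4_header(reporter, target, 1, len(icmp)) + icmp


def parse_unreachable(pkt):
    """Return the fields that matter for triage, or None if pkt is not an ICMP type 3."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        return None
    inner = icmp[8:]                     # the quoted datagram starts after the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    rec = {
        "reporter": str(ipaddress.ip_address(pkt[12:16])),   # who sent the ICMP
        "target": str(ipaddress.ip_address(pkt[16:20])),     # our host it was delivered to
        "code": icmp[1],
        "inner_src": str(ipaddress.ip_address(inner[12:16])),
        "inner_dst": str(ipaddress.ip_address(inner[16:20])),
        "inner_proto": inner[9],
        "sport": None, "dport": None,
    }
    l4 = inner[inner_ihl:inner_ihl + 4]
    if rec["inner_proto"] in (6, 17) and len(l4) == 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4)
    return rec


def classify(rec):
    """Label one unreachable from the quoted packet, following the reasoning in the thread."""
    src = ipaddress.ip_address(rec["inner_src"])
    if not any(src in net for net in LOCAL_PREFIXES) or rec["inner_src"] != rec["target"]:
        return "inconsistent"        # quoted sender is not the host the ICMP was delivered to
    if rec["inner_src"] not in ASSIGNED_HOSTS:
        return "backscatter"         # nobody lives at that address: someone forged it
    if rec["inner_proto"] == 6 and rec["dport"] == 25:
        return "smtp-client"         # internal host sending mail abroad: spam-zombie suspect
    if rec["inner_proto"] == 17 and rec["dport"] is not None and rec["dport"] >= 1024:
        return "udp-high-port"       # typical of P2P/DHT traffic toward offline peers
    return "other"


def triage(packets):
    """Summarise a batch: per quoted local sender, labels, distinct targets and a scan flag."""
    per_host = defaultdict(lambda: {"labels": set(), "targets": set(), "from_router": 0})
    for pkt in packets:
        rec = parse_unreachable(pkt)
        if rec is None:
            continue
        host = per_host[rec["inner_src"]]
        host["labels"].add(classify(rec))
        host["targets"].add(rec["inner_dst"])
        if rec["reporter"] != rec["inner_dst"]:
            host["from_router"] += 1     # an intermediate router answered, not the target host
    return {h: {"labels": sorted(v["labels"]), "distinct_targets": len(v["targets"]),
                "from_router": v["from_router"],
                "scanning": len(v["targets"]) >= SCAN_THRESHOLD}
            for h, v in per_host.items()}


# Constructed sample covering the situations the thread discusses.
SAMPLE = [
    build_unreachable("192.0.2.7", "198.51.100.10", "198.51.100.10", "192.0.2.7", 6, 4512, 25),
    build_unreachable("192.0.2.200", "198.51.100.77", "198.51.100.77", "192.0.2.200", 17, 53, 53),
    build_unreachable("192.0.2.50", "203.0.113.5", "203.0.113.5", "192.0.2.60", 17, 6881, 6881, code=1),
] + [build_unreachable(f"192.0.2.{n}", "198.51.100.11", "198.51.100.11", f"192.0.2.{n}", 6, 40000 + n, 445)
     for n in range(101, 106)]

if __name__ == "__main__":
    for host, summary in triage(SAMPLE).items():
        print(host, summary)
```

On a real capture, strip the Ethernet framing and pass each IPv4 packet to `triage`; a host that shows up only as "backscatter" needs no cleanup on your side (the address is being forged elsewhere), while an assigned host flagged "smtp-client" or "scanning" is the one to pull off the network and inspect.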

Aaron Greene Wed, 04/01/2009 - 11:23

I have seen the P2P traffic and can identify that quite easily. This is a little more insidious. It will only be a couple of packets from China to one host, a couple of packets from France to another host on a different subnet. I attached a packet capture. Keep in mind I have 2 class B's that are both publicly routable. I am not sure if that is part of my problem.
