03-24-2009 06:27 AM - edited 03-10-2019 04:33 AM
My 6500 with my IDSM2 is connected to my Internet router so all traffic to and from the Internet passes through to the hosts at the access layer (obviously). I constantly see ICMP Unreachable traffic crossing the IDSM2 from various foreign countries to various internal subnets. I have captured this traffic in a packet capture but it doesn't tell me anything useful. Sometimes it is just one or two packets, sometimes it's a lot more. Can anyone explain why I am seeing this traffic and what I should do about it?
03-30-2009 12:47 PM
By default, each interface denies Internet Control Message Protocol (ICMP). Use the icmp command to allow this traffic to the interface. This behavior differs from that of the PIX.
Note: When ICMP to the interface is denied by the icmp command, you still see the correct MAC address in the Address Resolution Protocol (ARP) table. If you do not see the MAC address: configuring the interfaces within the FWSM configuration (with the nameif command) or on the Multilayer Switch Feature Card (MSFC) (with the interface vlan command) before they are configured on the switch (on the Supervisor Module in CatOS) may make the interfaces appear as if they are not responding at all, with no ARP entry or Internet Control Message Protocol (ICMP) response.
If you configured an interface on the FWSM or MSFC that belongs to the firewall VLANs before you configured the switch, remove the FWSM or MSFC entry, reload the module, then re-add the entry.
03-30-2009 09:00 PM
It could be that someone is spoofing traffic from your source addresses as part of some kind of denial-of-service attack. Are the source addresses valid? If the source addresses are in your address space but unassigned, I'd guess spoofing. But, if they are regular PCs I'd guess a scanning zombie or spam-zombie infestation on the machines to which the ICMP unreachable is headed.
04-01-2009 11:24 AM
Also, I have had a PC checked, but there was no malware on it.
03-30-2009 09:03 PM
Oh, another possibility is that the PCs in question are running uTorrent or some other p2p client and are trying to reach offline "seeders" who are normally providing material. I'd take a look at the addresses to which the ICMP is destined if you can.
04-01-2009 11:23 AM
I have seen the P2P traffic and can identify that quite easily. This is a little more insidious. It will only be a couple packets from China to one host, a couple of packets from France to another host on a different subnet. I attached a packet capture. Keep in mind I have 2 class B's that are both publicly routable. I am not sure if that is part of my problem.
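An added example, not from this thread or from Cisco: the part of such a capture worth reading is the original datagram quoted inside each ICMP unreachable (RFC 792 carries the original IP header plus 8 bytes of its payload), because it records which internal address the remote router believes sent the traffic. This Python decodes that inner header from raw IPv4 bytes and applies the reasoning from the replies above (unassigned address in your space means spoofed backscatter, an assigned PC means that host really sent something). The addresses are constructed TEST-NET values, and `classify` with its `assigned_hosts` set is an assumed helper, not a Cisco tool.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample, not the thread's capture: an ICMP port-unreachable arriving from a
# "foreign" router (203.0.113.5) at an internal host (192.0.2.10); the quoted original
# datagram is a UDP packet that the internal address supposedly sent to 203.0.113.77.
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port", 13: "admin-prohibited"}

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header; checksum left at zero (constructed sample, not validated).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_icmp_unreachable(pkt):
    """Decode an ICMP type-3 packet down to the quoted original datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    inner = icmp[8:]                      # original IP header starts after the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])  # first 8 payload bytes hold the ports
    return {
        "reply_from": str(IPv4Address(pkt[12:16])),
        "reply_to": str(IPv4Address(pkt[16:20])),
        "code": UNREACH_CODES.get(icmp[1], str(icmp[1])),
        "orig_src": str(IPv4Address(inner[12:16])),
        "orig_dst": str(IPv4Address(inner[16:20])),
        "orig_proto": inner[9], "orig_sport": sport, "orig_dport": dport,
    }

def classify(info, assigned_hosts):
    """Apply the thread's reasoning to the decoded message (assumed helper)."""
    if info["orig_src"] != info["reply_to"]:
        return "mismatch"               # quoted packet was not "from" the host that received the reply
    if info["orig_src"] in assigned_hosts:
        return "originated-by-host"     # a real PC sent it: look for P2P clients or scanning malware
    return "backscatter-spoofed"        # unassigned address in your space: someone spoofed it

ORIG = ipv4_header("192.0.2.10", "203.0.113.77", 17, 28) + struct.pack("!HHHH", 6881, 6881, 8, 0)
SAMPLE = ipv4_header("203.0.113.5", "192.0.2.10", 1, 28 + len(ORIG)) + struct.pack("!BBHI", 3, 3, 0, 0) + ORIG

if __name__ == "__main__":
    info = parse_icmp_unreachable(SAMPLE)
    print(info, classify(info, {"192.0.2.10"}), classify(info, {"192.0.2.20"}))
```

Run the same decode over every type-3 frame in the real capture and group by `orig_src`; the split between assigned and unassigned quoted sources answers the spoofing-versus-infected-host question.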