New Member

Excessive inbound icmp traffic

We have been getting the following in our syslog for a month or so, and I just ignored it because it always said deny inbound. The messages are increasing, it seems, from 3000 to 7000 an hour. I ran an ICMP trace on the PIX 506E; the results are below the copied syslog messages. The outside address changes constantly, but it is consistently from one of two networks, USLEC (our provider) or Qwest. We are using PAT. The ICMP echo request destinations are always the same internal private IP addresses listed, with a few daily exceptions. The software version on the PIX is 6.3(1), PDM 3.0(1). Any ideas on what could cause this or what I can do to make it stop?

What we receive in the syslog

Oct 01 2003 09:06:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:66.255.190.7 ("<-this address changes")dst outside:<Our public IP #1>(type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #4>((type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #5>( (type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #6>( (type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #7>( (type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #8>( (type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside:::<Our public IP #9>( (type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #10>( (type 8, code 0)

Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside::<Our public IP #11>( (type 8, code 0)

Display by the icmp trace on the PIX 506E

684: Inbound ICMP echo request (len 64 id 6 seq 3944) 66.255.190.7 > Our public IP #1> 192.168.1.77

685: Inbound ICMP echo request (len 64 id 6 seq 4200) 66.255.190.7 > Our public IP #2> 192.168.1.2

686: Inbound ICMP echo request (len 64 id 6 seq 4456) 66.255.190.7 > Our public IP #3 > 192.168.1.101

687: Inbound ICMP echo request (len 64 id 6 seq 4968) 66.255.190.7 > Our public IP #4 > 192.168.1.3

688: Inbound ICMP echo request (len 64 id 6 seq 4712) 66.255.190.7 > Our public IP #5 > 192.168.1.70

689: Inbound ICMP echo request (len 64 id 6 seq 5224) 66.255.190.7 > Our public IP #6 > 192.168.1.81

690: Inbound ICMP echo request (len 64 id 6 seq 5480) 66.255.190.7 > Our public IP #7 > 192.168.1.4

691: ICMP type 176 (code 2) 66.255.190.7> <My Pix ip>

713: ICMP echo reply (len 64 id 1 seq 11340) <My Pix IP> 66.255.190.7

2 REPLIES
Silver

Re: Excessive inbound icmp traffic

Hi,

This kind of ICMP traffic stream is often seen when PCs are infected with the Nachi worm, so this would be my first guess: that this sender is infected and is searching for available machines to infect (lucky you that your PIX drops this traffic). The Nachi worm is often installed when installing a patch for the Blaster worm, so many PCs are infected with the Nachi worm.

The problem is that the sender resides on the outside.

What I would do is use a reverse name lookup to see if you can discover the domain name, and then send an informational message to postmaster@thisdomain to tell them they are infected.

Hope this helps,

Leo

Silver

Re: Excessive inbound icmp traffic

Oops, made an error in my previous reply, so let me rectify. I first thought that it was Nachi, but on second thought I remembered it was Welchia.

The Welchia worm sends a lot of ICMP messages to several IPs. If you do a detailed packet debug, you could tell if it is indeed Welchia by looking at the payload within the ICMP message. If it contains all A's, then it's Welchia.

You can find a patch for this worm at bitdefender.

Kind Regards,

Leo
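To put both halves of this thread into something repeatable, here is an added example (not from the original poster or from Cisco) that parses the %PIX-3-106011/106014 deny lines in the format quoted in the question, flags any outside source whose denied echo requests exceed an hourly threshold, and applies Leo's payload test as a check for a single repeated fill byte (so it reports hex 0xAA as well as ASCII 'A'). The sample syslog lines are constructed to mirror the post, with the poster's placeholder public addresses replaced by RFC 5737 documentation addresses; the threshold of 3 is chosen only to make the small sample trip the alert.

```python
import re
from collections import Counter
from datetime import datetime

# Matches both message IDs seen in the post: 106011 ("No xlate") and 106014.
PIX_ICMP_DENY = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-3-1060(?:11|14): Deny inbound "
    r"(?:\(No xlate\) )?icmp src outside:(?P<src>\d+\.\d+\.\d+\.\d+) .*?"
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# Constructed sample lines in the post's format; 203.0.113.x stands in for the
# poster's "<Our public IP #n>" placeholders and 198.51.100.9 is a made-up second source.
SAMPLE_SYSLOG = [
    "Oct 01 2003 09:06:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:66.255.190.7 dst outside:203.0.113.1 (type 8, code 0)",
    "Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside:203.0.113.4 (type 8, code 0)",
    "Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside:203.0.113.5 (type 8, code 0)",
    "Oct 01 2003 09:06:31: %PIX-3-106014: Deny inbound icmp src outside:66.255.190.7 dst inside:203.0.113.6 (type 8, code 0)",
    "Oct 01 2003 09:07:02: %PIX-3-106014: Deny inbound icmp src outside:198.51.100.9 dst inside:203.0.113.4 (type 3, code 3)",
]


def parse_pix_icmp_deny(line):
    """Return (timestamp, source IP, ICMP type) for a 106011/106014 ICMP deny line, else None."""
    m = PIX_ICMP_DENY.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("src"), int(m.group("type"))


def noisy_echo_sources(lines, threshold=3000):
    """Count denied echo requests (type 8) per (source, hour) and return buckets at or over threshold.

    The poster reports 3000 to 7000 denies an hour, so 3000 is the default alert level.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_pix_icmp_deny(line)
        if parsed is None:
            continue
        ts, src, icmp_type = parsed
        if icmp_type == 8:  # echo request; sweeps show up as one source hitting many destinations
            counts[(src, ts.strftime("%Y-%m-%d %H"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def uniform_payload_byte(payload):
    """Leo's check: if the ICMP payload is one byte repeated for its whole length, return that byte."""
    if payload and payload.count(payload[0:1]) == len(payload):
        return payload[0]
    return None


if __name__ == "__main__":
    for (src, hour), n in sorted(noisy_echo_sources(SAMPLE_SYSLOG, threshold=3).items()):
        print(f"{src} sent {n} denied echo requests in hour {hour}")
```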
