Re: Strange ICMP packets
From: Duane Arnold (notme_at_notme.com)
Date: 09/16/05
- Next message: Duane Arnold: "Re: Strange ICMP packets"
- Previous message: Volker Birk: "Re: How to tell if a firewall alert is suspicious or not"
- In reply to: JC: "Re: Strange ICMP packets"
- Next in thread: Moe Trin: "Re: Strange ICMP packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Sep 2005 07:56:44 GMT
JC <jhoppyc@westnet.com.invalid> wrote in
news:n8rki1175jvegfh5ovuaao15b8psbdtjpi@4ax.com:
> On Fri, 16 Sep 2005 04:53:47 GMT, "Duane Arnold" <Notme@Notme.com>
> wrote:
>
>>> About 70% of these return packets arrive while my PC is turned off
>>> with only the firewall and modem active. Does this mean that
>>> someone is spoofing my IP address and causing the problem?
>>
>>If the machine is turned off, there is no traffic so how can something
>>be spoofing traffic? In addition to that, the Sonicwall should be
>>doing Stateful Packet Inspection (SPI) that should be preventing IP
>>spoofing and several other types of attacks.
>
> I didn't explain properly. I was wondering if a PC somewhere was
> using my IP address to send out packets containing spam or whatever.
> If the receiving site saw my IP address in the packets as the source
> it would send the response packet to my IP address not to the correct
> IP address of the actual PC that sent the original packets as it
> wouldn't know that IP address.
Look up SPI and find out how it works. Yes, it could happen on a simple
NAT router that was not doing packet inspection, but it will not happen
on that Sonicwall.
>
>>> I am not sure how to go about sniffing the incoming ICMP packet as it is
>>> dropped by the firewall before it gets to my PC. I am assuming
>>> that the sniffer would need to be on the WAN side of the firewall.
>>
>>Traffic or packet sniffing is about traffic leaving a computer; the
>>sniffer, such as Ethereal (free), would be installed on the computer in
>>question to review all outbound traffic leaving the computer.
>
> Ok, that explains it. That should show if my PC is sending anything.
> I would check for the same addresses cropping up in both logs.
>
>>> Would turning ON the Windows Firewall logging help here as it would
>>> give me some clues to any packets going out to the addresses sending
>>> back the ICMP Type 3 code 1 packets.
>>
>>Doesn't the Sonicwall TZ170 have logging? That's what you should be
>>using: the router's syslogs, to get an accurate picture of traffic
>>to/from the router or to/from the WAN and LAN.
>
> The logs only show what has been dropped but show nothing about what
> traffic has gone in or out.
>
>>You can use Wallwatcher and view in real time all inbound traffic from
>>remote IP(s) and all outbound traffic from LAN IP(s) /machines -- all
>>traffic to or from the router *Blocked and not Blocked* traffic --
>>ICMP or non ICMP traffic blocked or not blocked, along with setting
>>various alert conditions that Wallwatcher will alert you on, like a
>>remote IP is being blocked and it's alerting you that it has happened
>>like 60 times in a 15 second time frame as an example.
>>
>>http://www.sonic.net/wallwatcher/#Routers
>
> Thanks for the info. I'll have to check this out.
>
> What I have been doing is having the firewall send me the log each day
> which I paste into Excel and then sort on source IP address order to
> see what is happening. But this only shows me what has been blocked
> by the firewall and shows nothing about traffic passing through the
> firewall untouched.
Well, WW kind of works the same way. It shows all outbound connections,
blocked or not blocked, and all blocked unsolicited inbound connections. As for
solicited inbound, that would be due to solicited outbound from a machine,
and it doesn't show it. It may show the inbound if the router was doing
port forwarding -- I have yet to do port forwarding with WW active.
But you'll get more bang with WW than what you can get by using Excel.
Duane :)
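The check JC describes (sorting the firewall's drop log by source IP and looking for the same addresses in the outbound log) can be automated. The script below is an added example, not code from either poster or from SonicWall or Wallwatcher. It uses a simplified, constructed log line format (not the TZ170's real syslog format) and constructed sample entries; it tags each dropped ICMP type 3 code 1 packet as "solicited" when the LAN host sent something to that address shortly beforehand, and "unsolicited" otherwise, which is the signature of backscatter from someone else spoofing your address.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The line format is a simplified, hypothetical one
# chosen for this example; it is not the SonicWall TZ170's real syslog format.
DROP_LOG = """\
2005-09-15 22:14:03 DROP ICMP src=203.0.113.7 dst=198.51.100.20 type=3 code=1
2005-09-15 22:14:05 DROP ICMP src=203.0.113.7 dst=198.51.100.20 type=3 code=1
2005-09-15 23:30:11 DROP ICMP src=192.0.2.44 dst=198.51.100.20 type=3 code=1
2005-09-15 23:30:12 DROP ICMP src=192.0.2.44 dst=198.51.100.20 type=3 code=1
2005-09-15 23:31:00 DROP TCP src=192.0.2.99 dst=198.51.100.20 sport=4444 dport=135
"""

# Constructed sample outbound log as a sniffer on the LAN host might record it
# (same hypothetical format).
OUTBOUND_LOG = """\
2005-09-15 22:13:58 OUT UDP src=198.51.100.20 dst=203.0.113.7 sport=1030 dport=53
2005-09-15 22:14:00 OUT TCP src=198.51.100.20 dst=203.0.113.7 sport=1031 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<fields>.*)$"
)


def parse_log(text):
    """Yield (timestamp, action, proto, fields) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        yield ts, m.group("action"), m.group("proto"), fields


def classify_icmp_unreachable(drop_log, outbound_log, window=timedelta(minutes=5)):
    """Split dropped ICMP type 3 code 1 (host unreachable) packets into
    'solicited' (the LAN host sent traffic to that remote IP within `window`
    before the ICMP arrived) and 'unsolicited' (no matching outbound traffic,
    i.e. a candidate for backscatter caused by a spoofed source address).
    Returns {'solicited': Counter, 'unsolicited': Counter} keyed by remote IP."""
    outbound_by_dst = defaultdict(list)
    for ts, _, _, f in parse_log(outbound_log):
        outbound_by_dst[f["dst"]].append(ts)

    result = {"solicited": Counter(), "unsolicited": Counter()}
    for ts, _, proto, f in parse_log(drop_log):
        if proto != "ICMP" or f.get("type") != "3" or f.get("code") != "1":
            continue  # only the packets the thread is about
        src = f["src"]
        recent = outbound_by_dst.get(src, [])
        solicited = any(ts - window <= out_ts <= ts for out_ts in recent)
        result["solicited" if solicited else "unsolicited"][src] += 1
    return result


if __name__ == "__main__":
    summary = classify_icmp_unreachable(DROP_LOG, OUTBOUND_LOG)
    for kind in ("solicited", "unsolicited"):
        for ip, n in summary[kind].most_common():
            print(f"{kind:11} {ip:15} {n}")
```

Feed it the daily drop log from the firewall and a packet capture summary from the PC; an address that shows up only in the "unsolicited" bucket while the PC was off is exactly the case where nothing on your LAN could have triggered the reply.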