Entry in Router Log

Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: 15-06-2007

Entry in Router Log

Looking at my router log - I have the firewall turned off because of other problems - I don't understand this
Quote
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: <my IP address> Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
This happens multiple times within a 5 minute window and all the computers are either switched off or in sleep mode
The IP address "208.167.229.83" is located @ United States New Jersey Sayreville and is Constant Hosting
Is this just another attempted scan
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: 21-01-2013

Re: Entry in Router Log

Firstly when you say the firewall is turned off, if that's done through the GUI then it's not really.
All that happens is the firewall is configured to pass everything, whereas in the standard state it's configured to pass everything from lan.
So the firewall is still working and able to add syslog entries.
As for "Destination Host is Administratively Prohibited". All I can think is the destination was a private IP address eg in the range 192.168.0.0/16.
If it was my router I would be inclined to ignore it and assume the router had got its knickers in a twist again. But I'm only guessing.

Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: 15-06-2007

Re: Entry in Router Log

The destination IP was my Plusnet fixed IP address 81.174.168.xxx
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Entry in Router Log

I don't think anyone actually knows what that log entry means apart from the programmers who wrote the IDS software running in the router.

  • icmp - obviously that indicates the icmp protocol

  • check - something was checked - not as helpful as it could be - did it pass or fail the check?

  • 1 of 1 - ? presumably these numbers are related to the number of entries in some connection state tracking table. Or people have claimed it's the number of rules? Or the number of checks performed? The number of packets that were checked?

  • ICMP - the ICMP protocol again, but in capital letters this time.

  • source ip address

  • destination ip address

  • the type of icmp packet - destination unreachable

  • the reason code given in the icmp packet


The log entry basically consists of some details about an ICMP packet and something unclear about it being checked in some way. It doesn't really indicate why it passed or failed the check.
Further reading: http://www.sans.org/reading_room/whitepapers/threats/icmp-attacks-illustrated_477
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: 21-01-2013

Re: Entry in Router Log

Communication with Destination Host is Administratively Prohibited

The source device is allowed to send to the network where the destination device is located, but not that particular device.
http://www.tcpipguide.com/free/t_ICMPv4DestinationUnreachableMessages-3.htm
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: 15-06-2007

Re: Entry in Router Log

Understood - so attempts to piggyback onto my connection to get through to Plusnet servers failed.
I will just ignore it in future
Razer
Grafter
Posts: 1,398
Thanks: 8
Registered: 17-11-2012

Re: Entry in Router Log

This is what I'm having difficulty understanding. The direction.
I've previously been told on this forum that such messages as Destination Unreachable are a result of connection attempts my router makes. The website npr links to seems to confirm that, where the page says:
Quote
The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...

Meaning the device is your router. So that means, Jim, that it's your router that has tried to connect to that IP address. If there's something you know to make you think it is that IP address trying to connect to you, can you explain that to me? I ask because I am actually confused by the messages when they say source and destination that imply it is the other party trying to connect to me, not the other way around - contrary to what the linked page says.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Entry in Router Log

Anyone could send anyone an ICMP packet with whatever contents they like. Your router will only be expecting to receive ICMP destination unreachable packets that correspond to previous outgoing packets, and only for a limited time after the outgoing connection attempt.
I believe the IDS does have some stats, which should include the number of ICMP reply-type packets that didn't match up with an outgoing request.
It's not exactly the most explicitly clear log message, it doesn't say why this packet presumably failed the "check", nor whatever the checking involves.
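The stateful matching ejs describes, as an added example that is not from the thread or the router's firmware: a checker that accepts a Destination Unreachable only when it quotes a flow we sent on recently, and counts everything else as an ICMP error without cause. The class and function names, the 30-second window and the 192.0.2.x address are assumptions.

```python
# Added example (not the router's IDS code): a model of the stateful ICMP
# check ejs describes. A Destination Unreachable is only "expected" when it
# quotes an outbound packet we forwarded recently; anything else is counted
# as an unsolicited ICMP error. Names, the window and the addresses are assumed.
from dataclasses import dataclass

# ICMP type 3 (Destination Unreachable) codes, RFC 792 / RFC 1122
DEST_UNREACH_CODES = {
    3: "Port Unreachable",
    10: "Communication with Destination Host is Administratively Prohibited",
}
ICMP_ERROR_WINDOW = 30.0  # seconds an error reply stays expected (assumed value)


@dataclass(frozen=True)
class Flow:
    """5-tuple of the original datagram, as quoted inside the ICMP error."""
    proto: str   # "udp" or "tcp"
    src: str     # our public address
    sport: int
    dst: str
    dport: int


class IcmpErrorChecker:
    def __init__(self, window=ICMP_ERROR_WINDOW):
        self.window = window
        self.outbound = {}   # Flow -> time of the last packet we sent on it
        self.unmatched = 0   # compare 'ICMP errors without cause' in the stats

    def note_outbound(self, flow, now):
        self.outbound[flow] = now

    def check(self, icmp_type, icmp_code, quoted, now):
        """Decide whether an incoming ICMP error belongs to one of our flows.
        quoted is the Flow rebuilt from the IP/transport header the error
        carries. Returns (accepted, reason)."""
        if icmp_type != 3:
            return False, "not a Destination Unreachable"
        last = self.outbound.get(quoted)
        if last is None or not 0 <= now - last <= self.window:
            self.unmatched += 1
            return False, "no recent outbound packet matches: unsolicited"
        code_name = DEST_UNREACH_CODES.get(icmp_code, f"code {icmp_code}")
        return True, f"reply to our {quoted.proto} to {quoted.dst}:{quoted.dport}: {code_name}"
```

A real firewall would rebuild the quoted Flow from the inner IP header the ICMP error carries; here the test passes it in directly.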
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: 15-06-2007

Re: Entry in Router Log

This is the section of the log where the reports happen - the source IP address changes but always comes from Constant.com
Quote
Jul 6 00:52:05 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
Jul 6 00:50:53 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

Jul 6 00:49:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

Jul 6 00:48:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

Jul 6 00:44:32 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

Jul 6 00:42:38 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

and a later one from Germany which is a bit different
Jul 6 07:41:43 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.9.24.81 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
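A small triage script for the lines above, added here as an example and not part of the thread: it parses the FIREWALL icmp check entries, tallies them per source IP and ICMP code, and flags any source that repeats within a 5-minute window, which is the pattern Oldjim noticed. The function names are this example's own; the sample log is the seven lines quoted in the post, with the masked destination kept as posted.

```python
# Added example (not from the thread): parse the FIREWALL icmp check lines
# Oldjim posted, tally per source and code, flag sources bursting in 5 minutes.
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) FIREWALL icmp check "
    r"\((?P<n>\d+) of (?P<m>\d+)\): Protocol: ICMP Src ip: (?P<src>[\d.]+) "
    r"Dst ip: (?P<dst>[\d.*]+) Type: (?P<type>.+?) Code: (?P<code>.+)$"
)

# Lines quoted from the post (the router's spelling 'Unreacheable' kept verbatim)
SAMPLE_LOG = """\
Jul 6 00:52:05 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
Jul 6 00:50:53 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:49:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:48:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:44:32 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:42:38 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 07:41:43 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.9.24.81 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
"""

def parse_log(text):
    entries = []
    # LOG_RE.match returns None for unrelated syslog lines, which filter drops
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        # syslog stamps carry no year; datetime defaults to 1900, fine for deltas
        e["time"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %H:%M:%S")
        entries.append(e)
    return entries

def tally(entries):
    """Count entries per (source IP, ICMP code text)."""
    return Counter((e["src"], e["code"]) for e in entries)

def burst_sources(entries, window=300, threshold=3):
    """Peak entries per source in any `window` seconds; keep those >= threshold."""
    times = {}
    for e in entries:
        times.setdefault(e["src"], []).append(e["time"])
    peaks = {}
    for src, ts in times.items():
        ts.sort()
        best = max(sum(1 for t in ts if 0 <= (t - start).total_seconds() <= window)
                   for start in ts)
        if best >= threshold:
            peaks[src] = best
    return peaks
```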
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: Entry in Router Log

Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: 15-06-2007

Re: Entry in Router Log

No they shouldn't as this one is quite specific and will fade out soon
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: Entry in Router Log

Sorry, I don't agree with you, they are all similar events, ie, they are unsolicited incoming packets.
Quote from: ejs
It's not exactly the most explicitly clear log message, it doesn't say why this packet presumably failed the "check", nor whatever the checking involves.

That I agree with, but all they mean in essence is that an incoming packet was not allowed through by your Router Firewall because -
it failed a check/failed to comply with a rule/didn't match up with an outgoing request/there was no Port forwarding rule for that packet/etc/etc. i.e. it was unsolicited. The post I linked in reply #9 listed some of the possible reasons.
And btw what do you mean "fade out soon"?
Razer
Grafter
Posts: 1,398
Thanks: 8
Registered: 17-11-2012

Re: Entry in Router Log

What is being said is still contrary to what the page npr linked to says.
Quote
The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...

It sent. This is nothing to do with unsolicited packets according to that definition. It is a 'reply' as it were - a response.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Entry in Router Log

The type of packet is a reply. The proper use for this packet is for replying. But anyone could maliciously craft the packet and send it to you. Or someone sends a packet with a spoofed IP address to the other system so that the other system will send the reply to you. Or, especially if you recently changed IP addresses, it could be related to the previous user of your current IP address (unless you've got a static IP of course).
I see very few of these ICMP Destination Unreachable packets.
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: Entry in Router Log

Quote from: Razer
This is what I'm having difficulty understanding. The direction.

Taking one of Jim's examples, the direction is clear
Quote
Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.***

A packet has been sent from 208.187.229.83 to Jim's address 81.174.***.***
The Router did not pass on the packet, hence the entry in the log.
Quote from: Razer
I've previously been told on this forum that such messages as Destination Unreachable are a result of connection attempts my router makes.

Without seeing the context, either a misunderstanding or wrong. It's easy to give quick replies to someone, which in the author's eyes are clear, but can be interpreted by a reader as something else. I'm sure I'm as guilty of that as anyone.
Quote from: Razer
The website npr links to seems to confirm that, where the page says:
Quote
The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...

Correct, but
Quote from: Razer
Meaning the device is your router.

Misunderstanding. The log entry details the reason and a reply that would be sent to the sending Device - ie the source computer, or to be more precise the program on the sending device, a program could be eg. a ping command.
Quote from: Razer
So that means, Jim, that it's your router that has tried to connect to that IP address. If there's something you know to make you think it is that IP address trying to connect to you, can you explain that to me? I ask because I am actually confused by the messages when they say source and destination that imply it is the other party trying to connect to me, not the other way around - contrary to what the linked to page says.

I hope as a result of my explanation above you can see the misunderstanding.
Quote from: Razer
What is being said is still contrary to what the page npr linked to says.
Quote
The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...

It sent. This is nothing to do with unsolicited packets according to that definition. It is a 'reply' as it were - a response.

Again, because of this misunderstanding, I hope you can see that it is "unsolicited" (in the widest meaning of the word). The log entry details the reason and a reply sent to the sending Device.
Quote from: ejs
I see very few of these ICMP Destination Unreachable packets.

Depends what you mean by "very few". Up to yesterday, in the previous 5 days 4 hrs I'd seen 19 similar entries

{Anotherone}=>firewall debug stats
Statistics
==========
Used rule contexts              : 0
Total rule contexts            : 256
......
.....
ICMP errors without cause      : 19
....
{Anotherone}=>

I call that few.
However, last night I had 1+31 and this morning 14 such entries from one IP address (purportedly in New York) that had previously had a single entry 4 days ago - that is getting bothersome.
Quote from: Oldjim
........ and will fade out soon

If you mean disappear from the GUI event log, then if you use the CLI command <syslog msgbuf show hist=enabled> without the <> you will get all the entries in the syslog buffer/cache rather than just the few in the GUI cache