Entry in Router Log
Entry in Router Log
06-07-2013 10:46 AM
This happens multiple times within a 5 minute window and all the computers are either switched off or in sleep mode.
Quote FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: <my IP address> Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
The IP address "208.167.229.83" is located @ United States New Jersey Sayreville and is Constant Hosting
Is this just another attempted scan?
Re: Entry in Router Log
06-07-2013 11:33 AM
All that happens is the firewall is configured to pass everything, whereas in the standard state it's configured to pass everything from lan.
So the firewall is still working and able to add syslog entries.
As for "Destination Host is Administratively Prohibited". All I can think is the destination was a private IP address, e.g. in the range 192.168.0.0/16.
If it was my router I would be inclined to ignore it and assume the router had got its knickers in a twist again. But I'm only guessing.
Re: Entry in Router Log
06-07-2013 11:52 AM
Re: Entry in Router Log
06-07-2013 12:00 PM
- icmp - obviously that indicates the icmp protocol
- check - something was checked - not as helpful as it could be - did it pass or fail the check?
- 1 of 1 - ? presumably these numbers are related to the number of entries in some connection state tracking table. Or people have claimed it's the number of rules? Or the number of checks performed? The number of packets that were checked?
- ICMP - the ICMP protocol again, but in capital letters this time.
- source ip address
- destination ip address
- the type of icmp packet - destination unreachable
- the reason code given in the icmp packet
The log entry basically consists of some details about an ICMP packet and something unclear about it being checked in some way. It doesn't really indicate why it passed or failed the check.
Further reading: http://www.sans.org/reading_room/whitepapers/threats/icmp-attacks-illustrated_477
Re: Entry in Router Log
06-07-2013 12:04 PM
The source device is allowed to send to the network where the destination device is located, but not that particular device.
http://www.tcpipguide.com/free/t_ICMPv4DestinationUnreachableMessages-3.htm
Re: Entry in Router Log
06-07-2013 12:09 PM
I will just ignore it in future
Re: Entry in Router Log
06-07-2013 12:36 PM
I've previously been told on this forum that such messages as Destination Unreachable are a result of connection attempts my router makes. The website npr links to seems to confirm that, where the page says:
Quote The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...
Meaning the device is your router. So that means, Jim, that it's your router that has tried to connect to that IP address. If there's something you know to make you think it is that IP address trying to connect to you, can you explain that to me? I ask because I am actually confused by the messages when they say source and destination that imply it is the other party trying to connect to me, not the other way around - contrary to what the linked to page says.
Re: Entry in Router Log
06-07-2013 12:49 PM
I believe the IDS does have some stats, which should include the number of ICMP reply-type packets that didn't match up with an outgoing request.
It's not exactly the most explicitly clear log message, it doesn't say why this packet presumably failed the "check", nor whatever the checking involves.
Re: Entry in Router Log
06-07-2013 1:10 PM
Quote Jul 6 00:52:05 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
Jul 6 00:50:53 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:49:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:48:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:44:32 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:42:38 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
and a later one from Germany which is a bit different
Jul 6 07:41:43 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.9.24.81 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
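As an added example (not part of the original post, and not the router vendor's code), the log lines quoted above can be tallied per source address and ICMP code to see how often each sender appears and over what time span. The regular expression is inferred from those lines only, and the `year` default is an assumption taken from the 2013 post dates, since the log itself omits the year.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the post above (destination already masked by the poster).
SAMPLE_LOG = """\
Jul 6 00:52:05 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
Jul 6 00:50:53 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:49:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:48:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:44:32 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 00:42:38 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 68.232.188.3 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
Jul 6 07:41:43 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.9.24.81 Dst ip: 81.174.***.*** Type: Destination Unreachable Code: Port Unreacheable
"""

# Field layout inferred from the lines above; "Code:" text is kept verbatim,
# including the router's own spelling.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) FIREWALL icmp check "
    r"\((?P<n>\d+) of (?P<m>\d+)\): Protocol: (?P<proto>\S+)\s+"
    r"Src ip: (?P<src>\S+)\s+Dst ip: (?P<dst>\S+)\s+"
    r"Type: (?P<type>.+?) Code: (?P<code>.+)$"
)

def parse(text, year=2013):
    """Yield one dict per recognised firewall line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            # Syslog timestamps carry no year, so one is supplied (assumption).
            entry["ts"] = datetime.strptime(f"{year} {entry['ts']}", "%Y %b %d %H:%M:%S")
            yield entry

def summarise(text, year=2013):
    """Per source IP: entry count, ICMP codes seen, first and last timestamp."""
    out = {}
    for e in parse(text, year):
        s = out.setdefault(e["src"], {"count": 0, "codes": Counter(),
                                      "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["codes"][e["code"]] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return out

def noisy_sources(text, threshold, year=2013):
    """Source IPs with at least `threshold` logged ICMP errors."""
    return sorted(ip for ip, s in summarise(text, year).items() if s["count"] >= threshold)
```
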
Re: Entry in Router Log
06-07-2013 1:13 PM
Maybe the threads should be merged
Re: Entry in Router Log
06-07-2013 1:19 PM
Re: Entry in Router Log
06-07-2013 1:40 PM
Quote from: ejs It's not exactly the most explicitly clear log message, it doesn't say why this packet presumably failed the "check", nor whatever the checking involves.
That I agree with, but all they do mean in essence is that an incoming packet was not allowed through by your Router Firewall because -
it failed a check/failed to comply with a rule/didn't match up with an outgoing request/there was no Port forwarding rule for that packet/etc/etc. i.e. it was unsolicited. The post I linked in reply #9 listed some of the possible reasons.
And btw what do you mean "fade out soon"?
Re: Entry in Router Log
06-07-2013 5:59 PM
Quote The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...
It sent. This is nothing to do with unsolicited packets according to that definition. It is a 'reply' as it were - a response.
Re: Entry in Router Log
06-07-2013 6:26 PM
I see very few of these ICMP Destination Unreachable packets.
Re: Entry in Router Log
07-07-2013 8:36 AM
Quote from: Razer This is what I'm having difficulty understanding. The direction.
Taking one of Jim's examples, the direction is clear
Quote Protocol: ICMP Src ip: 208.167.229.83 Dst ip: 81.174.***.***
A packet has been sent from 208.187.229.83 to Jim's address 81.174.***.***
The Router did not pass on the packet, hence the entry in the log.
Quote from: Razer I've previously been told on this forum that such messages as Destination Unreachable are a result of connection attempts my router makes.
Without seeing the context, either a misunderstanding or wrong. It's easy to give quick replies to someone, which in the author's eyes is clear, but can be interpreted by a reader as something else. I'm sure I'm as guilty of that as anyone
Quote from: Razer The website npr links to seems to confirm that, where the page says:
Quote The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...
Correct, but
Quote from: Razer Meaning the device is your router.
Misunderstanding. The log entry details the reason and a reply that would be sent to the sending Device - ie the source computer, or to be more precise the program on the sending device, a program could be eg. a ping command.
Quote from: Razer So that means, Jim, that it's your router that has tried to connect to that IP address. If there's something you know to make you think it is that IP address trying to connect to you, can you explain that to me? I ask because I am actually confused by the messages when they say source and destination that imply it is the other party trying to connect to me, not the other way around - contrary to what the linked to page says.
I hope as a result of my explanation above you can see the misunderstanding.
Quote from: Razer What is being said is still contrary to what the linked to by npr page says.
Quote The receipt of a Destination Unreachable message tells the device that the datagram it sent couldn't be delivered, ...
It sent. This is nothing to do with unsolicited packets according to that definition. It is a 'reply' as it were - a response.
Again, because of this misunderstanding, I hope you can see that it is "unsolicited" (in the widest meaning of the word). The log entry details the reason and a reply sent to the sending Device.
Quote from: ejs I see very few of these ICMP Destination Unreachable packets.
Depends what you mean by "very few". Up to yesterday, in the previous 5 days 4 hrs I'd seen 19 similar entries
{Anotherone}=>firewall debug stats
Statistics
==========
Used rule contexts : 0
Total rule contexts : 256
......
.....
ICMP errors without cause : 19
....
{Anotherone}=>
I call that few.
However, last night I had 1+31 and this morning 14 such entries from one IP address (purportedly in New York) that had previously had a single entry 4 days ago - that is getting bothersome
Quote from: Oldjim ........ and will fade out soon
If you mean disappear from the GUI event log, then if you use the CLI command <syslog msgbuf show hist=enabled> without the <> you will get all the entries in the syslog buffer/cache rather than just the few in the GUI cache