
Under attack?

FarmerGiles
Dabbler
Posts: 15
Registered: ‎16-01-2011

Under attack?

Hi all
I've been seeing this in my NAT router log for the last few weeks. I know it's only a ping but it is very persistent. Still happens if I get a new IP address.
Any ideas?
--------------
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 61.128.162.218 Dst ip: myipaddress Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
--------------
61.128.162.218 has been identified as an attack IP according to various googlings.
Can Plusnet block it at their network?
Regards
12 REPLIES
artificer
Grafter
Posts: 1,850
Registered: ‎11-08-2007

Re: Under attack?

Can you not block the port it's coming in on? From China, by the way.
MrT
Grafter
Posts: 379
Registered: ‎30-06-2010

Re: Under attack?

Your Firewall is doing what it was designed to do by blocking these attacks. I get the same attack quite often. All are blocked so I don't think we have anything to worry about.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Under attack?

It's not a ping, ICMP is used for much more than just ping. If it were a "ping", Type would be Echo Request.
The packet in your firewall log is the icmp response you would receive if something on your computer attempts to open a connection to that IP address. It's unclear to me if the firewall blocked that packet or just "checked" it - the "Host is Administratively Prohibited" is part of the info in the packet received.
I suggest you check that there's nothing on your computer (malware etc.) trying to connect to that IP address.
caulbox
Rising Star
Posts: 179
Thanks: 1
Fixes: 1
Registered: ‎19-06-2009

Re: Under attack?

Quote from: FarmerGiles
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 61.128.162.218 Dst ip: myipaddress Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

That's exactly the same message (and source IP) which has recently been plaguing me with monotonous persistence and regularity (maybe once every 3 or 4 hours).
MrT
Grafter
Posts: 379
Registered: ‎30-06-2010

Re: Under attack?

Quote from: ejs
I suggest you check that there's nothing on your computer (malware etc.) trying to connect to that IP address.

This message appears in my router log when my PCs are switched off and nothing else is connected. So it's either incoming which is being blocked by the router or the router itself (TG585) has malware onboard - unlikely!
caulbox
Rising Star
Posts: 179
Thanks: 1
Fixes: 1
Registered: ‎19-06-2009

Re: Under attack?

From the very cursory malware detective work I've just done, I found nothing to suggest culpability in any currently running software. But I did start to wonder whether it was in the realms of possibility that my network adapter drivers might be implicated?

My (somewhat dated) ASUS barebones system uses a Realtek RTL8139/810x Family Fast Ethernet NIC (driver version 5.687.225.2008) which seems to have been serving me well. However, further research now reveals that the 8139 Fast Ethernet card is regarded by some as "probably the worst PCI ethernet controller ever made".

Could the adapter in any way be related to the icmp checks?
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Under attack?

Quote from: caulbox
Could the adapter in any way be related to the icmp checks?

No. It may well be "low end" hardware, but that makes it cheap and very common.
Probably the reason these icmp response packets get logged is because no corresponding outbound connection attempt was made.
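
What ejs describes in both replies, as an added example (not part of the thread and not the router's own code): a Destination Unreachable message quotes the header of the packet that triggered it, so the quoted flow can be compared with connections the host actually opened. The function names, the flow tuple and the sample packet are assumptions constructed for illustration.

```python
import socket
import struct

# ICMP type 3 codes that match the three log messages quoted in this thread.
UNREACH_CODES = {
    3: "Port Unreachable",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

def parse_icmp(icmp: bytes) -> dict:
    """Parse an ICMP message; for type 3, recover the quoted packet's flow."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    info = {"type": icmp[0], "code": icmp[1], "name": "other", "flow": None}
    if icmp[0] == 8:
        info["name"] = "Echo Request (ping)"
    if icmp[0] != 3:
        return info
    info["name"] = "Destination Unreachable: " + UNREACH_CODES.get(icmp[1], f"code {icmp[1]}")
    inner = icmp[8:]  # quoted original IPv4 header plus at least 8 payload bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return info
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return info
    sport = dport = None
    if inner[9] in (6, 17):  # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    info["flow"] = (inner[9], socket.inet_ntoa(inner[12:16]), sport,
                    socket.inet_ntoa(inner[16:20]), dport)
    return info

def is_solicited(info: dict, outbound_flows: set) -> bool:
    """True if the quoted packet matches a flow this host really opened."""
    return info["flow"] is not None and info["flow"] in outbound_flows

def build_sample(code, src, dst, sport, dport) -> bytes:
    """Constructed test packet: ICMP type 3 quoting the start of a TCP header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + struct.pack("!HHI", sport, dport, 0)

if __name__ == "__main__":
    # Constructed sample using documentation address ranges, not data from the thread.
    flow = (6, "192.0.2.10", 51000, "198.51.100.7", 80)
    info = parse_icmp(build_sample(10, flow[1], flow[3], flow[2], flow[4]))
    print(info["name"], info["flow"], "solicited:", is_solicited(info, {flow}))
```

An error whose quoted flow matches nothing in the outbound table is the case a stateful firewall would log rather than pass to a host.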
caulbox
Rising Star
Posts: 179
Thanks: 1
Fixes: 1
Registered: ‎19-06-2009

Re: Under attack?

Quote from: ejs
Probably the reason these icmp response packets get logged is because no corresponding outbound connection attempt was made.

Wouldn't such logic imply that the icmp checks would cease if a new IP address is being used? Like the OP reports, these checks persist for me too, even after commencing new PPP sessions with completely different IP addresses assigned.
SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Under attack?

Same from Germany:
FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 217.0.86.113 Dst ip: 212.159.61.36 Type: Destination Unreachable Code: Communication Administratively Prohibited

and from RoadRunner in the States
FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 184.57.54.8 Dst ip: 212.159.61.36 Type: Destination Unreachable Code: Communication Administratively Prohibited
FarmerGiles
Dabbler
Posts: 15
Registered: ‎16-01-2011

Re: Under attack?

Coincidence?
Since I posted this the icmp messages from this IP have stopped. Maybe Plusnet have quietly done something?
Regards
caulbox
Rising Star
Posts: 179
Thanks: 1
Fixes: 1
Registered: ‎19-06-2009

Re: Under attack?

Stopped for me too since your original post.
frasa
Newbie
Posts: 1
Registered: ‎29-01-2016

Re: Under attack?

I have the Technicolor gateway - Plusnet fibre. The system firewall is set not to allow outside access and not to reply to an outside "ping". However, I have checked the attacking IP addresses and find them to be from China. Maybe it's BT's network doing it as it comes from China. Plusnet, can you advise?
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.178.87.106 Dst ip: 87.112.195.34 Type: Destination Unreachable Code: Port Unreacheable