| Thread ID: 37145 | 2003-08-30 00:31:00 | ZoneAlarm reports many ICMP connection attempts | Ropey (3222) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 171668 | 2003-08-30 00:31:00 | I'm not sure if the activity I am picking up is new, or I am just noticing it for the first time, but I am getting many (20-30 per minute) ICMP attempts, with a medium rating. As they are being blocked there seems to be no security issue here, but what are these pings? | Ropey (3222) | ||
| 171669 | 2003-08-30 00:42:00 | 99.99% of the time it is nothing to worry about. It is only someone's program seeing if the IP address is "alive". As your firewall doesn't reply to the ping, then it considers no-one is there. When you dial-up onto the internet, your ISP allocates you an IP address from a "pool" of them. It quite often happens that a previous user of that IP address was using Kazaa for file sharing. Now when someone else has been downloading from the previous user, then it will ping the known IP addresses where the wanted file was last known. Quite innocent and harmless. | Pheonix (280) | ||
| 171670 | 2003-08-30 00:58:00 | ICMP stands for Internet Control Message Protocol and is used, as the name implies, to figure out how your IP connection is doing, and if necessary, adjust some of the parameters for it (like the Maximum Transmission Unit discovery along the network path, whether or not to fragment packets, etc.). It follows that blocking all ICMP is a bad move, because your machine, and the peer it is connecting to, will be working more or less in the blind. FAQS.org (www.faqs.org/docs/iptables/icmptypes.html) lists the different ICMP types. Don't know if ZoneAlarm allows this, but most good IP management systems let you rate-limit the number of responses to a reasonable number (say 100-200/m). I would allow the following ICMP types: 0 - echo reply, 3 - destination unreachable, 12 - parameter problem, both incoming and outgoing. For troubleshooting, it's useful to have: 5 - redirect, 8 - echo request, 11 - TTL equals 0, allowed outgoing. -- Juha | juha (761) | ||
| 171671 | 2003-08-30 09:20:00 | You are most likely seeing the pings from the white hat ver of the Blaster worm (the one that tries to patch your system against the Blaster worm). | tweak'e (174) | ||
| 171672 | 2003-08-30 10:29:00 | It's like raindrops on the roof, ignore them. Just set ZoneAlarm up to not display the pings. I don't even bother to log them, waste of time. | kiwibeat (304) | ||
| 171673 | 2003-08-30 23:59:00 | Thanks everyone. It seems that I am just noticing the traffic more, so I'll relax... | Ropey (3222) | ||
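
The allow-list and rate limit suggested in juha's post (171670), modelled as a small ICMP filter. This is an added example, not part of the original thread and not ZoneAlarm's behaviour; the names `IcmpFilter`, `build_icmp` and `icmp_checksum`, the checksum and length checks, and the sliding one-minute window applied to all accepted messages are assumptions, and the sample packets are constructed.

```python
import struct
from collections import deque

# Allow-list from juha's post; every other ICMP type is dropped.
ALLOW_BOTH = {0, 3, 12}      # echo reply, destination unreachable, parameter problem
ALLOW_OUT_ONLY = {5, 8, 11}  # redirect, echo request, TTL equals 0

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed sample ICMP message (8-byte header + payload)."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

class IcmpFilter:
    """Hypothetical filter: type allow-list plus a sliding one-minute rate limit."""

    def __init__(self, max_per_minute: int = 100):
        self.max_per_minute = max_per_minute
        self.accepted = deque()  # timestamps (seconds) of accepted messages

    def decide(self, packet: bytes, direction: str, now: float) -> str:
        if len(packet) < 8:
            return "drop: truncated"
        if icmp_checksum(packet) != 0:
            return "drop: bad checksum"
        icmp_type = packet[0]
        if not (icmp_type in ALLOW_BOTH or
                (direction == "out" and icmp_type in ALLOW_OUT_ONLY)):
            return f"drop: type {icmp_type} not allowed {direction}"
        while self.accepted and now - self.accepted[0] >= 60:
            self.accepted.popleft()  # forget messages older than one minute
        if len(self.accepted) >= self.max_per_minute:
            return "drop: rate limit"
        self.accepted.append(now)
        return "accept"
```

With this policy an incoming echo request (type 8), the kind of ping the thread is about, is dropped silently, while destination unreachable (type 3) still gets through so path MTU discovery keeps working.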