ICMP Type 8 Echo Request packet security concerns

Posted by Scott Holmes on October 11, 2005, 5:39 am
Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?

For some reason, I periodically get weird Internet Control Message Protocol
(ICMP) Type 8 requests on WinXP such as:

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
Do you want to allow this program to access the network?

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to
[202.232.221.175].
Do you want to allow this program to access the network?

I have no idea what these requests are for.

When I do a reverse dns look up at http://www.zoneedit.com/lookup.html
I find these IP addresses are not registered. Weird. Then why are they
sending me ICMP Type 8 (whatever that is) requests?

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I looked up RFC 792 which describes ICMP, but I did not understand it as I
am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
know is this thing called ICMP has a code field and a type field. A type 8
is an "Echo". I have a D-Link wireless router so I wonder why it didn't
stop this ping of death from reaching my 192.168.0.1 machine.

One of the articles I looked up suggested "netstat -an" but that didn't
show anything listening on that IP address.

What is an ICMP Type 8 echo request?
Whom do these IP addresses belong to?
Should I allow these ICMP Type 8 echo requests or should I deny them?


Posted by Roger Abell [MVP] on October 10, 2005, 11:42 pm
Keep in mind that a number of firewall products only report the
last process in the chain that causes the communication attempt.
That this is part of the OS is because that is the "owner" of the
hardware, in this case the networking interfaces. This superficial
reporting by these products does not help one understand that it
is something running that has asked the OS to do this, very often
third-party software.


> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?
>
> For some reason, I periodically get weird Internet Control Message
> Protocol (ICMP) Type 8 requests on WinXP such as:
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.13.185].
> Do you want to allow this program to access the network?
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
>
> I have no idea what these requests are for.
>
> When I do a reverse dns look up at http://www.zoneedit.com/lookup.html
> I find these IP addresses are not registered. Weird. Then why are they
> sending me ICMP Type 8 (whatever that is) requests?
>
> OrgName: Asia Pacific Network Information Centre
> OrgID: APNIC
> Address: PO Box 2131
> City: Milton
> StateProv: QLD
> PostalCode: 4064
> Country: AU
>
> I looked up RFC 792 which describes ICMP, but I did not understand it as I
> am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
> know is this thing called ICMP has a code field and a type field. A type 8
> is an "Echo". I have a D-Link wireless router so I wonder why it didn't
> stop this ping of death from reaching my 192.168.0.1 machine.
>
> One of the articles I looked up suggested "netstat -an" but that didn't
> show anything listening on that IP address.
>
> What is an ICMP Type 8 echo request?
> Whom do these IP addresses belong to?
> Should I allow these ICMP Type 8 echo requests or should I deny them?




Posted by Walter Roberson on October 11, 2005, 6:15 am
>NT Kernel System (ntoskrnl.exe)
>is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].

>[202.232.221.175].

>When I do a reverse dns look up at http://www.zoneedit.com/lookup.html
>I find these IP addresses are not registered.

202.232.221.175 is registered to Toshiba.

202.232.13.185 is registered to IIJ Internet, which happens to
be the ISP providing DNS service for the Toshiba block immediately
above.

Do you have some Toshiba related equipment? Possibly including
some software that might be periodically checking for updated
drivers or updated software utilities?
--
Programming is what happens while you're busy making other plans.


Posted by Volker Birk on October 11, 2005, 10:56 am
> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?
> For some reason, I periodically get weird Internet Control Message Protocol
> (ICMP) Type 8 requests on WinXP such as:
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
> Do you want to allow this program to access the network?
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
> I have no idea what these requests are for.

Why do you drive a software, which asks you questions you don't understand?
This does not make you more secure in any way.

> What is an ICMP Type 8 echo request?

See RFC 792. It's for network testing.

> Whom do these IP addresses belong to?

Both belong to Internet Initiative Japan Inc.

> Should I allow these ICMP Type 8 echo requests or should I deny them?

You could allow them. You could deny them. But why are you sending them?

F'up2csf, where it is on-topic.

Yours,
VB.
--
"I am a free man and will now make use of my civil liberties,
and extensively at that, though of course only within the limits that
Otto Schily still leaves me."
Wolfgang Clement on 10.10.05, as still-serving "super minister"


Posted by Imhotep on October 11, 2005, 8:28 pm
Scott Holmes wrote:

> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?
>
> For some reason, I periodically get weird Internet Control Message
> Protocol (ICMP) Type 8 requests on WinXP such as:
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.13.185]. Do you want to allow this program to access the network?
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
>
> I have no idea what these requests are for.
>
> When I do a reverse dns look up at http://www.zoneedit.com/lookup.html
> I find these IP addresses are not registered. Weird. Then why are they
> sending me ICMP Type 8 (whatever that is) requests?
>
> OrgName: Asia Pacific Network Information Centre
> OrgID: APNIC
> Address: PO Box 2131
> City: Milton
> StateProv: QLD
> PostalCode: 4064
> Country: AU
>
> I looked up RFC 792 which describes ICMP, but I did not understand it as I
> am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
> know is this thing called ICMP has a code field and a type field. A type 8
> is an "Echo". I have a D-Link wireless router so I wonder why it didn't
> stop this ping of death from reaching my 192.168.0.1 machine.
>
> One of the articles I looked up suggested "netstat -an" but that didn't
> show anything listening on that IP address.
>
> What is an ICMP Type 8 echo request?
> Whom do these IP addresses belong to?
> Should I allow these ICMP Type 8 echo requests or should I deny them?


ICMP echo type 8 is "ping" or, more technically speaking, it is the first part
of a "ping", i.e. the ICMP echo request, and the PC being pinged sends an ICMP
echo reply.

The IP address goes back to Japan. It sounds like you have some kind of
"dial home" software or worse.....

Good luck,
Imhotep
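
Added example, not part of any post in this thread: a small Python parser for the RFC 792 echo messages discussed above, showing how a type 8 Echo Request and its type 0 Echo Reply are told apart, checksum-verified and paired by identifier and sequence number. The function names, identifier value and payload are assumptions constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values defined in RFC 792

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"  # pad to a whole number of 16-bit words
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold the carries back in
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo message: type, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(message: bytes) -> dict:
    """Parse and validate an ICMP echo message (IP header already removed)."""
    if len(message) < 8:
        raise ValueError("shorter than the 8-byte ICMP echo header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError(f"not an echo message: type={icmp_type} code={code}")
    # Summing a valid message, checksum field included, yields zero.
    if inet_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    kind = "echo request" if icmp_type == ECHO_REQUEST else "echo reply"
    return {"type": icmp_type, "kind": kind, "id": ident, "seq": seq,
            "payload": message[8:]}

def reply_matches(request: bytes, reply: bytes) -> bool:
    """True when reply is the Echo Reply answering this Echo Request."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (req["type"] == ECHO_REQUEST and rep["type"] == ECHO_REPLY
            and (req["id"], req["seq"], req["payload"])
            == (rep["id"], rep["seq"], rep["payload"]))

# Constructed sample messages (not captured traffic).
REQUEST = build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
REPLY = build_echo(ECHO_REPLY, 0x1234, 1, b"abcdefgh")

if __name__ == "__main__":
    print(parse_echo(REQUEST)["kind"], "->", parse_echo(REPLY)["kind"])
    print("reply matches request:", reply_matches(REQUEST, REPLY))
```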

