ICMP Continuous bombardment

Hi people!

I am currently observing a phenomenon on the Ipfire firewall and wanted to ask how you would rate it.

It is about 2 IP addresses which are located in Iran and probably belong to an Indian company in US hands; to what extent this is credible, I cannot judge.

I use the Geo Block function, where Iran is also selected.

These two IP addresses are permanently listed 24/7 with an ICMP protocol unknown to me in the connection overview. Lease time is 30 sec, but the connection is constantly re-established. Size is given as over 400 bytes, which excludes a packet of type 0 or 8.

What could this be? Is there a risk that an ICMP tunnel has been created? How do I investigate this? How do I stop this?

Thank you very much in advance for your opinions!

The size doesn’t exclude ping packets (type 0 or 8). ICMP allows an arbitrary payload (which should be less than the MTU).

However, if I look at the 100 other ICMP packets that are occasionally sent from different IP addresses, which are all between 52 bytes and 84 bytes (standard packet sizes), this permanently maintained “connection” stands out with 456 bytes.
A second persistent ICMP connection from green to IPFire comes from a WLAN access point with a size of 84 bytes, which I assume is checking the availability of the gateway.

But what is the intention of this IP from Iran? How should I classify it?

To answer your questions, you should record those packets (tcpdump -w is your friend) and analyse the content (Wireshark is a tool).

I have no idea how to use tcpdump exactly…
I have now entered tcpdump -w red0 and now have a file red0. Opened with nano, only cryptic character salad.
Now open the file with wireshark? So far right?

Ok.
The exact way:

  • Recording: tcpdump -i red0 -w icmp.cap (interface red0, write to icmp.cap); be sure to catch those long packets. tcpdump reports the packet count when terminated with Ctrl-C.
  • Transfer /root/icmp.cap to your PC (WinSCP is a good tool).
  • Start Wireshark. File -> Open lets you open your icmp.cap file.
  • Now you can scroll through the packets and read the contents.

I suppose you are using Windows as your desktop.
On IPFire itself you can use tshark -r icmp.cap -V

1 Like

You may want to do tcpdump -i red0 icmp -w icmp.cap to just pick up ICMP messages. I also use the -nn switch.

2 Likes
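As an added illustration of the capture-and-inspect steps in the two posts above (not code from the thread or from IPFire), here is a small offline reader for the icmp.cap file tcpdump writes: it walks the classic pcap format, picks out IPv4 ICMP frames, reports type, code, IP length and payload length, and flags anything larger than a normal 84-byte echo, which is how the 456-byte packets would stand out. The pcap it parses is constructed inline with a hypothetical helper so the script runs without a capture.

```python
import struct

# Constructed test data: a hypothetical helper (not from the thread) that builds
# an Ethernet/IPv4/ICMP frame with zeroed checksums and documentation addresses.
def build_frame(icmp_type, payload, proto=1):
    l4 = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4   # zeroed MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xA1B2C3D4, linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def icmp_packets(pcap):
    """Return (icmp_type, code, ip_total_len, payload_len) for each IPv4 ICMP frame."""
    results, off = [], 24                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack_from("!H", frame, 16)[0]   # IP total length
        if frame[23] != 1:
            continue                            # not ICMP (protocol field)
        icmp = frame[14 + ihl:14 + total]
        results.append((icmp[0], icmp[1], total, len(icmp) - 8))
    return results

def oversized(packets, max_len=84):
    """Flag ICMP packets whose IP length exceeds a normal echo (84 bytes = 56-byte payload)."""
    return [p for p in packets if p[2] > max_len]

if __name__ == "__main__":
    cap = build_pcap([build_frame(8, b"\x00" * 56),            # ordinary ping, 84 bytes
                      build_frame(8, b"\x00" * 428),           # 456-byte echo like the thread's
                      build_frame(0, b"\x00" * 56, proto=17)]) # UDP, skipped
    for p in oversized(icmp_packets(cap)):
        print("type=%d code=%d ip_len=%d payload=%d" % p)
```

To use it on a real file, replace the constructed pcap with open("icmp.cap", "rb").read(); the payload bytes of any flagged packet are then what you would look at in Wireshark to decide whether they are plain ping padding or something else.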

Thank you very much,
These seem to be normal ping requests, which are all answered well. Can this be switched off? I don’t know this foreign IP and why is someone checking all the time if my MAC address is connected to this IP?

Btw. with Wireshark you can also use SSH remote capture to write the packets in a file.

Edit: Ok, a very simple solution and at the same time I found out how to get a new IP address from my ISP, which normally almost never changes.
I wanted to change the MAC address of red0, then for the Iran IP the device would have changed to my IP address, but at the same time I was assigned a new IP.
I actually thought the IP was linked to the modem from the ISP.
With the new IP, the Iran IP problem has of course been resolved.
Thanks again!