sofaware.infopop.cc
SofaWare Discussion Groups
ZoneAlarm Z100G Secure Wireless Router
Strange Security on ICMP Flood
Member
I was on the Desktop this morning and I see that my personal desktop firewall is showing a PING flood alert.
How did spoofed pings from the Internet reach the desktop? And the ZoneAlarm log shows some of them dropped.

---- DESKTOP FIREWALL ---------------------
ICMP : ICMP flood
06/12/2007 06:34:46 AM
Event ID: BLINK-BAM-1604
Severity: Medium
Description: An ICMP storm has been detected.
ICMP Type: 11
Action: Dropped
Attacker IP: 172.26.49.254
Victim IP: 192.168.10.48
Length: 36
Alert: Yes
Protocol: ICMP
Code: 0
----------------------------------

172.26.xx.xx is not routable and I imagine it's spoofed. All PCs in my home network are 192.168.10.xx/24. The issue is how did the pings get past the ZoneAlarm router. What is really strange is below at log record 08461 - what is the REPLAY ICMP Error? From the LAN interface of the router 192.168.10.1 to the WAN interface of the router 24.178.139.xx.

----- The ZoneAlarm log reports ------
DROP  08465 12Jun2007 10:37:38 ICMP 172.26.49.254 [Stateless ICMP] 24.178.139.xx (ZoneAlarm Z100G) 11 (Time exceeded)
BLUE  08464 12Jun2007 10:37:23 Start sniffing "Primary Internet (CABLE)" network
ALLOW 08463 12Jun2007 10:37:22 TCP 192.168.10.48 (stan) [Custom rule] 4695 85.131.106.108 443 (HTTPS)
ALLOW 08462 12Jun2007 10:37:18 TCP 192.168.10.48 (stan) [Custom rule] 4689 207.237.66.115 443 (HTTPS)
DROP  08461 12Jun2007 10:37:14 ICMP 192.168.10.1 [Replay ICMP error] 24.178.139.xx (ZoneAlarm Z100G) 11 (Time exceeded)
ALLOW 08460 12Jun2007 10:37:06 TCP 192.168.10.48 (stan) [Custom rule] 4679 81.165.149.155 443 (HTTPS)
INFO  08459 12Jun2007 10:37:03 Switching to base servers in 10 seconds. Reason: Giveup
INFO  08458 12Jun2007 10:37:03 Warning: Connection to the Service Center has failed.
DROP  08457 12Jun2007 10:36:52 ICMP 172.26.49.254 [Replay ICMP error] 24.178.139.xx (ZoneAlarm Z100G) 11 (Time exceeded)
DROP  08456 12Jun2007 10:36:50 ICMP 172.26.49.254 [Stateless ICMP] 24.178.139.xx (ZoneAlarm Z100G) 11 (Time exceeded)
DROP  08455 12Jun2007 10:36:49 ICMP 172.26.49.254 [Stateless ICMP] 24.178.139.xx (ZoneAlarm Z100G) 11 (Time exceeded)

Member
Here is a captured packet - Looks like this may be coming from an upstream ISP router/server. 75.137.144.1
Could it be that the 172.26.49.254 address is embedded in the packet? Anyway - the question remains why the ZoneAlarm router allowed the packets through to the desktop. (SNIFFER run on ZoneAlarm - on the Cable interface)

No. Time      Source         Destination    Protocol Info
33  11.031754 172.26.49.254  192.168.10.48  ICMP     Time-to-live exceeded (Time t

Frame 33 (70 bytes on wire, 70 bytes captured)
    Arrival Time: Jun 12, 2007 06:37:34.174847000
    Time delta from previous packet: 11.031754000 seconds
    Time since reference or first frame: 11.031754000 seconds
    Frame Number: 33
    Packet Length: 70 bytes
    Capture Length: 70 bytes
    Protocols in frame: eth:ip:icmp:ip:tcp
Ethernet II, Src: 75.137.144.1 (00:13:5f:06:89:05), Dst: 24.178.139.xx (00:04:e2:4a:6b:8b)
    Destination: 24.178.139.xx (00:04:e2:4a:6b:8b)
    Source: 75.137.144.1 (00:13:5f:06:89:05)
    Type: IP (0x0800)
Internet Protocol, Src: 172.26.49.254 (172.26.49.254), Dst: 192.168.10.48 (192.168.10.48)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x0000 (0)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 253
    Protocol: ICMP (0x01)
    Header checksum: 0x14d4 [correct]
        Good: True
        Bad : False
    Source: 172.26.49.254 (172.26.49.254)
    Destination: 192.168.10.48 (192.168.10.48)
Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (Time to live exceeded in transit)
    Checksum: 0xff14 [correct]
    Internet Protocol, Src: 192.168.10.48 (192.168.10.48), Dst: 207.237.66.115 (207.237.66.115)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 48
        Identification: 0x710c (28940)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 1
        Protocol: TCP (0x06)
        Header checksum: 0x2b83 [correct]
            Good: True
            Bad : False
        Source: 192.168.10.48 (192.168.10.48)
        Destination: 207.237.66.115 (207.237.66.115)
    Transmission Control Protocol, Src Port: 4687 (4687), Dst Port: 10877 (10877)
        Source port: 4687 (4687)
        Destination port: 10877 (10877)
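Added example (not code from the thread or from SofaWare): it rebuilds the Time-to-live exceeded packet from the field values in the capture above, pulls out the datagram quoted inside the ICMP error, and applies the stateful check a firewall uses to decide whether such an error belongs to a known outbound connection. The field values are taken from the capture; the TCP sequence number is not shown in the post and is assumed to be zero.

```python
import socket
import struct

# Constructed from the capture's field values (the post shows no raw bytes).
# TCP sequence number is not in the post, so it is assumed zero here.
OUTER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0x0000, 0x0000, 253, 1, 0x14D4,
                       socket.inet_aton("172.26.49.254"), socket.inet_aton("192.168.10.48"))
ICMP_HDR = struct.pack("!BBHI", 11, 0, 0xFF14, 0)       # Type 11 / Code 0: TTL exceeded in transit
INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x710C, 0x4000, 1, 6, 0x2B83,
                       socket.inet_aton("192.168.10.48"), socket.inet_aton("207.237.66.115"))
INNER_TCP = struct.pack("!HHI", 4687, 10877, 0)         # ports from the capture; seq assumed 0
FRAME_33 = OUTER_IP + ICMP_HDR + INNER_IP + INNER_TCP   # 56 bytes = outer Total Length

def ip_header_checksum_ok(hdr: bytes) -> bool:
    """RFC 791: one's-complement sum of the header words must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_icmp_error(pkt: bytes) -> dict:
    """Return outer addresses plus the flow quoted inside an ICMP error (types 3, 11, 12)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or not ip_header_checksum_ok(pkt[:ihl]):
        raise ValueError("not a well-formed ICMP packet")
    icmp = pkt[ihl:]
    if icmp[0] not in (3, 11, 12):
        raise ValueError("ICMP type %d carries no quoted datagram" % icmp[0])
    inner = icmp[8:]                      # RFC 792: offending IP header + first 8 payload bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]),
        "outer_dst": socket.inet_ntoa(pkt[16:20]),
        "type": icmp[0], "code": icmp[1],
        "inner_checksum_ok": ip_header_checksum_ok(inner[:inner_ihl]),
        # (src, sport, dst, dport, proto) of the packet that triggered the error
        "quoted_flow": (socket.inet_ntoa(inner[12:16]), sport,
                        socket.inet_ntoa(inner[16:20]), dport, inner[9]),
    }

def classify(pkt: bytes, state_table: set) -> str:
    """Stateful decision: accept the error only if the quoted flow is a connection the
    firewall already tracks. A miss is what a line tagged 'Stateless ICMP' reflects."""
    info = parse_icmp_error(pkt)
    return "ALLOW related" if info["quoted_flow"] in state_table else "DROP [Stateless ICMP]"
```

Note that the outer sender (172.26.49.254) is judged only by whether the quoted inner datagram matches a tracked flow, not by whether its own address is routable. The ICMP checksum is not recomputed because the quoted TCP sequence number is unknown.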

Advanced Member
I'm guessing, but one is the SofaWare Server and the other is your ISP. Looks like your router (server) is looking for the SofaWare Server.
the rocket