https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978423#M575573 I keep receiving the following alerts on my Procurve Switches "ip: icmp: Unsolicited Echo Reply from" and the address its from is a local addresses on my net. Sometimes a pc's address, sometimes a RF scanner or whatnot. <BR /><BR />Any idea what causes this, how to stop it, or is it something I should consern myself with? I probably get about 5 of these per day across all my switches.<BR /><BR />Thanks for any info.<BR />Ron Bombard, Network Admin.<BR />Native Textiles Inc.<BR /> Wed, 21 May 2003 12:00:50 GMT Ron Bombard 2003-05-21T12:00:50Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978423#M575573 I keep receiving the following alerts on my Procurve Switches "ip: icmp: Unsolicited Echo Reply from" and the address its from is a local addresses on my net. Sometimes a pc's address, sometimes a RF scanner or whatnot. <BR /><BR />Any idea what causes this, how to stop it, or is it something I should consern myself with? I probably get about 5 of these per day across all my switches.<BR /><BR />Thanks for any info.<BR />Ron Bombard, Network Admin.<BR />Native Textiles Inc.<BR /> Wed, 21 May 2003 12:00:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978423#M575573 Ron Bombard 2003-05-21T12:00:50Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978424#M575574 Hi<BR />This may help:-<BR /><BR /><A href="http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90131/B2355-90131_top.html&amp;con=/hpux/onlinedocs/B2355-90131/00/00/38-con.html&amp;toc=/hpux/onlinedocs/B2355-90131/00/00/38-toc.html&amp;searchterms=echo%7cUnsolicited&amp;queryid=19030521-070836" target="_blank">http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90131/B2355-90131_top.html&amp;con=/hpux/onlinedocs/B2355-90131/00/00/38-con.html&amp;toc=/hpux/onlinedocs/B2355-90131/00/00/38-toc.html&amp;searchterms=echo%7cUnsolicited&amp;queryid=19030521-070836</A><BR /><BR /><BR />Also is there one router that all of these devices go through? If so check it out.<BR /><BR />Paula Wed, 21 May 2003 12:13:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978424#M575574 Paula J Frazer-Campbell 2003-05-21T12:13:46Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978425#M575575 I'd do a little investigating: <BR /><BR />See:<BR /><BR /><A href="http://www.sans.org/resources/idfaq/traffic.php" target="_blank">http://www.sans.org/resources/idfaq/traffic.php</A><BR /><BR />Also check out the TFN exploit discussed at:<BR /><BR /><A href="http://www.sans.org/resources/idfaq/icmp_misuse.php" target="_blank">http://www.sans.org/resources/idfaq/icmp_misuse.php</A><BR /><BR />Ron<BR /><BR /><BR /> Wed, 21 May 2003 12:36:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978425#M575575 Ron Kinner 2003-05-21T12:36:39Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978426#M575576 Hi<BR /><BR />ip: <VLAN>: icmp: Unsolicited Echo Reply from <IP address=""><BR />An unsolicited ICMP reply to a ping was received from <IP address=""> that was not sent by the local switch.<BR /><BR />The "not sent by the local switch" may help you.<BR /><BR /><BR />Paula<BR /></IP></IP></VLAN> Wed, 21 May 2003 12:52:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978426#M575576 Paula J Frazer-Campbell 2003-05-21T12:52:39Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978427#M575577 Also check out:-<BR /><BR /><BR /><A href="http://www.iss.net/security_center/advice/Intrusions/2000109/default.htm" target="_blank">http://www.iss.net/security_center/advice/Intrusions/2000109/default.htm</A><BR /><BR /><BR />Paula Wed, 21 May 2003 12:54:16 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978427#M575577 Paula J Frazer-Campbell 2003-05-21T12:54:16Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978428#M575578 Also check out:-<BR /><BR /><BR /><A href="http://www.iss.net/security_center/advice/Intrusions/2000109/default.htm" target="_blank">http://www.iss.net/security_center/advice/Intrusions/2000109/default.htm</A><BR /><BR />and <BR /><BR />Unsolicited echo-replies can be a sign of a Smurf ( <A href="http://www.cert.org/advisories/CA-1998-01.html)amplification" target="_blank">http://www.cert.org/advisories/CA-1998-01.html)amplification</A> attack.<BR /><BR /><BR />Paula Wed, 21 May 2003 12:56:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978428#M575578 Paula J Frazer-Campbell 2003-05-21T12:56:18Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978429#M575579 Ron<BR /><BR /><BR />Please assign points to your previous questions if the answers have assisted you:-<BR /><BR /><A href="http://forums.itrc.hp.com/cm/TopSolutions/1,,CA302314!1!questions,00.html" target="_blank">http://forums.itrc.hp.com/cm/TopSolutions/1,,CA302314!1!questions,00.html</A><BR /><BR />;^)<BR /><BR /><BR />Paula Wed, 21 May 2003 13:00:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978429#M575579 Paula J Frazer-Campbell 2003-05-21T13:00:07Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978430#M575580 So... it would be your guess that this is some sort of "intrusion" of some kind? If that were the case, wouldn't I see more of these alerts, besides just the few per day?<BR /><BR />My firewalls allow ICMP stuff, but limit them to 1 per 60 secs.<BR /><BR />Is it recommended to disallow ICMP? According to my firewall docs, I can turn it off and it will: <BR /><BR />#drop "bad" icmp -- not replying to<BR /># echo requests but still allowing internal<BR /># pings to work correctly.<BR /># It will accept destination-unreachable,<BR /># time-exceeded, and echo-reply -- and<BR /># drop the rest<BR /><BR />Will this cause any forseeable problems? Wed, 21 May 2003 14:10:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978430#M575580 Ron Bombard 2003-05-21T14:10:50Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978431#M575581 I'd turn it off at the firewall. It shouldn't bother anything. Worse case you get a call from your ISP saying his Openview went red and you will have to allow it from him but from what you say it won't stop your unexpected echo replies (if they are really coming from the outside) unless you have a filter which drops all incoming packets with a local source address. (You should have such a filter anyway.)<BR /><BR />If you already have such a filter or if after adding one they continue to show up then it could be that for some reason the echo requests are going through a different switch than the replies and that is why they are being flagged. Do your PCs and such have multiple NICs?<BR /><BR />Could also be a bug in the code which gives false positives. What kind of switch and what version of code are you running?<BR /><BR />Ron Wed, 21 May 2003 14:45:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978431#M575581 Ron Kinner 2003-05-21T14:45:09Z https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978432#M575582 I don't have any pcs with multiple nics. except for one linux server thats used for a internet proxy and firewall.<BR /><BR />As for my switches and firmware: This is happening on multiple switches. They are all HP Procurve switches with the latest firmware (as of last week). <BR /><BR />I'll turn off that ICMP at the firewall and see what happens.<BR /><BR />Thanks for the suggestions! Wed, 21 May 2003 15:04:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/unsolicited-echo-reply/m-p/2978432#M575582 Ron Bombard 2003-05-21T15:04:58Z