
Unsolicited Echo Reply

 
Ron Bombard
Frequent Advisor

Unsolicited Echo Reply

I keep receiving the following alerts on my Procurve switches: "ip: icmp: Unsolicited Echo Reply from", and the address it's from is a local address on my net. Sometimes a PC's address, sometimes an RF scanner or whatnot.

Any idea what causes this, how to stop it, or is it something I should concern myself with? I probably get about 5 of these per day across all my switches.

Thanks for any info.
Ron Bombard, Network Admin.
Native Textiles Inc.
Meddle not in the affairs of dragons... for you are crunchy and taste like chicken.
9 REPLIES
Paula J Frazer-Campbell
Honored Contributor
Solution

Re: Unsolicited Echo Reply

Ron Kinner
Honored Contributor

Re: Unsolicited Echo Reply

I'd do a little investigating:

See:

http://www.sans.org/resources/idfaq/traffic.php

Also check out the TFN exploit discussed at:

http://www.sans.org/resources/idfaq/icmp_misuse.php

Ron


Paula J Frazer-Campbell
Honored Contributor

Re: Unsolicited Echo Reply

Hi

ip: : icmp: Unsolicited Echo Reply from
An unsolicited ICMP reply to a ping was received from that was not sent by the local switch.

The "not sent by the local switch" may help you.


Paula
If you can spell SysAdmin then you is one - anon
Paula J Frazer-Campbell
Honored Contributor

Re: Unsolicited Echo Reply

Also check out:-


http://www.iss.net/security_center/advice/Intrusions/2000109/default.htm


Paula
If you can spell SysAdmin then you is one - anon
Paula J Frazer-Campbell
Honored Contributor

Re: Unsolicited Echo Reply

Also check out:-


http://www.iss.net/security_center/advice/Intrusions/2000109/default.htm

and

Unsolicited echo-replies can be a sign of a Smurf (http://www.cert.org/advisories/CA-1998-01.html) amplification attack.


Paula
If you can spell SysAdmin then you is one - anon
Paula J Frazer-Campbell
Honored Contributor

Re: Unsolicited Echo Reply

Ron


Please assign points to your previous questions if the answers have assisted you:-

http://forums.itrc.hp.com/cm/TopSolutions/1,,CA302314!1!questions,00.html

;^)


Paula
If you can spell SysAdmin then you is one - anon
Ron Bombard
Frequent Advisor

Re: Unsolicited Echo Reply

So... it would be your guess that this is some sort of "intrusion" of some kind? If that were the case, wouldn't I see more of these alerts, besides just the few per day?

My firewalls allow ICMP stuff, but limit them to 1 per 60 secs.

Is it recommended to disallow ICMP? According to my firewall docs, I can turn it off and it will:

#drop "bad" icmp -- not replying to
# echo requests but still allowing internal
# pings to work correctly.
# It will accept destination-unreachable,
# time-exceeded, and echo-reply -- and
# drop the rest

Will this cause any foreseeable problems?
Meddle not in the affairs of dragons... for you are crunchy and taste like chicken.
Ron Kinner
Honored Contributor

Re: Unsolicited Echo Reply

I'd turn it off at the firewall. It shouldn't bother anything. Worst case, you get a call from your ISP saying his OpenView went red and you will have to allow it from him. But from what you say, it won't stop your unexpected echo replies (if they are really coming from the outside) unless you have a filter which drops all incoming packets with a local source address. (You should have such a filter anyway.)

If you already have such a filter or if after adding one they continue to show up then it could be that for some reason the echo requests are going through a different switch than the replies and that is why they are being flagged. Do your PCs and such have multiple NICs?

Could also be a bug in the code which gives false positives. What kind of switch and what version of code are you running?

Ron
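
The two checks discussed in the reply above (an echo reply with no matching request seen at the observation point, and a packet arriving from outside with a local source address), sketched as an added example that is not part of the thread and not HP's switch logic. The packet record layout, the "lan"/"wan" interface names, the 5-second window and the sample traffic are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed record: what one observation point (switch or firewall) saw.
Pkt = namedtuple("Pkt", "ts iface src dst icmp_type ident seq")
ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

def audit_icmp(packets, local_net, window=5.0):
    """Return (packet, reason) for echo replies with no matching request and
    for packets that arrive on the 'wan' interface with a local source."""
    net = ipaddress.ip_network(local_net)
    pending = {}   # (requester, target, ident, seq) -> time the request was seen
    findings = []
    for p in sorted(packets, key=lambda p: p.ts):
        # Anti-spoofing filter: a local source can never legitimately arrive from outside.
        if p.iface == "wan" and ipaddress.ip_address(p.src) in net:
            findings.append((p, "local source on external interface"))
            continue
        if p.icmp_type == ECHO_REQUEST:
            pending[(p.src, p.dst, p.ident, p.seq)] = p.ts
        elif p.icmp_type == ECHO_REPLY:
            # A reply is solicited only if the mirrored request was seen recently.
            sent = pending.pop((p.dst, p.src, p.ident, p.seq), None)
            if sent is None or p.ts - sent > window:
                findings.append((p, "unsolicited echo reply"))
    return findings

# Constructed sample traffic (RFC 1918 and RFC 5737 addresses).
SAMPLE = [
    Pkt(0.0, "lan", "10.0.0.5", "10.0.0.20", ECHO_REQUEST, 7, 1),
    Pkt(0.1, "lan", "10.0.0.20", "10.0.0.5", ECHO_REPLY, 7, 1),    # matched pair
    Pkt(3.0, "lan", "10.0.0.31", "10.0.0.5", ECHO_REPLY, 9, 4),    # request took another path
    Pkt(4.0, "wan", "10.0.0.44", "10.0.0.5", ECHO_REPLY, 2, 1),    # spoofed local source
    Pkt(5.0, "wan", "198.51.100.9", "10.0.0.5", ECHO_REPLY, 3, 1), # outside, never requested
]

if __name__ == "__main__":
    for pkt, reason in audit_icmp(SAMPLE, "10.0.0.0/24"):
        print(f"{pkt.ts:>4} {pkt.src:>14} -> {pkt.dst}: {reason}")
```

The third sample packet shows why a healthy network can still raise the alert: the reply is genuine, but the request never crossed this observation point.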
Ron Bombard
Frequent Advisor

Re: Unsolicited Echo Reply

I don't have any PCs with multiple NICs, except for one Linux server that's used for an internet proxy and firewall.

As for my switches and firmware: This is happening on multiple switches. They are all HP Procurve switches with the latest firmware (as of last week).

I'll turn off that ICMP at the firewall and see what happens.

Thanks for the suggestions!
Meddle not in the affairs of dragons... for you are crunchy and taste like chicken.