#1
10-11-2005, 05:39 AM
Scott Holmes
ICMP Type 8 Echo Request packet security concerns

Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?

For some reason, I periodically get weird Internet Control Message Protocol
(ICMP) Type 8 requests on WinXP such as:

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
Do you want to allow this program to access the network?

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to
[202.232.221.175].
Do you want to allow this program to access the network?

I have no idea what these requests are for.

When I do a reverse DNS lookup at http://www.zoneedit.com/lookup.html
I find these IP addresses are not registered. Weird. Then why are they
sending me ICMP Type 8 (whatever that is) requests?

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I looked up RFC 792 which describes ICMP, but I did not understand it as I
am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
know is this thing called ICMP has a code field and a type field. A type 8
is an "Echo". I have a D-Link wireless router so I wonder why it didn't
stop this ping of death from reaching my 192.168.0.1 machine.

One of the articles I looked up suggested "netstat -an" but that didn't
show anything listening on that IP address.

What is an ICMP Type 8 echo request?
Whom do these IP addresses belong to?
Should I allow these ICMP Type 8 echo requests or should I deny them?

#2
10-11-2005, 06:15 AM
Walter Roberson
Re: ICMP Type 8 Echo Request packet security concerns

In article <pokecae7etnd.qyxawhntahow$.dlg@40tude.net>,
Scott Holmes <sholmes@nntp_texas.ti.com> wrote:
>NT Kernel System (ntoskrnl.exe)
>is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].


>[202.232.221.175].


>When I do a reverse dns look up at http://www.zoneedit.com/lookup.html
>I find these IP addresses are not registered.


202.232.221.175 is registered to Toshiba.

202.232.13.185 is registered to IIJ Internet, which happens to
be the ISP providing DNS service for the Toshiba block immediately
above.

Do you have some Toshiba related equipment? Possibly including
some software that might be periodically checking for updated
drivers or updated software utilities?
--
Programming is what happens while you're busy making other plans.

#3
10-11-2005, 06:42 AM
Roger Abell [MVP]
Re: ICMP Type 8 Echo Request packet security concerns

Keep in mind that a number of firewall products only report the
last process in the chain that causes the communication attempt.
That this is part of the OS is because that is the "owner" of the
hardware, in this case the networking interfaces. This superficial
reporting by these products does not help one understand that it
is something running that has asked the OS to do this, very often
third-party software.


"Scott Holmes" <sholmes@nntp_texas.ti.com> wrote in message
news:pokecae7etnd.qyxawhntahow$.dlg@40tude.net...
> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?
>
> For some reason, I periodically get weird Internet Control Message
> Protocol
> (ICMP) Type 8 requests on WinXP such as:
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.13.185].
> Do you want to allow this program to access the network?
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
>
> I have no idea what these requests are for.
>
> When I do a reverse DNS lookup at http://www.zoneedit.com/lookup.html
> I find these IP addresses are not registered. Weird. Then why are they
> sending me ICMP Type 8 (whatever that is) requests?
>
> OrgName: Asia Pacific Network Information Centre
> OrgID: APNIC
> Address: PO Box 2131
> City: Milton
> StateProv: QLD
> PostalCode: 4064
> Country: AU
>
> I looked up RFC 792 which describes ICMP, but I did not understand it as I
> am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
> know is this thing called ICMP has a code field and a type field. A type 8
> is an "Echo". I have a D-Link wireless router so I wonder why it didn't
> stop this ping of death from reaching my 192.168.0.1 machine.
>
> One of the articles I looked up suggested "netstat -an" but that didn't
> show anything listening on that IP address.
>
> What is an ICMP Type 8 echo request?
> Whom do these IP addresses belong to?
> Should I allow these ICMP Type 8 echo requests or should I deny them?




#4
10-11-2005, 08:56 AM
Volker Birk
Re: ICMP Type 8 Echo Request packet security concerns

In comp.security.firewalls Scott Holmes <sholmes@nntp_texas.ti.com> wrote:
> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?
> For some reason, I periodically get weird Internet Control Message Protocol
> (ICMP) Type 8 requests on WinXP such as:
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
> Do you want to allow this program to access the network?
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
> I have no idea what these requests are for.


Why do you run software that asks you questions you don't understand?
This does not make you more secure in any way.

> What is an ICMP Type 8 echo request?


See RFC 792. It's for network testing.

> Whom do these IP addresses belong to?


Both belong to Internet Initiative Japan Inc.

> Should I allow these ICMP Type 8 echo requests or should I deny them?


You could allow them. You could deny them. But why are you sending them?

F'up2csf, where it is on-topic.

Yours,
VB.
--
"I am a free man and will now make use of my civil liberties - and
extensively so - of course only within the framework that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "super-minister"

#5
10-12-2005, 12:28 AM
Imhotep
Re: ICMP Type 8 Echo Request packet security concerns

Scott Holmes wrote:

> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?
>
> For some reason, I periodically get weird Internet Control Message
> Protocol (ICMP) Type 8 requests on WinXP such as:
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.13.185]. Do you want to allow this program to access the network?
>
> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
>
> I have no idea what these requests are for.
>
> When I do a reverse DNS lookup at http://www.zoneedit.com/lookup.html
> I find these IP addresses are not registered. Weird. Then why are they
> sending me ICMP Type 8 (whatever that is) requests?
>
> OrgName: Asia Pacific Network Information Centre
> OrgID: APNIC
> Address: PO Box 2131
> City: Milton
> StateProv: QLD
> PostalCode: 4064
> Country: AU
>
> I looked up RFC 792 which describes ICMP, but I did not understand it as I
> am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
> know is this thing called ICMP has a code field and a type field. A type 8
> is an "Echo". I have a D-Link wireless router so I wonder why it didn't
> stop this ping of death from reaching my 192.168.0.1 machine.
>
> One of the articles I looked up suggested "netstat -an" but that didn't
> show anything listening on that IP address.
>
> What is an ICMP Type 8 echo request?
> Whom do these IP addresses belong to?
> Should I allow these ICMP Type 8 echo requests or should I deny them?



ICMP echo type 8 is "ping", or more technically speaking it is the first part
of a "ping", i.e. the ICMP echo request; the PC being pinged sends an ICMP
echo reply.

The IP address goes back to Japan. It sounds like you have some kind of
"dial home" software or worse.....

Good luck,
Imhotep

#6
10-12-2005, 03:04 PM
jameshanley39@yahoo.co.uk
Re: ICMP Type 8 Echo Request packet security concerns


Scott Holmes wrote:
> Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?



Yes, it's fine, there's no risk. There might be a risk to them if you
were trying to attack them! But there isn't much you can do with ping
alone.

Open a command prompt and type
C:\WINDOWS> ping www.google.com <ENTER>

Now you'll be sending ICMP messages to www.google.com, and those
messages will have been generated by the ping program.



> For some reason, I periodically get weird Internet Control Message Protocol
> (ICMP) Type 8 requests on WinXP such as:


You'll get lots and lots of different outgoing things: ICMP
messages (like you described), and outgoing TCP connections (e.g.
connecting to a computer at port 80).

For ICMP you needn't worry. They carry no data, only codes.
Mostly you needn't worry. If a process is sending packets or messages
out, then you see if it's a Windows process, in which case it's
probably fine - unless it has been compromised. And if it's not a
Windows process and it bothers you, then google and I'm sure you'll
find out soon enough if it's spyware sending harmless advertising data
out.

Either way, it's no big deal. If your computer is slowing down then
you have spyware. Outgoing connections that your firewall warns you
about are - at worst - spyware. But most of the outgoing traffic is
legitimate. Hence you should allow Windows processes and your browser
and other trusted programs to send whatever they want outwards.

> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
> Do you want to allow this program to access the network?


a) a Windows process - so you should really trust it unless you have
reason not to, i.e. unless you think it has been compromised
b) it's sending something outwards, not even any personal data in an
ICMP.

It's just a message to test if a remote computer on the internet is up
and running.

> NT Kernel System (ntoskrnl.exe)
> is trying to send an ICMP Type 8 (Echo Request) packet to
> [202.232.221.175].
> Do you want to allow this program to access the network?
>
> I have no idea what these requests are for.


so you should google around and as soon as you don't see "SPYWARE
SPYWARE" all over the place in the results, you assume it's fine.


<snip>
> One of the articles I looked up suggested "netstat -an" but that didn't
> show anything listening of that IP address.


that only applies to UDP and TCP. They show servers listening.

ICMP works at a lower level. It isn't displayed by netstat, doesn't use
ports, doesn't use listening servers


> What is an ICMP Type 8 echo request?


a message intended to reach a host and requesting that the host reply
to say it is online

it's a free country. you can send ICMP messages yourself. ping command.

> Whom do these IP addresses belong to?


somebody posted toshiba and an isp or something, so maybe you did the
lookup wrong.

> Should I allow these ICMP Type 8 echo requests or should I deny them?


allow. Otherwise the legitimate trusted processes trying to send them
will not know what's going on, and may not continue to do what they
were intended to do, and what they were intended to do is most probably
for your benefit.


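Posts #5 and #6 describe the echo request/reply exchange behind "ping" and note that ICMP has no ports for netstat to show. The following is an added example, not code from anyone in this thread, that builds a Type 8 Echo Request the way RFC 792 lays it out (type, code, checksum, identifier, sequence, data), computes the RFC 1071 checksum, parses a message back, and produces the Type 0 Echo Reply a pinged host would answer with. The type-name table is a hand-picked subset of the IANA icmp-parameters registry; the sample identifier, sequence number and payload are constructed for the demonstration.

```python
import struct

# Selected ICMP message types, as listed in the IANA icmp-parameters registry
# (http://www.iana.org/assignments/icmp-parameters) and RFC 792.
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    8: "Echo Request",
    11: "Time Exceeded",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 / RFC 1071 checksum: one's-complement sum of 16-bit words,
    then the one's complement of that sum. Odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, identifier: int, sequence: int,
               payload: bytes = b"") -> bytes:
    """Build an Echo Request (type 8) or Echo Reply (type 0).

    Layout (RFC 792): type(1) code(1) checksum(2) identifier(2) sequence(2) data.
    Code is always 0 for echo messages. There is no port field anywhere:
    the identifier/sequence pair is what lets a pinger match replies to its
    requests, which is why netstat, which lists TCP/UDP ports, never shows ICMP.
    """
    if icmp_type not in (0, 8):
        raise ValueError("echo messages are type 8 (request) or 0 (reply)")
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + payload


def parse_icmp(message: bytes) -> dict:
    """Decode the common 8-byte ICMP header and verify the checksum.

    Recomputing the checksum over the whole message, checksum field included,
    yields 0 when the message is intact."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, identifier, sequence = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
        "code": code,
        "checksum": csum,
        "checksum_ok": icmp_checksum(message) == 0,
        "identifier": identifier,
        "sequence": sequence,
        "payload": message[8:],
    }


def echo_reply_for(request: bytes) -> bytes:
    """What the pinged host does: answer a valid Echo Request with an Echo
    Reply carrying the same identifier, sequence number and payload."""
    info = parse_icmp(request)
    if info["type"] != 8 or info["code"] != 0:
        raise ValueError("not an Echo Request")
    if not info["checksum_ok"]:
        raise ValueError("bad checksum; a host silently drops such a request")
    return build_echo(0, info["identifier"], info["sequence"], info["payload"])


if __name__ == "__main__":
    # Constructed sample: one request/reply exchange, the way "ping" does it.
    request = build_echo(8, identifier=0x1234, sequence=1, payload=b"abcdefgh")
    reply = echo_reply_for(request)
    for label, msg in (("request", request), ("reply", reply)):
        info = parse_icmp(msg)
        print("%-7s type=%d (%s) id=0x%04x seq=%d checksum_ok=%s" % (
            label, info["type"], info["type_name"], info["identifier"],
            info["sequence"], info["checksum_ok"]))
```

Running the script prints the decoded request and the matching reply. Sending these bytes on a real network needs a raw socket (and administrator rights on Windows), which is exactly why a personal firewall attributes the outbound packet to the kernel rather than to the program that asked for the ping, as post #3 points out.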
#7
10-14-2005, 02:15 PM
jameshanley39@yahoo.co.uk
Re: ICMP Type 8 Echo Request packet security concerns


jameshanley39@yahoo.co.uk wrote:
> Scott Holmes wrote:
> > Should I allow my WinXP Sygate Firwall to allow ICMP Type 8 echo requests?

>
>

<snip>

And really, as people have said before, you shouldn't block outgoing.
You would only monitor outgoing if you are technically interested, but
even then, it's a nuisance to have popups hassling you while you're
trying to use your computer. There'll be loads of outgoing messages
coming up; you don't want popups interrupting you all the time. Just
allow the process NTKernel.exe or whatever it is called, so it won't
ask you next time.

The windows firewall is ok too. I particularly like Sygate's port
logger, but Sygate has a few security issues mentioned in prev threads.
And of course the windows firewall is going to be a bit of a target.
But I think either of them are fine as a PFW - i.e. for those that use
PFWs. IF you want more security you probably have to go more technical
(linux firewall) or more expensive(checkpoint or watchguard firewall).
If it's any consolation, I am stuck with a PFW.


#8
10-14-2005, 02:18 PM
jameshanley39@yahoo.co.uk
Re: ICMP Type 8 Echo Request packet security concerns


Roger Abell [MVP] wrote:
> Keep in mind that a number of firewall products only report the
> last process in the chain that causes the communication attempt.
> That this is part of the OS is because that is the "owner" of the
> hardware, in this case the networking interfaces. This superficial
> reporting by these products does not help one understand that it
> is something running that has asked the OS to do this, very often
> third-party software.
>


what would show the full chain? something like sysinternals 'process
explorer'? or any particular software firewall?

