ICMP Outgoing Traffic At CentOS 6.7


Hi,

For the last few days I have been seeing unexpectedly huge ICMP traffic going out from the server.

I have blocked icmp ports in iptables, and if I execute ping manually it is blocked.

Some process is sending this huge traffic. Below is the tcpdump output.

===============================
16:23:27.817856 IP (tos 0xc0, ttl 64, id 55278, offset 0, flags [none], proto ICMP (1), length 104)
    example.com > ***.***.***.***: ICMP host example.com unreachable - admin prohibited, length 84
    IP (tos 0x0, ttl 56, id 52085, offset 0, flags [DF], proto TCP (6), length 76)
    ***.***.***.***.5189 > example.com.https: Flags [P.], cksum 0xa427 (correct), seq 2571871600:2571871636, ack 1159342022, win 65535, length 36
===============================

How can this be controlled?

Thanks,

Shital

6 thoughts on - ICMP Outgoing Traffic At CentOS 6.7

  • Well, based on your tcpdump output, it looks like your rules were rejecting unrelated packets, or tcp/443 packets. It’s hard to be sure since the ICMP was the first packet, so you didn’t show the packet it was actually replying to.

    The ICMP traffic is a result of rejecting rather than dropping that traffic. That is, I think you’re looking at the problem wrong. The ICMP traffic is simply the result of a choice you made. Are you dropping type 3 in the output chain?

  • Yes, now I am dropping packets in the OUTPUT chain for type 3. Initially, I implemented the chain to drop types 0 and 8. But it didn't work, and the packets were hitting the firewall for multiple ICMP requests. I didn't understand the problem. After posting here I went through all the ICMP types, where I understood to drop packets for "Host unreachability". Thanks for your help, Mr. Gordon

  • I assume you also have rules in the INPUT chain, and one of them reads something like this:

    -A INPUT -j REJECT --reject-with icmp-host-prohibited

    When traffic matches this rule your server will respond with an ICMP request. It sounds like you have now added a rule blocking your server from sending these responses. You should investigate what is matching the INPUT rule, as it could be malicious activity that should be blocked further upstream from you (e.g. at the perimeter firewall), and if you wish to stop your server sending these responses you should change the rule to DROP instead of REJECT.

    Tris

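Both replies above make the same point: the outgoing ICMP is the server answering packets that hit a REJECT rule, and the first thing to do is find out what those packets are. As an added example that is not part of this thread, the following Python script parses `tcpdump -v` output of the kind Shital posted. Each outgoing `ICMP host ... unreachable - admin prohibited` message (the type 3 / code 10 error that `--reject-with icmp-host-prohibited` produces) carries the header of the packet it was answering, which tcpdump prints as an indented inner record, so the script extracts that inner packet and tallies rejected attempts by remote source and by the local service they were aimed at. The embedded capture is constructed for the example (RFC 5737 documentation addresses, placeholder host srv.example.com), not taken from the original post.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -v` output (not the capture from the original post).
# Hosts use RFC 5737 documentation addresses and the placeholder name srv.example.com.
SAMPLE_DUMP = """\
16:23:27.817856 IP (tos 0xc0, ttl 64, id 55278, offset 0, flags [none], proto ICMP (1), length 104)
    srv.example.com > 203.0.113.7: ICMP host srv.example.com unreachable - admin prohibited, length 84
    IP (tos 0x0, ttl 56, id 52085, offset 0, flags [DF], proto TCP (6), length 76)
    203.0.113.7.5189 > srv.example.com.https: Flags [P.], cksum 0xa427 (correct), seq 2571871600:2571871636, ack 1159342022, win 65535, length 36
16:23:28.104211 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    srv.example.com.ssh > 192.0.2.10.40122: Flags [.], cksum 0x0000 (correct), ack 1, win 227, length 0
16:23:29.002345 IP (tos 0xc0, ttl 64, id 55279, offset 0, flags [none], proto ICMP (1), length 88)
    srv.example.com > 198.51.100.9: ICMP host srv.example.com unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 48, id 7, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.9.51234 > srv.example.com.ssh: Flags [S], cksum 0x1234 (correct), seq 1, win 29200, length 0
16:23:30.500000 IP (tos 0xc0, ttl 64, id 55280, offset 0, flags [none], proto ICMP (1), length 104)
    srv.example.com > 203.0.113.7: ICMP host srv.example.com unreachable - admin prohibited, length 84
    IP (tos 0x0, ttl 56, id 52090, offset 0, flags [DF], proto TCP (6), length 76)
    203.0.113.7.5190 > srv.example.com.https: Flags [P.], cksum 0xa428 (correct), seq 1:37, ack 1, win 65535, length 36
"""

# A new tcpdump record starts with a timestamp at column 0; continuation lines are indented.
RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# The ICMP error that `-j REJECT --reject-with icmp-host-prohibited` emits (type 3, code 10).
ADMIN_PROHIBITED = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): ICMP host \S+ unreachable - admin prohibited")
# Any "endpoint > endpoint:" line, used to pick out the quoted original packet.
FLOW = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+?):")


def split_records(text):
    """Group tcpdump lines into per-packet records."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                records.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append(current)
    return records


def split_endpoint(endpoint):
    """'203.0.113.7.5189' -> ('203.0.113.7', '5189'); the port/service is the last dotted part."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_rejections(text):
    """Return one dict per outgoing admin-prohibited ICMP, with the packet it was answering."""
    found = []
    for rec in split_records(text):
        for i, line in enumerate(rec):
            icmp = ADMIN_PROHIBITED.match(line)
            if not icmp:
                continue
            # The ICMP payload quotes the rejected packet's IP header and the start of its
            # transport header; tcpdump -v prints it as an indented inner record after the ICMP line.
            for inner in rec[i + 1:]:
                flow = FLOW.match(inner)
                if flow:
                    src, sport = split_endpoint(flow["src"])
                    dst, dport = split_endpoint(flow["dst"])
                    found.append({
                        "time": rec[0].split()[0],
                        "icmp_to": icmp["dst"],
                        "orig_src": src, "orig_src_port": sport,
                        "orig_dst": dst, "orig_dst_port": dport,
                    })
                    break
            break
    return found


def summarize(rejections):
    """Tally rejected packets by remote source and by the local service they were aimed at."""
    by_source = Counter(r["orig_src"] for r in rejections)
    by_service = Counter(r["orig_dst_port"] for r in rejections)
    return by_source, by_service


if __name__ == "__main__":
    hits = parse_rejections(SAMPLE_DUMP)
    by_source, by_service = summarize(hits)
    print(f"{len(hits)} admin-prohibited ICMP messages sent")
    for src, n in by_source.most_common():
        print(f"  answering rejected peer {src}: {n}")
    for svc, n in by_service.most_common():
        print(f"  aimed at local service {svc}: {n}")
```

Run against a real capture with `tcpdump -v -n icmp` piped into a file and the tallies show which peers and which local ports are feeding the REJECT rule. Once that is known, changing the INPUT rule from `-j REJECT --reject-with icmp-host-prohibited` to `-j DROP` stops the ICMP replies at the source, which is what both replies recommend over filtering the replies afterwards in the OUTPUT chain.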

  • That’s what it sounded like, but I didn’t want to assume that because it’s absolutely insane. If you don’t want to send ICMP traffic, then drop incoming traffic that you don’t want instead of rejecting it.