
Tonnes of Incoming ICMP bypassing Router and hitting my Lan


dugaduga

Senior Member
Win 10 X64. I notice this particularly when using bittorrent. Why is the router letting this through? Oddly, for a while I noticed my PC was responding to these pings for 10 minutes after shutting down bittorrent. In Windows 7 everything shut up after closing bittorrent. A reboot of the router stopped it. Block (ALL) incoming was enabled in group policy, "no ICMP exceptions" enabled in group policy. Added an extra block incoming (all) firewall rule to block everything just for extra measure... and yet this was all happening. After a reboot my firewall started dropping them again.

I was also seeing a lot of ICMP incoming from my WAN IP to my subnet IP. Perhaps packets that were generated to look like my WAN IP anyway; given anything could get through, it could be foreign too. There were incoming WAN to subnet IP ICMP + UDP 8999 bittorrent packets.

@RMerlin is this normal AsusWRT-Merlin behavior? "Respond ICMP Echo (ping) Request from WAN" is disabled on the router, is it supposed to silently allow those packets through?

I've also got a machine ARPing to 127.0.0.0 on the LAN that XArp is flagging.

Using 384.10_BcraFFY-test2-geb1052481b
 
Technically impossible, since ICMP is not NATed. Any ICMP sent at the router's IP ends at the router.

The WAN parameter only determines if the router responds to pings or not. Those pings do not travel through the LAN, they are aimed at the router's WAN interface.
 
In order for torrent to work it has to be able to go through the firewall. Do you see any remote connections which are established by a peer to your client, instead of by you?
 
Yes @Hawk, it's a combination of everything, including packets that look like my WAN IP sending UDP 8999 & ICMP back to my own subnet.

So @RMerlin you are saying this is technically impossible? (Previously they were reachable and constantly responding back long after closing bittorrent, even though ICMP was ALSO blocked by Group Policy/Windows Firewall.) Windows 7 never had this issue, ever; the parasites never got near my PC in 8 months. Windows 10 is horrendous; they were in my shadow SSDT within no time.

BT-ICMP.png
 
So then these have been NATed on my router somehow? How do I determine the settings on the router which could be causing these "technically impossible" incoming ICMP packets to bypass AsusWRT's alleged protections and leak into the internal lan?
 
Just a guess, do you have UPnP activated on the router?
 
No UPnP/Samba/iTunes/FTP/AVAHI or server of any kind, no SSH from WAN. I did receive incoming attacks from asus.com recently, to internal LAN devices. Anything out of the ordinary below?

Code:
@RT-AC66U_B1-8B00:/tmp/var/run# ls
amas_lib.pid          disk_monitor.pid  infosvr.pid    lldpd.pid       nt_actMail_socket  protect_srv.pid     usbled.pid
bwdpi_check.pid       dnsmasq.pid       klogd.pid      lldpd.socket    nt_center.pid      protect_srv_socket  wanduck.pid
bwdpi_wred_alive.pid  dropbear.pid      lld2c-br0.pid  lpdparent.pid   nt_center_socket   syslogd.pid         watchdog.pid
cfg_server.pid        httpd-443.pid     lld2d-br0.pid  networkmap.pid  nt_monitor.pid     u2ec.pid            wpsaide.pid
crond.pid             httpd.pid         lldpd          nt_actMail.pid  ntp.pid            udhcpc0.pid

Code:
@RT-AC66U_B1-8B00:/tmp/home/root# ps
  PID USER       VSZ STAT COMMAND
    1 asus2111  7748 S    /sbin/preinit
    2 asus2111     0 SW   [kthreadd]
    3 asus2111     0 SW   [ksoftirqd/0]
    4 asus2111     0 SW   [kworker/0:0]
    5 asus2111     0 SW   [kworker/u:0]
    6 asus2111     0 SW   [migration/0]
    7 asus2111     0 SW   [migration/1]
    8 asus2111     0 SW   [kworker/1:0]
    9 asus2111     0 SW   [ksoftirqd/1]
   10 asus2111     0 SW<  [khelper]
   11 asus2111     0 SW   [sync_supers]
   12 asus2111     0 SW   [bdi-default]
   13 asus2111     0 SW<  [kblockd]
   14 asus2111     0 SW   [kswapd0]
   15 asus2111     0 SW   [fsnotify_mark]
   16 asus2111     0 SW<  [crypto]
   24 asus2111     0 SW   [mtdblock0]
   25 asus2111     0 SW   [mtdblock1]
   26 asus2111     0 SW   [mtdblock2]
   27 asus2111     0 SW   [mtdblock3]
   28 asus2111     0 SW   [kworker/u:1]
   35 asus2111     0 SW   [kworker/0:1]
   36 asus2111     0 SW   [kworker/1:1]
   37 asus2111     0 SW   [mtdblock4]
   38 asus2111     0 SW   [mtdblock5]
   40 asus2111   664 S    hotplug2 --persistent --no-coldplug
   91 asus2111  7736 S    console
   97 asus2111     0 SWN  [jffs2_gcd_mtd4]
  121 asus2111  1428 S    {manager} /bin/sh /jffs/dnscrypt/manager monitor-sta
  127 asus2111  784m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/
  194 asus2111  7744 S    /sbin/wanduck
  204 asus2111  5064 S    nt_monitor
  205 asus2111  2068 S    protect_srv
  215 asus2111  2068 S    protect_srv
  216 asus2111  2068 S    protect_srv
  220 asus2111  5064 S    nt_monitor
  221 asus2111  5064 S    nt_monitor
  224 asus2111  5204 S    nt_center
  228 asus2111  5204 S    nt_center
  229 asus2111  5204 S    nt_center
  230 asus2111  1268 S    /bin/eapd
  232 asus2111  7740 S    wpsaide
  233 asus2111  2140 S    /usr/sbin/wlc_nt
  236 asus2111  1752 S    nas
  243 asus2111  2260 S    /usr/sbin/wlceventd
  244 asus2111  5064 S    nt_monitor
  246 asus2111  1672 S    nt_actMail
  249 asus2111  1672 S    nt_actMail
  250 asus2111  1672 S    nt_actMail
  263 asus2111  1408 S    /usr/sbin/acsd
  330 asus2111  1436 S    crond -l 9
  331 asus2111  9912 S    httpds -s -i br0
  332 asus2111  7640 S    httpd -i br0
  333 asus2111  1240 S    /usr/sbin/infosvr br0
  335 asus2111  1256 S    sysstate
  336 asus2111  7740 S    watchdog
  341 asus2111  2824 S    rstats
  353 asus2111  1280 S    lld2d br0
  355 asus2111  6196 S    networkmap --bootwait
  357 asus2111  7740 S    bwdpi_check
  407 asus2111  1492 S    lldpd -L /usr/sbin/lldpcli -I vlan1,eth1,eth2,wds0.*
  411 nobody    1464 S    lldpd -L /usr/sbin/lldpcli -I vlan1,eth1,eth2,wds0.*
  415 asus2111  3828 S    cfg_server
  436 asus2111  7764 S    amas_lib
  469 asus2111  3828 S    cfg_server
  472 asus2111  3828 S    cfg_server
  483 asus2111     0 SW   [khubd]
  577 asus2111  7740 S    ntp
  593 asus2111     0 SW   [scsi_eh_0]
  596 asus2111     0 SW   [usb-storage]
  661 asus2111  7740 S    usbled
  662 asus2111  2436 S    u2ec
  663 asus2111  1312 S    lpd br0
  674 asus2111  2436 S    u2ec
  675 asus2111  2436 S    u2ec
  755 asus2111  7740 S    disk_monitor
  781 asus2111     0 SW   [flush-8:0]
  814 nobody    6420 S    pixelserv-tls 192.168.50.2 -l 2
 1649 asus2111  2956 S    wred -B
 1650 asus2111  2956 S    wred -B
 1651 asus2111  2956 S    wred -B
 1741 asus2111  7740 S    bwdpi_wred_alive
 1774 asus2111  2956 S    wred -B
 1776 asus2111  2956 S    wred -B
 1777 asus2111  2956 S    wred -B
 1778 asus2111  2956 S    wred -B
 1779 asus2111  2956 S    wred -B
 1780 asus2111  2956 S    wred -B
 1781 asus2111  2956 S    wred -B
 1782 asus2111  2956 S    wred -B
 1872 asus2111  7764 S    amas_lib
 1886 asus2111  1428 S    /sbin/udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp
 5585 asus2111     0 SW   [flush-mtd-unmap]
 6140 asus2111  1412 S    /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 7
 6149 asus2111  1416 S    /sbin/klogd -c 5
 6155 asus2111  1148 S    dropbear -p 192.168.50.1:22 -s -j -k
 7518 asus2111  1176 S    dropbear -p 192.168.50.1:22 -s -j -k
 7823 asus2111  1424 S    -sh
 8176 nobody   44900 S    dnsmasq --log-async
 8177 asus2111  1256 S    dnsmasq --log-async
 8931 asus2111  1408 S    sleep 10
 8932 asus2111  1176 R    dropbear -p 192.168.50.1:22 -s -j -k
 8933 asus2111  1428 S    -sh
 8940 asus2111  7764 S    amas_lib
 8941 asus2111  1416 R    ps

Code:
@RT-AC66U_B1-8B00:/tmp/home/root# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 12699 packets, 1175K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3009  202K VSERVER    all  --  *      *       0.0.0.0/0            **.**.168.**(wan IP)
  967 62059 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.50.1
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.50.1

Chain INPUT (policy ACCEPT 1988 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 771 packets, 182K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 770 packets, 182K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9231 1109K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 8889  930K MASQUERADE  all  --  *      eth0   !**.**.168.**(wan IP) 0.0.0.0/0
    1   328 MASQUERADE  all  --  *      br0     192.168.50.0/24      192.168.50.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3009  202K VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

I see VUPNP & VSERVER there, is that safe? The router is the only device on the network currently acting strange; it was persisting in these activities after rebooting, and it then locked me out for a while, giving "permission denied" via PuTTY and the TLS browser connection (I am using the latest 384.10 test 2). I'm still receiving incoming ICMP.
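One way to answer the VSERVER/VUPNP question from the listing itself, as an added example (my code, not part of the thread and not AsusWRT-Merlin's own tooling): parse the standard `iptables -t nat -L -n -v` layout and walk every chain a packet arriving on the WAN interface can reach from PREROUTING, reporting any DNAT (port forward) rule on the way. The sample input is a trimmed copy of the output posted above, with the masked WAN address replaced by the documentation address 203.0.113.10 and the WAN interface name `eth0` taken from the POSTROUTING rules.

```python
"""Parse `iptables -t nat -L -n -v` output and report which DNAT (port forward)
rules a packet arriving on the WAN interface can reach from PREROUTING.
Added example; the sample listing is a trimmed copy of the output posted in
this thread with the masked WAN address replaced by 203.0.113.10."""
import re

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 12699 packets, 1175K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3009  202K VSERVER    all  --  *      *       0.0.0.0/0            203.0.113.10
  967 62059 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.50.1
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.50.1

Chain INPUT (policy ACCEPT 1988 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 770 packets, 182K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9231 1109K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 8889  930K MASQUERADE  all  --  *      eth0   !203.0.113.10         0.0.0.0/0

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3009  202K VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_nat_table(text):
    """Return {chain_name: [rule, ...]} with the fixed -L -n -v columns split out."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue
        f = line.split()
        # pkts bytes target prot opt in out source destination [match/target options]
        chains[current].append({"pkts": int(f[0]), "target": f[2], "prot": f[3],
                                "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
                                "extra": " ".join(f[9:])})
    return chains


def rule_counts(chains):
    """Number of rules in each chain; an empty user chain holds no forwards."""
    return {name: len(rules) for name, rules in chains.items()}


def wan_reachable_dnat(chains, wan_if="eth0"):
    """Follow jumps from PREROUTING into user chains and collect DNAT rules that a
    packet entering on the WAN interface could match (rules pinned to another
    input interface, e.g. br0, cannot match WAN traffic and are skipped)."""
    found, visited = [], set()

    def walk(chain):
        if chain in visited or chain not in chains:
            return
        visited.add(chain)
        for rule in chains[chain]:
            if rule["in"] not in ("*", wan_if):
                continue
            if rule["target"] == "DNAT":
                found.append((chain, rule["prot"], rule["extra"]))
            elif rule["target"] in chains:        # jump to a user-defined chain
                walk(rule["target"])

    walk("PREROUTING")
    return found


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE)
    print(rule_counts(table))
    print("WAN-reachable DNAT rules:", wan_reachable_dnat(table) or "none")
```

On the posted table the walk goes PREROUTING to VSERVER to VUPNP and ends in an empty chain, so there is no WAN-reachable port forward; the only DNAT rules are the br0-only DNS redirects to the router itself, which WAN packets cannot hit. Feeding the parser the live `iptables -t nat -L -n -v` output instead of the sample gives the same report for the current rule set.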
 
Have you attempted a factory reset at all to see if that helps?
 
I will consider doing this. After changing the password everything seems to be functioning fine so far; I don't see anything malicious going on anymore, and these packets don't seem to be dangerous. I like to dig around a bit to see what may have been done.
 
I'm terribly sorry to hear that; if only I lived nearby I'd do it for you if you wanted me to.
 
<sigh>

Merlin's answer was in response to your question about the "Respond ICMP Echo (ping) Request from WAN" option.

Your Wireshark log isn't showing "ping" responses, it's showing "Destination port unreachable" messages. These are standard routing messages generated in response to packets you sent out. In your case it means that the IPs in question had advertised themselves as BitTorrent sources but could not be connected to when your BitTorrent client tried to do so. So nothing unusual.
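To show in code the distinction Colin draws here, and the point made earlier that the WAN ping option only concerns echo requests aimed at the router, here is an added example (mine, not from the thread) that builds two constructed ICMP packets, a Destination Unreachable / Port Unreachable error (type 3, code 3) and an Echo Request (type 8), and classifies them by type and code. For the error it also decodes the quoted original datagram that every ICMP error carries (the original IP header plus the first 8 bytes of the transport header) and checks it against a table of flows the LAN host opened itself, which is the same association a stateful firewall makes before passing such an error through as related to an existing connection. Addresses, ports and the flow table are constructed: 192.168.50.2 and UDP 8999 follow the thread, 198.51.100.7 is a documentation address standing in for a BitTorrent peer.

```python
"""Classify inbound ICMP and tie ICMP errors back to the outbound flow that
caused them. Added example; packets, addresses, ports and the flow table are
constructed for illustration."""
import struct
import ipaddress

ICMP_NAMES = {0: "echo reply (ping response)", 3: "destination unreachable",
              5: "redirect", 8: "echo request (ping)", 11: "time exceeded"}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "fragmentation needed", 13: "administratively prohibited"}


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type, code, rest, payload):
    """ICMP header (type, code, checksum, 4-byte rest-of-header) plus payload."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def build_port_unreachable(sender, receiver, orig_src, orig_sport, orig_dst, orig_dport):
    """ICMP type 3 code 3 from `sender`, quoting the UDP datagram `receiver` sent
    (original IP header + first 8 bytes of the UDP header, as RFC 792 requires)."""
    quoted = (ipv4_header(orig_src, orig_dst, 17, 8 + 40)
              + struct.pack("!HHHH", orig_sport, orig_dport, 8 + 40, 0))
    icmp = icmp_message(3, 3, b"\x00" * 4, quoted)
    return ipv4_header(sender, receiver, 1, len(icmp)) + icmp


def build_echo(src, dst, request=True, ident=1, seq=1):
    """ICMP echo request (type 8) or echo reply (type 0)."""
    icmp = icmp_message(8 if request else 0, 0, struct.pack("!HH", ident, seq), b"abcdefgh")
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def parse_ipv4(pkt):
    """Decode the fields we need; the payload is truncated to what is present."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}


def classify_icmp(pkt, outbound_flows):
    """Return the ICMP type/code name and, for error messages, the outbound flow
    (proto, src, sport, dst, dport) the quoted datagram belongs to, if known."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 1:
        return {"kind": "not ICMP"}
    icmp = ip["payload"]
    itype, code = icmp[0], icmp[1]
    result = {"type": itype, "code": code, "name": ICMP_NAMES.get(itype, "other"),
              "related_to": None}
    if itype == 3:
        result["name"] = "destination %s unreachable" % UNREACH_CODES.get(code, str(code))
    if itype in (3, 5, 11) and len(icmp) >= 28:   # errors quote the offending datagram
        inner = parse_ipv4(icmp[8:])
        if inner["proto"] in (6, 17) and len(inner["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", inner["payload"][:4])
            flow = ("tcp" if inner["proto"] == 6 else "udp",
                    inner["src"], sport, inner["dst"], dport)
            result["related_to"] = flow if flow in outbound_flows else "no matching outbound flow"
    return result


if __name__ == "__main__":
    # Constructed scenario: LAN host 192.168.50.2 sent UDP to a peer on port 8999
    flows = {("udp", "192.168.50.2", 51413, "198.51.100.7", 8999)}
    err = build_port_unreachable("198.51.100.7", "192.168.50.2",
                                 "192.168.50.2", 51413, "198.51.100.7", 8999)
    print(classify_icmp(err, flows))
    print(classify_icmp(build_echo("198.51.100.7", "192.168.50.2"), flows))
```

The port-unreachable packet resolves to the UDP flow the LAN host itself opened, which is why a stateful firewall forwards it to the host while dropping unsolicited echo requests; the echo request has no quoted datagram and no related flow, and whether the router answers it is what the "Respond ICMP Echo (ping) Request from WAN" option controls.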
 
@Vexira omg how kind & humbling you are, thank you for making my day. @ColinTaylor thank you very much Colin; I was confused for there was no differentiation between the ~10 kinds of ICMP messages. Thanks for clarifying.
 
