ICMP Type 8 Echo Request packet security concerns

Scott Holmes

Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?

For some reason, I periodically get weird Internet Control Message Protocol
(ICMP) Type 8 requests on WinXP such as:

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
Do you want to allow this program to access the network?

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to
[202.232.221.175].
Do you want to allow this program to access the network?

I have no idea what these requests are for.

When I do a reverse DNS lookup at http://www.zoneedit.com/lookup.html
I find these IP addresses are not registered. Weird. Then why are they
sending me ICMP Type 8 (whatever that is) requests?

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I looked up RFC 792 which describes ICMP, but I did not understand it as I
am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
know is this thing called ICMP has a code field and a type field. A type 8
is an "Echo". I have a D-Link wireless router so I wonder why it didn't
stop this ping of death from reaching my 192.168.0.1 machine.

One of the articles I looked up suggested "netstat -an" but that didn't
show anything listening on that IP address.

What is an ICMP Type 8 echo request?
Whom do these IP addresses belong to?
Should I allow these ICMP Type 8 echo requests or should I deny them?
 
Walter Roberson

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
[202.232.221.175].

When I do a reverse DNS lookup at http://www.zoneedit.com/lookup.html
I find these IP addresses are not registered.

202.232.221.175 is registered to Toshiba.

202.232.13.185 is registered to IIJ Internet, which happens to
be the ISP providing DNS service for the Toshiba block immediately
above.

Do you have some Toshiba related equipment? Possibly including
some software that might be periodically checking for updated
drivers or updated software utilities?
 
Roger Abell [MVP]

Keep in mind that a number of firewall products only report the
last process in the chain that causes the communication attempt.
That this is part of the OS is because that is the "owner" of the
hardware, in this case the networking interfaces. This superficial
reporting by these products does not help one understand that it
is something running that has asked the OS to do this, very often
third-party software.
 
Imhotep

Scott said:
Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?

For some reason, I periodically get weird Internet Control Message
Protocol (ICMP) Type 8 requests on WinXP such as:

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to
[202.232.13.185]. Do you want to allow this program to access the network?

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to
[202.232.221.175].
Do you want to allow this program to access the network?

I have no idea what these requests are for.

When I do a reverse DNS lookup at http://www.zoneedit.com/lookup.html
I find these IP addresses are not registered. Weird. Then why are they
sending me ICMP Type 8 (whatever that is) requests?

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I looked up RFC 792 which describes ICMP, but I did not understand it as I
am not a techie (http://www.iana.org/assignments/icmp-parameters ). All I
know is this thing called ICMP has a code field and a type field. A type 8
is an "Echo". I have a D-Link wireless router so I wonder why it didn't
stop this ping of death from reaching my 192.168.0.1 machine.

One of the articles I looked up suggested "netstat -an" but that didn't
show anything listening on that IP address.

What is an ICMP Type 8 echo request?
Whom do these IP addresses belong to?
Should I allow these ICMP Type 8 echo requests or should I deny them?


ICMP echo type 8 is "ping", or more technically speaking it is the first part
of a "ping", i.e. the ICMP echo request; the PC being pinged sends an ICMP
echo reply.

The IP address goes back to Japan. It sounds like you have some kind of
"dial home" software or worse.....

Good luck,
Imhotep
 
jameshanley39

Scott said:
Should I allow my WinXP Sygate Firewall to allow ICMP Type 8 echo requests?


Yes, it's fine, there's no risk. There might be a risk to them if you
were trying to attack them! But there isn't much you can do with ping
alone.

Open a command prompt and type
C:\WINDOWS> ping www.google.com <ENTER>

Now you'll be sending ICMP messages to www.google.com and those
messages will have been generated by the ping program.


For some reason, I periodically get weird Internet Control Message Protocol
(ICMP) Type 8 requests on WinXP such as:

You'll get lots and lots of different outgoing things: ICMP
messages (like you described), and outgoing TCP connections (e.g.
connecting to a computer at port 80).

For ICMP you needn't worry. They carry no data, only codes.
Mostly you needn't worry. If a process is sending packets or messages
out, then you see if it's a Windows process, in which case it's
probably fine - unless it has been compromised. And if it's not a
Windows process and it bothers you, then google and I'm sure you'll
find out soon enough if it's spyware sending harmless advertising data
out.

Either way, it's no big deal. If your computer is slowing down then
you have spyware. Outgoing connections that your firewall warns you
about are - at worst - spyware. But most of the outgoing traffic is
legitimate. Hence you should allow Windows processes and your browser
and other trusted programs to send whatever they want outwards.

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].
Do you want to allow this program to access the network?

a) a Windows process - so you should really trust it unless you have
reason not to, i.e. unless you think it has been compromised
b) it's sending something outwards, not even any personal data in an
ICMP.

It's just a message to test if a remote computer on the internet is up
and running.

NT Kernel System (ntoskrnl.exe)
is trying to send an ICMP Type 8 (Echo Request) packet to
[202.232.221.175].
Do you want to allow this program to access the network?

I have no idea what these requests are for.

So you should google around and as soon as you don't see "SPYWARE
SPYWARE" all over the place in the results, you assume it's fine.


One of the articles I looked up suggested "netstat -an" but that didn't
show anything listening on that IP address.

That only applies to UDP and TCP. They show servers listening.

ICMP works at a lower level. It isn't displayed by netstat, doesn't use
ports, doesn't use listening servers.

What is an ICMP Type 8 echo request?

A message intended to reach a host and requesting that the host reply
to say it is online.

It's a free country. You can send ICMP messages yourself: the ping command.

Whom do these IP addresses belong to?

Somebody posted Toshiba and an ISP or something, so maybe you did the
lookup wrong.

Should I allow these ICMP Type 8 echo requests or should I deny them?

Allow. Otherwise the legitimate trusted processes trying to send them
will not know what's going on, and may not continue to do what they
were intended to do, and what they were intended to do is most probably
for your benefit.
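Imhotep's and jameshanley39's replies describe the two halves of a ping: the Echo Request (type 8) that the firewall prompt in the thread reports, and the Echo Reply (type 0) the pinged host sends back. The Python example below is added here as an illustration and is not part of any post in the thread. It lays the message out the way RFC 792 does (type, code, checksum, identifier, sequence number, optional data), verifies the RFC 1071 checksum, and derives the reply a pinged host would answer with. Nothing is transmitted: the packets are byte strings, the function names are this example's own, and the identifier, sequence number and payload are constructed values.

```python
import struct

# ICMP message types from RFC 792 that a "ping" exchange uses.
ICMP_ECHO_REPLY = 0     # sent back by the host that was pinged
ICMP_ECHO_REQUEST = 8   # the "Type 8" the Sygate prompt in the thread reports
TYPE_NAMES = {ICMP_ECHO_REPLY: "Echo Reply", ICMP_ECHO_REQUEST: "Echo Request"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an Echo Request (type 8) or Echo Reply (type 0). Code is always 0."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; checksum_ok is True when the message verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": msg_type,
        "type_name": TYPE_NAMES.get(msg_type, "other (type %d)" % msg_type),
        "code": code,
        "checksum": csum,
        "identifier": ident,
        "sequence": seq,
        "payload": packet[8:],
        # Recomputing over the whole message, checksum field included, yields 0 when intact.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def echo_reply_for(request: bytes) -> bytes:
    """What the pinged host answers: same identifier, sequence and payload, type 0."""
    fields = parse_icmp(request)
    if fields["type"] != ICMP_ECHO_REQUEST or fields["code"] != 0:
        raise ValueError("not an Echo Request")
    if not fields["checksum_ok"]:
        raise ValueError("checksum mismatch; a real host would silently discard it")
    return build_echo(ICMP_ECHO_REPLY, fields["identifier"], fields["sequence"], fields["payload"])


def ping_exchange(ident: int, seq: int, payload: bytes) -> tuple:
    """Both halves of one ping: the request the client sends and the reply it gets."""
    request = build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)
    return request, echo_reply_for(request)


if __name__ == "__main__":
    # Constructed sample values: identifier and sequence are what a ping program would pick.
    req, rep = ping_exchange(ident=0x1234, seq=1, payload=b"abcdefghijklmnop")
    for pkt in (req, rep):
        f = parse_icmp(pkt)
        print("%-12s code=%d id=0x%04x seq=%d checksum=0x%04x ok=%s payload=%r"
              % (f["type_name"], f["code"], f["identifier"], f["sequence"],
                 f["checksum"], f["checksum_ok"], f["payload"]))
```

Reading the header layout also shows why `netstat -an` turned up nothing: there is no port field anywhere in an ICMP message, so there is no listening socket to list; the identifier and sequence number are what lets the ping program match a reply to the request it sent.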
 
jameshanley39

<snip>

And really, as people have said before, you shouldn't block outgoing.
You would only monitor outgoing if you are technically interested, but
even then, it's a nuisance to have popups hassling you while you're
trying to use your computer. There'll be loads of outgoing messages
coming up; you don't want popups interrupting you all the time. Just
allow the process NTKernel.exe or whatever it is called, so it won't
ask you next time.

The Windows firewall is OK too. I particularly like Sygate's port
logger, but Sygate has a few security issues mentioned in previous threads.
And of course the Windows firewall is going to be a bit of a target.
But I think either of them is fine as a PFW - i.e. for those that use
PFWs. If you want more security you probably have to go more technical
(Linux firewall) or more expensive (Checkpoint or WatchGuard firewall).
If it's any consolation, I am stuck with a PFW.
 
jameshanley39

Roger said:
Keep in mind that a number of firewall products only report the
last process in the chain that causes the communication attempt.
That this is part of the OS is because that is the "owner" of the
hardware, in this case the networking interfaces. This superficial
reporting by these products does not help one understand that it
is something running that has asked the OS to do this, very often
third-party software.

What would show the full chain? Something like Sysinternals' Process
Explorer? Or any particular software firewall?
 