Hi, since last week a laptop in our house has been getting an ICMP flood attack message from ESET. It comes up every few minutes, sometimes every few seconds. The IP address of the attack is our router. I have searched online and found a few other people with the same or similar problems, but not really found any solution.

Not really sure what to do to get rid of these messages and how big the problem is?

I have run ESET scans and found no threats. I have also run an ESET scan on our router and again no threats found.

These problems seemed to start after updating ESET via product update. I should also mention that the laptop is running Windows 10.

I am quite anxious that someone is trying to attack the laptop or attack our network and router.

Thanks

Edited by tennisfan7000

14 minutes ago, Marcos said:

You can exclude your router's IP address from ICMP flood attack detection.

Thanks for the reply. That's good to know, how can I get the threat message to stop showing up?


I too am having this issue since I upgraded the ESET software (Marcos, I PM'd you about it). There do not seem to be any actionable details associated with this warning. What tools are available to interrogate my LAN? The ESET check network function reports back nothing being out of sorts.


You can add an IDS exception as per https://help.eset.com/ess/10/en-US/index.html?idh_dialog_epfw_ids_exception.htm or, to make life easier - "You can add IDS exceptions from the notification window when attack is detected by clicking on link More info / Create exception."
It is likely to be malformed packets from the router.


Eset has a default ICMP (i.e. ICMPv4) firewall rule that allows all incoming ICMP traffic from the Trusted Zone plus all Local Addresses. If you are using the Public firewall profile, there is no Trusted Zone by definition.

If the above stated IDS exception does not stop the flood alert, you can always create an Eset firewall rule to allow incoming ICMP echo request traffic from your router's IP address. Before you do this, you should verify with your ISP that it is the source of these incoming echo requests. Some ISPs periodically "ping" the customer's PC to validate that connectivity has been established.

Edited by itman

I have reviewed the Verizon router logs. Nothing stands out; granted, they do not provide much detailed depth.

According to the ESET logs the source is local 192.168.1.100, which happens to be the mysterious IP-STB1. Unmasking that, it is the Verizon set top box. So the STB is trying to communicate with 192.168.1.2, which is this computer. ESET does not like it. Not sure why the STB would even do that.

I find this perplexing. Is it possible that something malicious has landed on the STB or this is normal behavior?



49 minutes ago, AxW said:

I find this perplexing. Is it possible that something malicious has landed on the STB or this is normal behavior?

No.

I have AT&T U-verse. Its inbound traffic enters the WAN side of the router via port 443 (yeah - I love that one) but is only sent to the STBs. However, if Verizon is also your ISP, it could be pinging your PC via the router for connectivity checking.

However, a SMART TV in SMART mode is using Wi-Fi to connect to the router. In fact, any SMART device could be trying to "discover" your PC. However, they don't use ICMP to do so.

-EDIT- What I believe Eset network mapping is showing is the Verizon DVR which is connected to the router via Ethernet; not the STB boxes themselves.

Edited by itman

Spent an hour with Verizon. They cannot help me. They did confirm that the STB shares the same IP as the router. ESET says there is an ICMP flood attack. It is in the log files BUT there is no detail. I have no idea how to proceed. The router does not keep low level logs and ESET does not tell me anything beyond "warning, Will Robinson". How do I identify the culprit/source?

Edit-LOG:

Time;Event;Source;Target;Protocol;Rule/worm name;Application;User
6/7/2017 9:52:26 AM;Detected ICMP Flooding attack;192.168.1.1;192.168.1.2;ICMP;;;
Edited by AxW

15 minutes ago, AxW said:

How do I identify the culprit/source?

All Eset IDS can "see" is the internal network; not anything external to it. Again, the only thing you can do is review your router logs which I believe only by default show inbound traffic to the router.

Also by default the router's firewall should be configured to drop unsolicited ICMP echo requests. Go to this web site: https://www.grc.com/x/ne.dll?bh0bkyd2 and run their test. You will fail the test if your router is replying to ICMP echo requests. If that is the case, then you will have to manually configure your router's firewall not to allow them. Again, if Verizon is the source, such configuration could render your TV network inoperable. If this is the case, your only solution is to create an IDS exception as noted previously -or- create an Eset firewall rule as I suggested.


5 hours ago, something1965 said:

Go into the Admin page and check the logs of your Router to see what is trying to communicate.

Pay attention to the same item time after time.

The admin page of Eset or my router?


I'll create a firewall rule for you that you can duplicate that will stop the Flood alerts. Before I do that, I need some info.

Is 192.168.1.1 your router and 192.168.1.2 your Verizon STB, WAP, or something associated with Verizon?


1 hour ago, itman said:

I'll create a firewall rule for you that you can duplicate that will stop the Flood alerts. Before I do that, I need some info.

Is 192.168.1.1 your router and 192.168.1.2 your Verizon STB, WAP, or something associated with Verizon?

1.1 is the Verizon router

1.2 is my computer


I do not have a problem with the flood alerts per se. I am trying to do a root cause analysis but lack the tools for it in this environment.


46 minutes ago, itman said:

Let's back up a bit.

What Eset firewall profile are you using, Public or Private network?

Looks like... no profile.

[screenshot: ESETfw.PNG]


8 hours ago, tennisfan7000 said:

The admin page of Eset or my router?

Router.

I found my phone system was trying to communicate with my off site email server (to email me) every minute so I fixed my phone system.

Edited by something1965

Not the only one with this problem, as you have stated. I think this started with the last Eset update or maybe even the Creators Update for Win 10. I'm on AirVPN though, so I only get the message when not connected through AirVPN, which is at boot up as the Eddie program is loading. Once I connect through Air the stupid Eset window goes away and doesn't come back unless I disconnect from AirVPN in the Eddie client.

Having a new issue with Eset though in showing a red box with a 3 in it for Setup. It's showing my Firewall, IDS, Botnet are all red. If I click them it says are you sure you want to disable them. So they aren't off or are they?


I just realized there are multiple people posting in this thread, so it is hard to keep straight who I am replying to:

@AxW 

You can find the network profile being used by accessing Network Protection -> Personal Firewall -> Known Networks. Then click on the "Edit" option as shown in the below screenshot. Exit that screen and the Eset GUI without changing anything:

[screenshot: Eset_Firewall_profile.png]


I think this is an ESET issue. I've been having this same problem for a couple of weeks now. It began before I installed the Creators Update for Windows 10. My laptop seems to be the only one with the issue. The other laptop with Eset installed doesn't appear to get any messages. I've been to the GRC site and passed the test. The IP address the "attacks" are coming from is the one for my router.


2 hours ago, AxW said:

@itman

[screenshot: network.PNG]

You have only one "home" network I assume?

If you share files and devices with other PCs on your network, then delete/remove the entries for home - Public network and home (2) leaving only one "home - Home or office network." If you don't share files and devices with other PCs on your network, then keep "home - Public network" and delete/remove the other two home network entries.

Did you set up two Virtual networks?

Report back if Flood alerts persist after making the above changes.


I wouldn't be so sure on the excluding the router from the ICMP detection bit. I just checked my log for the heck of it and had these:

[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:56:15
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:56:00
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:55:50
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:54:31
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:54:21
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:53:57
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:52:25
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:52:11
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:52:01
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:51:51
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:51:37
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:51:25
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:51:10
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:50:57
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:50:25


2 hours ago, scgt1 said:

I wouldn't be so sure on the excluding the router from the ICMP detection bit. I just checked my log for the heck of it and had these:

[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:56:15

Agreed.

You need to examine the source of the echo requests, which can only be done by examining the router's firewall log for like activity. If external flooding activity is occurring, it needs to be stopped by the router firewall.

Again, most router firewalls are configured to drop incoming ICMP echo requests by default. Of course, routers can be misconfigured or hacked.

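The two log formats that appear in this thread, AxW's ESET IDS export (Time;Event;Source;Target;...) and the "[Self2WAN ICMP type b Detected!] ..." router entries scgt1 quoted, can be triaged with a short script rather than read by eye. The following is an added example, not ESET's code nor anything posted by the participants: the sample rows are constructed to mirror the posted layouts, and it assumes that the router prints the ICMP type as a hexadecimal digit (so "type b" would be type 11, Time Exceeded) and that the "Self2WAN" tag names the traffic direction. It groups ESET alerts per source address into bursts so you can see whether one device is hammering the PC or whether the alerts are sporadic, and tallies the router's dropped ICMP entries by direction and type.

```python
"""Triage ESET IDS flood alerts against a home router's firewall log.

Added example following the line layouts posted in the thread: ESET's
semicolon-separated export and the "[Self2WAN ICMP type b ...]" router
lines. All sample input below is constructed for this demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the ESET export layout (header copied as posted).
ESET_EXPORT = """\
Time;Event;Source;Target;Protocol;Rule/worm name;Application;User
6/7/2017 9:52:26 AM;Detected ICMP Flooding attack;192.168.1.1;192.168.1.2;ICMP;;;
6/7/2017 9:52:31 AM;Detected ICMP Flooding attack;192.168.1.1;192.168.1.2;ICMP;;;
6/7/2017 9:58:02 AM;Detected ICMP Flooding attack;192.168.1.1;192.168.1.2;ICMP;;;
6/7/2017 9:58:03 AM;Detected ICMP Flooding attack;192.168.1.100;192.168.1.2;ICMP;;;
"""

# Constructed sample in the router log layout quoted in the thread.
ROUTER_LOG = """\
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:56:15
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:56:00
[Self2WAN ICMP type 8 Detected!] To prevent from revealing router's activity, this packet is drop Thursday, Jun 08,2017 21:55:50
"""

ESET_TS = "%m/%d/%Y %I:%M:%S %p"
ROUTER_TS = "%A, %b %d,%Y %H:%M:%S"
# Assumption: the router prints the ICMP type as a hex digit, so "type b" is 11.
ROUTER_RE = re.compile(
    r"\[(?P<dir>\w+) ICMP type (?P<type>[0-9a-fA-F]+) Detected!\]"
    r".*?(?P<ts>\w+, \w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})\s*$"
)
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}


def parse_eset(text):
    """Yield (timestamp, source, target) for each row of an ESET IDS export."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    for line in lines[1:]:
        row = dict(zip(header, line.split(";")))
        yield datetime.strptime(row["Time"], ESET_TS), row["Source"], row["Target"]


def cluster(timestamps, max_gap=timedelta(seconds=10)):
    """Group timestamps into runs where each consecutive gap is <= max_gap."""
    runs = []
    for t in sorted(timestamps):
        if runs and t - runs[-1][-1] <= max_gap:
            runs[-1].append(t)
        else:
            runs.append([t])
    return runs


def triage_eset(text, max_gap=timedelta(seconds=10), min_events=2):
    """Per source address: total alert count and bursts as (start, size)."""
    by_source = defaultdict(list)
    for ts, src, _target in parse_eset(text):
        by_source[src].append(ts)
    report = {}
    for src, stamps in by_source.items():
        bursts = [(run[0].strftime("%Y-%m-%d %H:%M:%S"), len(run))
                  for run in cluster(stamps, max_gap) if len(run) >= min_events]
        report[src] = {"count": len(stamps), "bursts": bursts}
    return report


def triage_router(text):
    """Count router log entries by (direction tag, decoded ICMP type)."""
    counts = Counter()
    for line in text.strip().splitlines():
        m = ROUTER_RE.search(line)
        if not m:
            continue  # not an ICMP entry in the expected layout
        datetime.strptime(m["ts"], ROUTER_TS)  # reject lines with a garbled timestamp
        icmp_type = int(m["type"], 16)
        counts[(m["dir"], ICMP_TYPE_NAMES.get(icmp_type, f"type {icmp_type}"))] += 1
    return counts


if __name__ == "__main__":
    for src, info in triage_eset(ESET_EXPORT).items():
        print(f"{src}: {info['count']} alerts, bursts={info['bursts']}")
    for (direction, kind), n in triage_router(ROUTER_LOG).items():
        print(f"router {direction} {kind}: {n} dropped")
```

Feed it a real ESET export (Tools -> Log files -> Network protection, exported to text) and the router's firewall log in place of the constructed samples. A source that shows up in many short bursts is a device worth identifying from the router's DHCP table; a router log that records only router-originated ICMP being dropped says nothing about inbound echo requests, which is why the thread keeps coming back to the router log rather than the ESET alert as the place to find the real source.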

This topic is now closed to further replies.