Constant ICMP Protocol Blocks

I've been getting a substantial number of hidden ICMP channels (and a little SMB) being blocked. I'm assuming there might be some malware hidden within my machine. What it is and where to find it is the question.


I assume you must have enabled the detection of covert channels in ICMP. By default it's disabled, since legitimate applications may also utilize ICMP for non-standard communication. Moreover, this detection will be removed from the product some time later.

As for the SMB log entries shown, that is controlled by Eset Network Protection -> IDS -> Advanced options -> Packet Inspection -> Deny SMB sessions without extended security. Per Eset online help:


Deny SMB sessions without extended security – Extended security can be used during the SMB session negotiation in order to provide a more secure authentication mechanism than LAN Manager Challenge/Response (LM) authentication. The LM scheme is considered weak and is not recommended for use.

The setting controlling ICMP Hidden Channel detection is also located under Packet Inspection settings and is named "Covert data in ICMP protocol detection." The odd thing is that the majority of the source IP addresses are coming from 10.8.x.x addresses. That IP address range is associated with NAC RADB TESTING; ref.: http://www.irr.net/docs/faq.html and appears to be associated with the testing of peer-to-peer Internet routing connections. If you are using a VPN, I would ask them why these connections are showing up on your router. Additional ref. here: https://www.apnic.net/about-apnic/whois_search/about/what-is-in-whois/irr/

