Jump to content

Constant ICMP Protocol Blocks

Recommended Posts

I've been getting a substantial amount of hidden ICMP channels (and a little bit of SMB) that are being blocked. I'm assuming there might be some malware that is hidden within my machine. What it is and where to find it is the question.





Link to comment
Share on other sites

  • Administrators

I assume you must have enabled the detection of covert channel in ICMP. By default it's disabled since also legitimate application may utilize ICMP for non-standard communication. Moreover, this detection will be removed from the product some time later.

Link to comment
Share on other sites

As far as the SMB log entries shown, that is controlled by Eset Network Protection -> IDS -> Advanced options -> Packet Inspection -> Deny SMB sessions without extended security setting. Per Eset online help:


Deny SMB sessions without extended security – Extended security can be used during the SMB session negotiation in order to provide a more secure authentication mechanism than LAN Manager Challenge/Response (LM) authentication. The LM scheme is considered weak and is not recommended for use. 

The setting controlling ICMP Hidden Channel detection is also located under Packet Inspection settings and is named "Covert data in ICMP protocol detection." The thing that is odd is the majority of the source IP address are coming from 10.8.x.x addresses. That IP address range is associated with NAC RADB TESTING; ref.: http://www.irr.net/docs/faq.html and appears to be associated with the testing of peer-to-peer Internet routing connections.  If you are using a VPN, I would ask them why these connections are showing up on your router. Additional ref. here: https://www.apnic.net/about-apnic/whois_search/about/what-is-in-whois/irr/

Edited by itman
Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...