LinuxQuestions.org
Old 04-27-2015, 02:09 AM   #1
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
Trying to understand fake ICMP packet


I am fairly new to running web services on a VPS but have set up three in the past few months and so far so good.

I watch things very closely and have become fairly confident in my ability to understand my traffic and logs.

Most bots, probes and other anal traffic I recognize and manage as well as can be. But I have begun to see an ICMP packet that I do not understand and have not been able to find much help with through searches. I do not see them with great frequency, but I do see them on all my VPS web interfaces.

It is an ICMP "reply" to a non-existent DNS query as far as I can tell:

Code:
01:27:44.099006 IP (tos 0x0, ttl 47, id 2472, offset 0, flags [none], proto ICMP (1), length 90)
    oo.oo.oo.oo > xx.xx.xx.xx: ICMP oo.oo.oo.oo udp port 53 unreachable, length 70
        IP (tos 0x0, ttl 241, id 26233, offset 0, flags [DF], proto UDP (17), length 62)
    xx.xx.xx.xx.53719 > oo.oo.oo.oo.53: [udp sum ok] 26233+ A? abcdefghij.lm.no. (34)
        0x0000:  4500 005a 09a8 0000 2f01 4e19 6efe 1e45  E..Z..../.N.n..E
        0x0010:  2d38 7967 0303 311b 0000 0000 4500 003e  -8yg..1.....E..>
        0x0020:  6679 4000 f111 ef52 2d38 7967 6efe 1e45  fy@....R-8ygn..E
        0x0030:  d1d7 0035 002a 831f 6679 0100 0001 0000  ...5.*..fy......
        0x0040:  0000 0000 0--- ---- ---- ---- ---- ----  .....abcdefghij.
        0x0050:  ---- ---- --00 0001 0001                 lm.no.....

oo.oo.oo.oo = Src IP
xx.xx.xx.xx = VPS IP
abcdef...no = Likely identifying string, redacted here
My first guess is that it is some reconnaissance probe such as discussed here, but if so I do not see how it would work as it would elicit no response as far as I know.

The other likely possibility I can see is that someone is spoofing my IP as the source when probing other sites, so I receive the response. But that does not benefit the actual sender and is poor as a DDOS attack as far as I can see.

Am I missing something? Or can someone add to, or correct, my understanding of these packets, please?

Last edited by astrogeek; 04-27-2015 at 02:15 AM.
 
Old 04-27-2015, 05:57 AM   #2
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176
It looks to me like DNS is being blocked. The VPS provider probably requires that your VPS instance use their DNS caching server for lookups instead of recursing it yourself.
 
Old 04-27-2015, 11:47 AM   #3
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263

Original Poster
Blog Entries: 24

Rep: Reputation: 4194
Thanks for the reply.

I am using their DNS.

The problem is that there was no outgoing DNS request from my VPS interface to result in the ICMP response. In other words, all I ever see is the "response" which makes me think that my address is being spoofed in a DNS request sent from somewhere else.
 
Old 04-27-2015, 12:14 PM   #4
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263

Original Poster
Blog Entries: 24

Rep: Reputation: 4194
Just to be sure that I was not unintentionally filtering some originating DNS request, I have been running a capture of everything except my own ssh session and just saw this one...

Code:
10:58:59.541656 IP (tos 0x0, ttl 48, id 184, offset 0, flags [none], proto ICMP (1), length 86)
    oo.oo.oo.oo > xx.xx.xx.xx: ICMP oo.oo.oo.oo udp port 11326 unreachable, length 66
        IP (tos 0x0, ttl 243, id 17, offset 0, flags [none], proto UDP (17), length 58)
    xx.xx.xx.xx.50994 > oo.oo.oo.oo.11326: [udp sum ok] UDP, length 30
        0x0000:  4500 0056 00b8 0000 3001 6bb6 6ff8 4102  E..V....0.k.o.A.
        0x0010:  2d38 4007 0303 1b6e 0000 0000 4500

oo.oo.oo.oo = Src IP
xx.xx.xx.xx = VPS IP
So it is not only in "response" to DNS requests, but more like port scanning.

But there is no "originating" outgoing packet corresponding to this ICMP response.

Last edited by astrogeek; 04-27-2015 at 12:15 PM.
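To make the structure of these packets concrete, here is an added example that is not from the thread or from any of the posters. It rebuilds an ICMP Destination Unreachable / Port Unreachable packet with the same layout and lengths as the two captures above (34-byte DNS question, 62-byte quoted UDP datagram, 70-byte ICMP, 90-byte outer IP for the first; 58/66/86 for the second), decodes the quoted inner IP/UDP header and DNS name out of it, and then applies the check the OP is doing by hand: if the quoted datagram claims our address as source but we never sent a matching UDP flow, the error is unsolicited backscatter, which is what you see when someone else is sending packets with your address spoofed as the source. The addresses are constructed values from the RFC 5737 documentation ranges standing in for xx.xx.xx.xx and oo.oo.oo.oo; the builder functions and the `outbound_flows` table are assumptions for the demonstration, not anything the thread describes.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# thread's xx.xx.xx.xx (the VPS) and oo.oo.oo.oo (the remote host).
VPS_IP = "192.0.2.10"
REMOTE_IP = "198.51.100.7"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl, ident, df=False):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none


def build_dns_a_query(ident, qname):
    """Recursion-desired A/IN question, the shape quoted in the first capture."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_icmp_port_unreachable(quoted):
    """ICMP type 3 code 3 (the 0303 in the dump): 8-byte header, then the offending datagram."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


@dataclass
class IcmpError:
    outer_src: str                     # host that sent the ICMP error (oo.oo.oo.oo)
    outer_dst: str                     # host that received it (xx.xx.xx.xx)
    code: int
    inner_src: str                     # claimed sender of the quoted datagram
    inner_dst: str
    inner_proto: int
    inner_sport: Optional[int] = None
    inner_dport: Optional[int] = None
    dns_qname: Optional[str] = None


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (f[0] & 0xF) * 4, "proto": f[6], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}


def decode_qname(data):
    """Read DNS labels up to the terminating zero byte (no compression pointers)."""
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) + "."


def parse_icmp_error(pkt) -> Optional[IcmpError]:
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        return None
    icmp = pkt[outer["ihl"]:]
    if icmp[0] != 3:                   # only Destination Unreachable is handled here
        return None
    quoted = icmp[8:]                  # original IP header plus at least 8 bytes of its payload
    inner = parse_ipv4(quoted)
    err = IcmpError(outer["src"], outer["dst"], icmp[1], inner["src"], inner["dst"], inner["proto"])
    l4 = quoted[inner["ihl"]:]
    if inner["proto"] == 17 and len(l4) >= 8:
        err.inner_sport, err.inner_dport = struct.unpack("!HH", l4[:4])
        if err.inner_dport == 53 and len(l4) > 8 + 12:
            err.dns_qname = decode_qname(l4[8 + 12:])   # skip the UDP and DNS headers
    return err


def classify(err: IcmpError, outbound_flows, my_ip) -> str:
    """'expected' if we really sent the quoted datagram; 'unsolicited' if it claims our
    address but no matching outbound flow was seen (backscatter from a spoofed source)."""
    if err.inner_src != my_ip:
        return "not-ours"
    key = (err.inner_proto, err.inner_sport, err.inner_dst, err.inner_dport)
    return "expected" if key in outbound_flows else "unsolicited"


def sample_packet():
    """Packet with the same layout and lengths (34/62/70/90) as the first capture in the thread."""
    dns = build_dns_a_query(26233, "abcdefghij.lm.no.")
    inner = build_ipv4(VPS_IP, REMOTE_IP, 17, build_udp(53719, 53, dns), ttl=241, ident=26233, df=True)
    return build_ipv4(REMOTE_IP, VPS_IP, 1, build_icmp_port_unreachable(inner), ttl=47, ident=2472)
```

In practice `outbound_flows` would be fed from a capture of your own egress (the tcpdump the OP is already running), keyed by protocol, source port, destination address and destination port; an ICMP error whose quoted datagram never appears in that table tells you the sender saw a packet with your address on it that did not come from you. The inner header is the useful part for that correlation, because the outer source of the ICMP error is simply whichever host the spoofed packet was aimed at.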
 
Old 04-28-2015, 08:32 PM   #5
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,623

Rep: Reputation: 2695
FYI

Just so you know:
1. some ISPs scan their network. Comcast does this in my area.
2. some breakers (media calls them 'hackers' because they are ignorant of the true meaning) also do this. If they are discovered, the ISP may block them. (Do not count on that; many ISPs do not care as long as the check clears the bank.)

I routinely block such, and run services on non-standard ports. It helps, somewhat.

This may, or may not, apply to your situation.