Solved

Intrusion Prevention Alert ICMP

Posted on 2007-11-21
9
2,733 Views
Last Modified: 2012-06-22
I have a few campuses logging the following alert on their sonicwall firewall:

11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com

I cannot find any information on this destination IP 64.154.19.23, except that it's owned by Level3??  No reverse pointer, A, MX, NS or other DNS entry??

Each campus logging this alert to this IP is having it originate from their DC (Server 2003).  All just started since Monday this week.  Anyone have some data on what this IP device is?  Or why this is coming from our DCs?  All our DCs are set up to forward DNS requests to our ISPs.

Thanks,
0
Comment
Question by:quinnwyo
  • 5
  • 3
9 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329136
Do you run DNS on the DC's?
0
 
LVL 12

Accepted Solution

by:
bhnmi earned 300 total points
ID: 20329144
They are DNS packets I am sure I have similar entries in my logs as well.
0
 

Author Comment

by:quinnwyo
ID: 20329406
Yes, DNS on the DCs, but I have forwarders set up on them pointing to our ISPs' DNS.  I assume the only traffic from my DCs, destined for an external IP would be to our ISPs' DNS - two entries.  If the forwarders do not respond/resolve the domain name requested, the request should die and stop looking any further, correct??
0
 

Author Comment

by:quinnwyo
ID: 20329419
Each campus uses a different ISP BTW.  Strange how these alerts are showing up as destined to the same IP??
0

 
LVL 12

Expert Comment

by:bhnmi
ID: 20329479
Might be top level server at level 3.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329490
This is what I get all the time

1/21/2007 09:29:59.096 -       IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -       66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329496
:P the date is today, I cut off a 1.
0
 

Author Comment

by:quinnwyo
ID: 20329616
Not a big deal but one of my campuses was getting this alert like 300 times in a 48 hour window.
0
 
LVL 10

Assisted Solution

by:budchawla
budchawla earned 200 total points
ID: 20330280
Sometimes I find that SonicWALLs tend to log a lot of pretty benign stuff as alerts... IMHO this is one of those cases. I turn off IPS detection for SID 310... you can decide whether that works for you or not, and whether to leave prevention enabled or not.

Most of our sites have site-site VPNs and we constantly get these alerts even over VPN traffic, so I actually tend to disable detection & prevention. Note that this doesn't mean that your firewall will start responding to pings from the internet!
0
