
Intrusion Prevention Alert ICMP

Posted on 2007-11-21
Last Modified: 2012-06-22
I have a few campuses logging the following alert on their SonicWALL firewall:

11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com

I cannot find any information on this destination IP 64.154.19.23, except that it's owned by Level3??  No reverse pointer, A, MX, NS or other DNS entry??

Each campus logging this alert to this IP is having it originate from their DC (Server 2003).  All just started since Monday this week.  Anyone have some data on what this IP device is?  Or why this is coming from our DCs?  All our DCs are set up to forward DNS requests to our ISPs.

Thanks,
0
Comment
Question by:quinnwyo
9 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329136
Do you run DNS on the DCs?
0
 
LVL 12

Accepted Solution

by:
bhnmi earned 1200 total points
ID: 20329144
They are DNS packets I am sure I have similar entries in my logs as well.
0
 

Author Comment

by:quinnwyo
ID: 20329406
Yes, DNS on the DCs, but I have forwarders set up on them pointing to our ISPs' DNS.  I assume the only traffic from my DCs destined for an external IP would be to our ISPs' DNS - two entries.  If the forwarders do not respond/resolve the domain name requested, the request should die and stop looking any further, correct??
0
 

Author Comment

by:quinnwyo
ID: 20329419
Each campus uses a different ISP BTW.  Strange how these alerts are showing up as destined to the same IP??
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329479
Might be top level server at level 3.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329490
This is what I get all the time

1/21/2007 09:29:59.096 -       IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -       66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329496
:P The date is today; I cut off a 1.
0
 

Author Comment

by:quinnwyo
ID: 20329616
Not a big deal but one of my campuses was getting this alert like 300 times in a 48 hour window.
0
 
LVL 10

Assisted Solution

by:budchawla
budchawla earned 800 total points
ID: 20330280
Sometimes I find that SonicWALLs tend to log a lot of pretty benign stuff as alerts... IMHO this is one of those cases. I turn off IPS detection for SID 310... you can decide whether that works for you or not, and whether to leave prevention enabled or not.

Most of our sites have site-site VPNs and we constantly get these alerts even over VPN traffic, so I actually tend to disable detection & prevention. Note that this doesn't mean that your firewall will start responding to pings from the internet!
0
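
Added example, not part of the original thread and not SonicWALL tooling: before disabling SID 310, a short Python triage of the exported log shows which WAN peers trigger the alert and whether each one is a DNS server the DC is configured to forward to. The field layout is inferred from the two alert lines quoted in the thread; the forwarder addresses, `SAMPLE_LOG` entries marked as constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# Field layout inferred from the two alert lines quoted in this thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - .*?"
    r"IPS Detection Alert: (?P<name>.+?), SID: (?P<sid>\d+), Priority: (?P<prio>\w+) -\s+"
    r"(?P<wan_ip>[\d.]+), (?P<wan_port>\d+), WAN -\s+"
    r"(?P<lan_ip>[\d.]+), (?P<lan_port>\d+), LAN(?:, (?P<lan_name>[^\s,]+))?"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an IPS alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_sid(lines, sid, forwarders):
    """Count alerts for one SID per (WAN peer, LAN host) and classify the WAN peer."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] != str(sid):
            continue
        counts[(a["wan_ip"], a["wan_port"], a["lan_name"] or a["lan_ip"])] += 1
    report = []
    for (wan_ip, wan_port, lan_host), n in counts.most_common():
        if wan_port != "53":
            verdict = "not DNS"
        elif wan_ip in forwarders:
            verdict = "DNS, configured forwarder"
        else:
            verdict = "DNS, not a configured forwarder"
        report.append((wan_ip, lan_host, n, verdict))
    return report

# Hypothetical forwarder list (documentation-range addresses, not from the thread).
FORWARDERS = {"198.51.100.10", "198.51.100.11"}

SAMPLE_LOG = [
    # Line quoted in the question.
    "11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com",
    # Constructed: a repeat of the same alert, a forwarder peer, and an unrelated SID.
    "11/19/2007 22:51:07.120 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1041, LAN, domaincontroller.ourdomain.com",
    "11/19/2007 22:52:30.500 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   198.51.100.10, 53, WAN -     192.168.21.203, 1044, LAN, domaincontroller.ourdomain.com",
    "11/19/2007 22:53:00.000 - Alert - Intrusion Prevention -    IPS Detection Alert: Constructed Example Signature, SID: 999, Priority: Low -   203.0.113.7, 80, WAN -     192.168.21.50, 2000, LAN",
]

if __name__ == "__main__":
    for row in triage_sid(SAMPLE_LOG, 310, FORWARDERS):
        print(row)
```

A port-53 peer that is not a configured forwarder points at the DC's own recursion settings: Windows DNS falls back to root hints when forwarders fail unless recursion is disabled for forwarded queries.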

Question has a verified solution.