Solved

Intrusion Prevention Alert ICMP

Posted on 2007-11-21
Last Modified: 2012-06-22
I have a few campuses logging the following alert on their SonicWALL firewall:

11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com

I cannot find any information on this destination IP 64.154.19.23, except that it's owned by Level3??  No reverse pointer, A, MX, NS or other DNS entry??

Each campus logging this alert to this IP is having it originate from their DC (Server 2003).  All just started since Monday this week.  Anyone have some data on what this IP device is?  Or why this is coming from our DCs?  All our DCs are set up to forward DNS requests to our ISPs.

Thanks,
Question by:quinnwyo
LVL 12

Expert Comment

by:bhnmi
ID: 20329136
Do you run DNS on the DCs?
0
 
LVL 12

Accepted Solution

by:
bhnmi earned 300 total points
ID: 20329144
They are DNS packets; I am sure I have similar entries in my logs as well.
0
 

Author Comment

by:quinnwyo
ID: 20329406
Yes, DNS on the DCs, but I have forwarders set up on them pointing to our ISP's DNS.  I assume the only traffic from my DCs destined for an external IP would be to our ISP's DNS - two entries.  If the forwarders do not respond/resolve the domain name requested, the request should die and stop looking any further, correct??
0

Author Comment

by:quinnwyo
ID: 20329419
Each campus uses a different ISP BTW.  Strange how these alerts are showing up as destined to the same IP??
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329479
Might be a top-level server at Level 3.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329490
This is what I get all the time

1/21/2007 09:29:59.096 -       IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -       66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329496
:P The date is today; I cut off a 1.
0
 

Author Comment

by:quinnwyo
ID: 20329616
Not a big deal, but one of my campuses was getting this alert like 300 times in a 48-hour window.
0
 
LVL 10

Assisted Solution

by:budchawla
budchawla earned 200 total points
ID: 20330280
Sometimes I find that SonicWALLs tend to log a lot of pretty benign stuff as alerts... IMHO this is one of those cases. I turn off IPS detection for SID 310... you can decide whether that works for you or not, and whether to leave prevention enabled or not.

Most of our sites have site-site VPNs and we constantly get these alerts even over VPN traffic, so I actually tend to disable detection & prevention. Note that this doesn't mean that your firewall will start responding to pings from the internet!
0
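Added example (not from any post in this thread, and not SonicWALL code): before disabling SID 310, the alerts can be triaged by parsing the log format quoted above and checking whether each WAN-side endpoint on port 53 is one of the DC's configured forwarders. The forwarder addresses, the third and fourth sample lines, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the alert lines quoted in the thread: name, SID, priority, then
# "ip, port, zone" for each side, with variable spacing between fields.
ALERT_RE = re.compile(
    r"IPS Detection Alert:\s*(?P<name>.+?),\s*SID:\s*(?P<sid>\d+),\s*"
    r"Priority:\s*(?P<prio>\w+)\s*-\s*"
    r"(?P<a_ip>[\d.]+),\s*(?P<a_port>\d+),\s*(?P<a_zone>\w+)\s*-\s*"
    r"(?P<b_ip>[\d.]+),\s*(?P<b_port>\d+),\s*(?P<b_zone>\w+)"
)

def parse_alert(line):
    m = ALERT_RE.search(line)
    if m is None:
        return None  # not an IPS alert line, or truncated
    rec = m.groupdict()
    for key in ("sid", "a_port", "b_port"):
        rec[key] = int(rec[key])
    return rec

def triage(lines, forwarders, sid=310):
    """Count alerts for `sid` per WAN-side IP. 'expected' holds WAN endpoints on
    port 53 that are configured forwarders; everything else is 'unexpected'."""
    expected, unexpected, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["sid"] != sid:
            continue
        side = "a" if rec["a_zone"] == "WAN" else "b"  # assumes one side is WAN
        ip, port = rec[side + "_ip"], rec[side + "_port"]
        bucket = expected if port == 53 and ip in forwarders else unexpected
        bucket[ip] += 1
    return expected, unexpected, unparsed

# Constructed forwarder addresses (documentation range), not from the thread.
FORWARDERS = {"198.51.100.53", "198.51.100.54"}
HEAD = "IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low - "
SAMPLE = [  # first two entries are the alerts quoted in the thread
    "11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    " + HEAD + "  64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com",
    "1/21/2007 09:29:59.096 -       " + HEAD + "      66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -",
    # Constructed lines: a reply from a configured forwarder, and a truncated entry.
    "11/19/2007 22:44:02.101 - Alert - Intrusion Prevention - " + HEAD + "198.51.100.53, 53, WAN - 192.168.21.203, 1040, LAN, dc.example.test",
    "11/19/2007 22:44:03.000 - Alert - Intrusion Prevention - IPS Detection Al",
]
if __name__ == "__main__":
    print(triage(SAMPLE, FORWARDERS))
```

Addresses that land in the "unexpected" counter are the ones worth comparing against the DNS server's forwarder and root-hints configuration before the signature is silenced.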
