?
Solved

Intrusion Prevention Alert ICMP

Posted on 2007-11-21
9
Medium Priority
?
2,888 Views
Last Modified: 2012-06-22
I have a few campuses logging the following alert on their sonicwall firewall:

11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com

I cannot find any information on this destination IP 64.154.19.23, except that its owned by Level3??  No reverse pointer, A, MX, NS or other DNS entry??

Each campus logging this alert to this IP is having it originate from their DC (Server 2003).  All just started since Monday this week.  Anyone have some data on what this IP device is?  Or why this is coming from our DCs?  All our DCs are setup to forward DNS requests to our ISPs.

Thanks,
0
Comment
Question by:quinnwyo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329136
Do you run DNS on the DC's?
0
 
LVL 12

Accepted Solution

by:
bhnmi earned 1200 total points
ID: 20329144
They are DNS packets I am sure I have similar entries in my logs as well.
0
 

Author Comment

by:quinnwyo
ID: 20329406
Yes DNS on the DCs, but I have forwarders setup on them pointing to our ISPs DNS.  I assume the only traffic from my DCs, destined for an external IP would be to our ISPs DNS - two entries.  If the forwarders do not respond/resolve the domain name requested, the request should die and stop looking any further, correct??
0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 

Author Comment

by:quinnwyo
ID: 20329419
Each campus uses a different ISP BTW.  Strange how these alerts are showing up as destined to the same IP??
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329479
Might be top level server at level 3.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329490
This is what I get all the time

1/21/2007 09:29:59.096 -       IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -       66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329496
:P the data is today I cut off a 1.
0
 

Author Comment

by:quinnwyo
ID: 20329616
Not a big deal but one of my campuses was getting this alert like 300 times in a 48 hour window.
0
 
LVL 10

Assisted Solution

by:budchawla
budchawla earned 800 total points
ID: 20330280
Sometimes I find that SonicWALLs tend to log a lot of pretty benign stuff as alerts... IMHO this is one of those cases. I turn off IPS detection for SID 310... you can decide whether that works for you or not, and whether to leave prevention enabled or not.

Most of our sites have site-site VPNs and we constantly get these alerts even over VPN traffic, so I actually tend to disable detection & prevention. Note that this doesn't mean that your firewall will start respoding to pings from the internet!
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses
Course of the Month12 days, 17 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question