Router[Cable Connection] -> ICMP[ARP] -> DoS + Possible Leaked ICMP

I have a Belkin Router connected to my cable connection.

Its Firewall is forever blocking ARP ICMP packets from the server I am connected to, either when I have the block WAN ICMP on or off, I know this behavior is exspected, but it is correct that I should be blocking all these ARP ?

Also my server (well its a winxp box) has logged 2 (from same source) ICMP connections that the firewall has let through, it has 2 ports open for emule, is that someone targetting those ports specifically, eg port scan, or is it misrouted ?

It is the first time I have ever encountered this, my server is currently NOT running any software firewall, im thinking of installing one so I can have tight rules for the open ports, but leave everything else open (its a LAN file server and web developement server as well). Will the built in XP SP2 firewall be ok for this, or should I look at a Kerio 2-like firewall ?

 

Do you have some log entries you could post to provide some more detail?

It may, what exactly do you want to accomplish in terms of filtering/rules?

Regards,

CrazyM

 

I can save some logs, but they are not very detailed :|
I have found out most people block ICMP (inc ARP) and not had a problem with their service, so I will continue to do the same.

It appears that when emule fires up, there is a moment of leaked ICMP traffic through my router (from my ISP as is a WAN IP address), which gets logged, this is repeatable.

I wonder if this is a feature/bug of port forwarding on my router ?

But that is the ONLY time it happens.

As far as firewall rules go, I would want to on that states only emule can use the 2 ports (matching the routers open ports) and only accept TCP and UDP on the correct ports, deny anything else from the internet.

Then have a LAN rule that allows any local IP address access.

 

For eMule, do you have any ports forwarded in your router for incoming traffic?

 

Yes I have 2 ports forwarded.

 

I wouldn't worry about ICMP, if you are on XP, I would suggest using UPnP if your eMule client supports that, I use Azureus under 2K with UPnP enabled, that way, when Azureus is not in use, nothing is left open,I know many say that UPnP is dangerous but then so is leaving ports open permanently.

 

Would be little point in UPnP, as this machine runs emule 24/7 anyhow.

I've monitored for a few days and the only time ICMP will come through is when emule is firing up, as it runs most of the time it is little issue.

 

Unless I am misunderstanding you, it sounds as everything is functioning as expected.

First, ARP is not the same as ICMP nor is it a subset of functionality of ICMP. ARP is distinctly different from ICMP and, in fact, is essentially non-routable in nature because of its purpose in converting IP addressing (Network Layer or "Layer 3") into MAC addressing (Data Link Layaer or "Layer 2"). I can't really conceive of a situation of ARP "leaking" through a firewall or router since the host will send out a broadcast ARP request for the default gateway if it knows that the destination is not on it's subnet (via the subnet mask). Likewise the default router will broadcast an ARP request on the local subnet when it needs to know the destination host's MAC address and it doesn't have it in it's cache. There are attacks involving ARP (ARP poisoning, man-in-the-middle, etc.), but as far as I know in each one the attacker has to be sitting on the same subnet as the victim.

ICMP on the other hand works at the Network Layer or Layer 3 and is most typified by Echo requests and Echo replies. It is likely that when eMule fires up, it validates some destination by performing an ICMP Echo Request. Your Belkin router is likely not necessarily a fully protocol configurable firewall but rather a NAT router which essentially performs "firewalling" as a side effect. Either way it is reasonable for the ICMP Echo Replies to be returned through the firewall / router and back to the host. Most "firewalls" and especially NAT routers are configured by default to allow returning traffic from conversations originated from inside the firewall, and this is reasonable since it would be confusing and disconcerting for most to worry about configuring outbound traffic policies as well (although security professionals really need to focus on this as well). The way NAT (technically NAPT) works in this case is that it takes the ICMP Echo request from your host, modifies the source IP address from the priviate internal host address to the public external router IP address, and then also modifies the Identifier field of the Echo request so that the router "knows" how to associate replies with requests. When the returning ICMP Echo Reply arrives at the public external router IP address, the router examines the Identifier field and if it recognizes it, then it "knows" how and where to route the reply on the internal network.

 

Alec, cheers for the details, I know that ARP is different to ICMP, they are seperate issues though.

Issue with ARP is the huge amount traffic causing my router to block the traffic it things im being DoS attacked... just my router is stupid enough to log the attack as ICMP, even though a packet sniffer shows it to be ARP traffic.

On the ICMP leaking through, what you say makes sense, its just odd that its a reply from a WAN address, not internet, maybe my isp is blocking these ICMP packets ?

BTW, my router has NAT, an SPI firewall (blocks common attacks like DoS) and an option to allow/block ICMP, all which can be turned on/off individually.

 

It sounds more like your router is having problems dealing with the influx of traffic that normally results from connecting to a file-sharing network. ARP traffic should only occur within LANs so you should only see large amounts if you are connected via a cable-based ISP (who have their networks set up as large LANs).

A WAN (Wide Area Network) address will be part of the Internet as far as your router is concerned and ICMP traffic is normal - as for it "leaking", well there are different types of ICMP messages and a leak can only be said to be occuring if a specific type is allowed through even if you have blocked it. However, I would echo CrazyM's request for log entries - without more detail it is really a waste of time speculating as to what your problem may be.

 

Im on Blueyonder, and even when emule is not running, I get the same amount of traffic.

Yes well my routers logs are rather lame.

protection 10.153.128.1 Sat Dec 17 13:16:11 2005 1 Blocked by DoS protection 10.153.128.1 Sat Dec 17 13:16:13 2005 1 Blocked by DoS

Will dig out my etherreal logs when I have time (I cant remember where I saved them).

Cheers for the input everyone, but it does'nt seem theres any real worry.

 

Well those log entries certainly do not shed much light on what is going on. Hopefully you can find the Ethereal information.

Regards,

CrazyM