Curious about strange ICMP type 3 code 10 traffic to my IP address

linux iptables firewall icmp

8,914

ICMP type 3 code 10

This implies it's a response to you from another firewall. If I have an iptables rule that ends with:

REJECT --reject-with icmp-net-prohibited

and a request from you is covered by this rule, you will receive a code 10 type 3 ICMP packet to inform you the port is unreachable by you. This is considered the correct response, as opposed to DROP, which sends no response and hence will tend to generate more traffic to the "unreachable" address to solve the mystery.¹

If this is the case, you should figure out why this is being rejected by your firewall and correct the rules, because it will cause applications to hang unnecessarily. Possibly you have something too early in the list, or no proper RELATED, ESTABLISHED rule.

Is this some sort of ICMP policy, to trick (My IP address) into transmitting something to (Foreign IP address), assuming I did not drop the traffic by default?

Unlikely, since there's no reply expected.

^{1. Using DROP as a security by obscurity mechanism on a public server is completely pointless since all a legitimate attacker must do is a port scan; one of them has to respond to something or else it isn't a public server. Further, it generates unnecessary additional traffic and problems for systems that aren't bogey men (i.e., most of them). If you want to deny access, just say you are denying access. You should only use DROP with traffic you are aware of but wish to ignore, such as broadcast packets from local systems.}

8,914

KimN

Updated on September 18, 2022

Comments

KimN over 1 year

My firewall (iptables) logs some strange ICMP type 3 code 10 traffic that I am curious to understand (specifically how or if this could be an exploit of some sort).

Type 3 = Destination Unreachable
Code 10 = Communication with Destination Host is Administratively Prohibited).

The logged traffic (4-6 packets a few seconds apart, once a day for the last months):

IN=eth0 OUT= MAC=(eth0 MAC) SRC=(Foreign IP address) DST=(My IP address) LEN=72 TOS=0x00 PREC=0x00 TTL=50 ID=35145 PROTO=ICMP TYPE=3 CODE=10 [SRC=(My IP address) DST=(Foreign IP address) LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=25 DPT=53454 WINDOW=28200 RES=0x00 ACK SYN URGP=0]

All logs indicate that (Foreign IP address) only transmits the above ICMP packet.
No other traffic from (Foreign IP address) is recorded in the same time period (see update below).
By default, the system logs and drops any traffic originating from the country of (Foreign IP address).

Could this be an exploit, perhaps to trick (My IP address) into transmitting something to (Foreign IP address), assuming I did not drop the traffic by default?

Any insights are welcome.

Update: The logs show that (Foreign IP address) consistently connects to port 80 and 443 prior to the ICMP packets (9 and 7 hours before the ICMP packets, respectively). Both attempts dropped by the default firewall policy.
According to Network-Tools.com the origin of (Foreign IP address) is China(CN) in region Southern and Eastern Asia, and no host name is associated with the IP address.
KimN almost 10 years

To the best of my knowledge, my system does not send any traffic to (Foreign IP address). That makes the received ICMP packet look very suspicious since (Foreign IP address) should have no reason to send (My IP address) a type 3 code 10 ICMP packet and hence my curiosity. Could it be a fingerprinting or spoofing technique (maybe some systems respond to the ICMP packet)? Thanks for the hint about DROP vs REJECT. I will look into it and adjust my firewall setup accordingly (it seems there are many opinions about this subject).
goldilocks almost 10 years

I would investigate the address then; if at the very least you can get a domain name, you can try letting them know via postmaster@domain. Not that I'd expect a response, but OTOH it seems a very odd thing to do except by accident...unless it's so rapid it represents a DoS type of attack.
KimN almost 10 years

I have updated my original post with details of the (Foreign IP address). I also updated the question to address if this could be an exploit or not.
Preston over 2 years

Drop should absolutely be used in this case and in nearly all cases. Returning ICMP implies that the address is routable and can be found here as well as causes your host to waste time generating unnecessary outboud traffic which can easily be abused in DoS amplification attack. You'll find no major firewall provider would ever recommend sending ICMP rejects of any kind in response to untrusted traffic.
goldilocks over 2 years

The consensus around here is somewhat different: [1] -- [2] WRT "causes your host to waste time generating unnecessary outboud traffic" -> In the more common case (someone who stops when the port is closed) using drop will cause the remote to repeatedly send the request to rule out network issues, generating pointless unnecessary traffic and placing additional load on the server under normal conditions.
goldilocks over 2 years

"easily be abused in DoS amplification attack" -> DoS attacks are not stealthy, and don't represent problems unless they are noticable; responding to one may involve changing firewall and other tactics temporarily, pretending you are always in the midst of a DoS attack is pointless.