My computer is sending ICMP packets to arbitrary destinations
Solution 1
This is normal, and alone should not be reason for any worries. What happened is that the computer with IP 80.167.113.76 sent an UDP packet to your computer, to port 25660. You don't have anything running in your computer waiting for UDP packets in this port, then your computer sends this ICMP packet back to the origin telling that nothing was reached at the given port (ICMP Type=3 Code=3 → Port unreachable). The ICMP packet contains a copy of the headers of the packet originally sent (in the opposite direction).
If you are getting this information from a packet sniffer (looks like wireshark?), then look for an incoming UDP packet from that IP arriving before the packet you just copied in this question.
Certainly you are using an ISP which dynamically assigns IP addresses to users. Probably your current IP address was being used by someone running some P2P application, and your IP plus this port combination was cached on someone else's application, and then that one tried to connect back to the original user who was using this IP.
No need for worry, really. But if it bothers you, you may want to install a stateful firewall that simply DROPs packets for non-tracked sessions. Instead of sending a "Port Unreachable" message to the origin, the firewall simply drops the original packet since it will not be in its internal connection table.
Solution 2
A tool like TCPView should let you see which process is creating this packets. That should give you a better idea of their purpose.
http://technet.microsoft.com/en-us/sysinternals/bb897437
Related videos on Youtube
user58859
Updated on September 17, 2022Comments
-
user58859 over 1 year
My computer is sending ICMP packets to arbitrary destinations. I can't understand the reason. Dump of one of the packet is :
Internet Control Message Protocol Type: 3 (Destination unreachable) Code: 3 (Port unreachable) Checksum: 0x811b [correct] Internet Protocol, Src: 80.167.113.76 (80.167.113.76), Dst: 192.168.1.2 (192.168.1.2) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 131 Identification: 0x0631 (1585) Flags: 0x00 0... .... = Reserved bit: Not set .0.. .... = Don't fragment: Not set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 111 Protocol: UDP (17) Header checksum: 0xc19b [correct] [Good: True] [Bad: False] Source: 80.167.113.76 (80.167.113.76) Destination: 192.168.1.2 (192.168.1.2) User Datagram Protocol, Src Port: 61846 (61846), Dst Port: 25660 (25660) Source port: 61846 (61846) Destination port: 25660 (25660) Length: 111 Checksum: 0x4b45 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Data (103 bytes) Data: 64313a6164323a696432303abe916abba14b8cb8a7167ce0...
What is meant by these arbitrary ICMP packets? I am afraid of rootkit. Kindly help.
operating system : windows 7 ultimate
-
user58859 about 13 yearsIt is dump of just one packet. My computer is continuously sending these packets to 100 of different IP's.
-
Mircea Vutcovici about 13 yearsIs 192.168.1.2 the IP of your computer?
-
Zaid Amir about 13 yearsActually, it is the opposite of your answer.
-
Mircea Vutcovici about 13 yearsICMPs are not usually generated by processes. They are generated by the kernel. To be generated by a a process, they process have to use raw sockets or a library similar to pcap.
-
Mircea Vutcovici about 13 yearsrun in your Windwos:
netstat -ban|find "61846"
. This will show if you have an application that is listening on that port. I expect to find none. Try to find in your trace an UDP packet with the destination port 61846 -
Zaid Amir about 13 yearsThis kind of ICMP packet is not generated by ant application in the operating system, but by the operating system itself, in response to a packet coming in the opposite direction.
-
user58859 about 13 yearsThanks, I understood. I restarted my modem to change the IP and it stopped.