ICMP = Port Unreachable over and over

Every 5 seconds I get Medium severity “Outbound Policy Violation (access denied, ICMP = Port Unreachable)” in my logs, and I can’t seem to figure out the source.

As far as I can tell, my computer is sending ICMP traffic out every 5 seconds to various IP addresses, or at least it’s trying to (the firewall is blocking it as far as I can tell, or at least I’d hope so, since it’s showing up in the logs). If there is some way to add a rule to prevent this traffic, or some way to discover what is causing it, I’d be greatly appreciative. The only things running are various Windows services and Comodo firewall, so as far as I know, there is nothing running that could possibly be sending all the ICMP requests out. TCPview reports only the services, and Comodo’s “Connections” page reports nothing connected.

Here is a sample log entry if it helps

Description: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol: ICMP Outgoing
Source: 192.168.1.33
Destination: 82.253.246.127
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8

and apparently Network Monitor rule ID 8 is… (If that is what it means by Network Control Rule 8.)

BLOCK and LOG IP IN or OUT FROM IP [Any] WHERE IPPROTO IS ANY

Do I need IPPROTO? And if so, why is my computer sending ICMP to various IP’s in the first place?

Normally, ICMP is sent by the system. It’s not some kind of application etc.

“Port Unreachable” ICMP messages are sent when another PC in the LAN (or WAN, if you have an actual internet IP) tries to figure out your PC’s port status (open/closed).

The frequency of these responses, however, is not normal in your case if you are connected to the internet directly (no LAN).

How long has this been going on?
If your ISP gives you a different IP every time you connect, check whether this repeats after you reconnect.

The 82.x.x.x IP is Proxad/Free SAS, an ISP and webhosting service in France. Possibly used by Firefox extensions (if you use that browser)? Ring any bells with you?

Also, is this happening at any specific time? Such as when you first open the browser, when you close the browser, use a p2p application (or close one), etc…

LM

Unfortunately, that’s only one of the many IP addresses that my computer seems to be attempting to send ICMP traffic to. The only Firefox add-ons I use are NoScript, Linkification, and DownThemAll, none of which my computer should be sending traffic to.

A few more IP’s that are being erroneously sent data (I hope there is some way to fix this =/)

213.132.37.98
87.227.4.142
217.232.68.183
24.185.87.142
(The list goes on and on, so I’ll truncate it here)

I could post the entire log if it would be helpful, but it’s basically all the same error, but with different IP’s. And Firefox isn’t running when these errors are happening (though starting Firefox does nothing to stop them).

Do you use any applications like peer-to-peer (eMule, uTorrent, etc)? Or any other type that create/accept high-volume connections?

LM

I use MIRC (without allowing DCC or any of that, so only the one connection to the server) and Azureus (Though it has been off for over a day at this point, and I’m still getting things showing up in the log).

It’s not uncommon to see residual ICMP (especially Port Unreachable) but mostly Inbound, not Out. And not more than a day after…

Have you used a traffic monitor like TCPView or CurrPorts to review the connections/attempted connections?

Or have you considered delving into the world of packet sniffers, to see all this in minute detail?

LM

TCPview shows nothing established, but alg.exe listening, svchost.exe listening, and both netbios and microsoft-ds listening (though the last two items should be getting snuffed by my router’s firewall).

I wouldn’t know how to log packets, other than an application like wireshark. I’ve been told that applications such as that will actually worsen your systems security though. Is there a non-invasive way to look at individual packets?

AFAIK, wireshark will not negatively impact your security. Obviously you’ll need to Allow it within CFP, in order for it to do its job. But I’m not aware of any security issues with it. I’ve used it a couple times myself, although I don’t have it installed at the moment.

A packet sniffer is the only way, though, for you to see what’s really going on. On the other side, if you’re comfortable just knowing that the connections are blocked (which your logs have confirmed), and don’t really care why they are there, it’s easy enough to create a Network Monitor rule to block without logging, so you won’t have to worry with them any more.

LM

I installed wireshark (ethereal), hopefully it’s not making my problem worse =P

The only traffic it is logging is (other than traffic from one computer on my internal network to another):

Source: 24.185.87.142 (and other IP’s that are showing up in Comodo’s logs)
Destination: 192.168.1.33
Protocol: UDP
Source Port: Various
Destination port: The port I had Azureus listening on

I guess this means that people I was previously connected to are still trying to get data from me, even though I no longer have Azureus open? Every third or so time, it changes to TCP traffic, on the same port. Is there a way to prevent this? O_O

I’m a bit confused also. The firewall reports I’m the source, and Wireshark reports that the other guy is the source. Which program is correct?

Depending on how your Network Monitor rules are configured, you may still be accepting the Inbound connection, but NetMon won’t let the response go back out.

The Allowed Inbound wouldn’t be logged, but the Blocked Outbound would.

That would be kind of odd, though.

What happens in general w/p2p apps is that after you’re closed, there’s still a large volume of traffic flowing, and the p2p app on the other end doesn’t know you’re no longer there. So it keeps trying to maintain the connection as if you were still on; probably unbeknownst to the user.

LM
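The two "sources" in the post above are both right, because they are looking at two different packets: the sniffer sees the peer's inbound UDP probe, and the firewall sees the ICMP error the local stack generates in reply. The following is an added illustration, not code from the original thread or from Comodo. It builds a constructed UDP datagram from 24.185.87.142 (one of the addresses in the thread) to 192.168.1.33 on an assumed Azureus listen port of 6881 (the thread never names the port), builds the ICMP type 3 / code 3 "Port Unreachable" that a host sends when nothing listens there, and then parses that error to recover the peer's address and the port it hit. The ICMP error quotes the original IP header plus the first 8 bytes of its payload (RFC 792), which is exactly why a captured Port Unreachable is enough to identify which inbound packet triggered it.

```python
"""Added example (not from the original thread): build and parse an ICMP
"Port Unreachable" to show why the firewall and the sniffer name different
"sources". Addresses come from the thread; port 6881 is an assumption."""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4, UDP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def _packed(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, _packed(src), _packed(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP. The UDP checksum is left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, len(udp)) + udp


def port_unreachable(original: bytes) -> bytes:
    """The ICMP type 3 / code 3 error a host sends for UDP to a closed port."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[: ihl + 8]                      # IP header + 8 bytes of UDP header
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted  # type, code, checksum, unused
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # The error goes back to the original sender, from the original destination.
    return ipv4_header(_dotted(original[16:20]), _dotted(original[12:16]), 1, len(icmp)) + icmp


def parse_port_unreachable(packet: bytes) -> dict:
    """Recover the outer ICMP addresses and the quoted trigger datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not ICMP Destination Unreachable / Port Unreachable")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 4:
        raise ValueError("quoted datagram too short to recover ports")
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "icmp_src": _dotted(packet[12:16]),   # what the firewall logs as Source
        "icmp_dst": _dotted(packet[16:20]),   # what the firewall logs as Destination
        "orig_src": _dotted(quoted[12:16]),   # what the sniffer shows as Source of the trigger
        "orig_dst": _dotted(quoted[16:20]),
        "orig_proto": quoted[9],              # 17 = UDP
        "orig_sport": sport,
        "orig_dport": dport,                  # the closed port the peer kept hitting
    }


def describe(packet: bytes) -> str:
    """Both views of the same event, side by side."""
    i = parse_port_unreachable(packet)
    return (
        f"firewall view: ICMP out {i['icmp_src']} -> {i['icmp_dst']} (Port Unreachable)\n"
        f"sniffer view:  UDP in  {i['orig_src']}:{i['orig_sport']} -> "
        f"{i['orig_dst']}:{i['orig_dport']} (the trigger)"
    )


if __name__ == "__main__":
    # Constructed probe: peer source port and payload are made up for the demo.
    probe = udp_datagram("24.185.87.142", "192.168.1.33", 51413, 6881, b"d1:ad2:id20:")
    print(describe(port_unreachable(probe)))
```

Because the quoted header travels inside the error, the same parsing works on a real capture: filter Wireshark on `icmp.type == 3 && icmp.code == 3` and the quoted UDP destination port tells you which listener the peers are still trying to reach.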

Is there a way to set it up so that the port only accepts traffic when Azureus is running? Right now, my rule is that any TCP/UDP in is allowed from any source, with any destination, as long as it’s trying to connect on the port Azureus is set to listen on. I realize that this isn’t the safest method, but I’m somewhat of a noob, and it was the only thing I could think of to make Azureus work.

If you can think of a way to do that, I’d be greatly appreciative. Wireshark doesn’t show any outbound traffic to those IP addresses, so you are right I assume, that only the inbound attempt is getting through. If so, I’d still like a way to keep that inbound traffic from getting through at all, since (I would guess) the problem isn’t being solved, since the other machines can tell I’m here, and thus keep trying to connect even though Azureus is shut off.

At the very least, I feel a little better knowing that it’s probably not some sort of attack.

Can you try to connect to the internet in some other way, like with your mobile (GPRS) or any other way, just to check whether the problem remains?

Will you open your Network Monitor to full-screen size, click on the rule you have made for Azureus’ connections, and capture a screenshot of it?

Save the screenshot as an image file (jpg, gif, or png) and attach to your post using the bold red “Additional Options” right below your text-box.

That way we can see what your rules are.

Tnx,

LM

With the exception of rules 0,1,9, and 10, everything is set to default. 9 and 10 are for internally networked PC’s, 0 is Azureus, and 1 is what was added when I did the “Add a trusted network” task.

Hope this helps.

[attachment deleted by admin]

sam2121, everything that is after
BLOCK&LOG IP Any Any IPPROTO=Any …
is useless. Because TCP/UDP/ICMP are built on IP, that rule (block) will block them all. At least that’s how it should work…

Tnx for the screenshot.

Mistweaver’s correct; those bottom two rules will be blocked. You will want to highlight and use the Move buttons to bring them up over that Block & Log All rule; it needs to be the last one, as NetMon filters traffic from top to bottom. That Block rule is your safety net, so it needs to remain in last position.

Other than that, I don’t see anything obviously out of place. The two ICMP In rules (ID 5 & 6, I think)… will you open each one to Edit, and click the box “Create an Alert if this rule is fired.” Then run Azureus as normal, and see if you’re getting logs on those rules after you close it down. If so, then we know that’s what’s occurring.

LM
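The ordering point in the post above (first match wins, scanning top to bottom, so anything below a "block everything" rule is dead) can be checked mechanically. The following is an added example, not code from the original thread or from Comodo: a small first-match evaluator over a rule list constructed from the thread's description. Rule 0 allows the Azureus listen port (6881 is an assumed value; the thread never names the port), rule 1 is the trusted LAN zone, rule 8 is the catch-all BLOCK & LOG, and rules 9 and 10 are the two internal PCs placed below it (their addresses, on an assumed second subnet, are made up). The default rules 2 to 7 are omitted because the thread does not list them. The `shadowed` check is a general subsumption test that flags any rule an earlier rule fully covers, not just rules below a catch-all.

```python
"""Added example (not from the original thread): first-match rule evaluation
and dead-rule detection for a top-down firewall rule list. Rule set is
constructed from the thread; port 6881 and the 192.168.2.x hosts are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                  # "allow" or "block"
    direction: str               # "in", "out" or "in/out"
    proto: Tuple[str, ...]       # ("ip",) means any IP protocol
    src: str = ANY               # IP, CIDR or ANY
    dst: str = ANY
    dport: Optional[int] = None  # None means any port
    log: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # ICMP/IGMP carry no port


def _ip_in(addr: str, spec: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        rule.direction in ("in/out", pkt.direction)
        and ("ip" in rule.proto or pkt.proto in rule.proto)
        and _ip_in(pkt.src, rule.src)
        and _ip_in(pkt.dst, rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First match wins, scanning top to bottom; None if nothing matched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def _net_covers(broad: str, narrow: str) -> bool:
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


def subsumes(a: Rule, b: Rule) -> bool:
    """True when every packet b could match is already matched by a."""
    return (
        a.direction in ("in/out", b.direction)
        and ("ip" in a.proto or set(b.proto) <= set(a.proto))
        and _net_covers(a.src, b.src)
        and _net_covers(a.dst, b.dst)
        and (a.dport is None or a.dport == b.dport)
    )


def shadowed(rules: List[Rule]) -> List[int]:
    """IDs of rules that an earlier rule fully covers, so they can never fire."""
    return [b.rid for i, b in enumerate(rules) if any(subsumes(a, b) for a in rules[:i])]


def move_before(rules: List[Rule], rid: int, before_rid: int) -> List[Rule]:
    """Return a new list with rule `rid` placed just above rule `before_rid`."""
    moving = next(r for r in rules if r.rid == rid)
    rest = [r for r in rules if r.rid != rid]
    idx = next(i for i, r in enumerate(rest) if r.rid == before_rid)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed rule list in the order the thread describes (defaults 2-7 omitted).
ORIGINAL_ORDER = [
    Rule(0, "allow", "in", ("tcp", "udp"), dport=6881),                        # Azureus (port assumed)
    Rule(1, "allow", "in/out", ("ip",), "192.168.1.0/24", "192.168.1.0/24"),   # trusted network
    Rule(8, "block", "in/out", ("ip",), log=True),                             # BLOCK & LOG, IPPROTO ANY
    Rule(9, "allow", "in/out", ("ip",), "192.168.2.10"),                       # internal PC (assumed)
    Rule(10, "allow", "in/out", ("ip",), "192.168.2.11"),                      # internal PC (assumed)
]
FIXED_ORDER = move_before(move_before(ORIGINAL_ORDER, 9, 8), 10, 8)

# Constructed packets: a LAN probe, the logged ICMP reply, an internet probe.
LAN2_PROBE = Packet("in", "udp", "192.168.2.10", "192.168.1.33", 137)
ICMP_REPLY = Packet("out", "icmp", "192.168.1.33", "24.185.87.142")
INTERNET_PROBE = Packet("in", "tcp", "24.185.87.142", "192.168.1.33", 445)

if __name__ == "__main__":
    print("dead rules as posted:", shadowed(ORIGINAL_ORDER))
    print("dead rules after move:", shadowed(FIXED_ORDER))
    for pkt in (LAN2_PROBE, ICMP_REPLY, INTERNET_PROBE):
        hit = evaluate(FIXED_ORDER, pkt)
        print(pkt, "->", hit.rid, hit.action, "(logged)" if hit.log else "")
```

With the original order, the LAN probe falls through to rule 8 and gets blocked and logged exactly like the ICMP entries in the thread; after the move, rule 9 allows it, while the outbound Port Unreachable and the internet probe still land on rule 8 as the last-line safety net.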

Sorry for the delay in replying. I hate to admit it, but “Page 2” threw me for a loop =P

The second I started Azureus (after creating the alert on firing) I got “Info Network Monitor Information (access granted, ICMP = NEEDED FRAGMENTATION)”

and then one Medium alert logged for an outbound policy violation (Access Denied, Protocol = IGMP), which is a new one to me. The second I turned off Azureus, I got a TON of the old ICMP = Port Unreachable messages. Is my inference correct, that their clients are somewhat poorly set up, and they keep requesting data even after I’ve turned off my client? At least I know that it’s not my client that keeps requesting data, but it seems like fixing something on their end would be impossible =/

Hi guys,
I get the same logs, only a lot more of them. I also think that the suggestions so far are right. The reason is the bittorrent client. My question is:

Is there a security loss if I allow ICMP port unreachable messages?

So that the destination address knows that this port is not open and is prevented from retrying? Do port scanners benefit from that action?

This has been asked before many times. I haven’t experienced any security issues with allowing ICMP. Here’s one thread:
https://forums.comodo.com/help/network_control_rule_id6_resolved-t7185.0.html;msg52574#msg52574

So it’s a debate between being “stealth” or not if you allowed certain ICMP connections.