Would a website ping me?

I was just looking through my logs yesterday when I noticed quite a few Blocked ICMP entries. These were all Type(3) in the source column, Type(10) [not code 10] in the destination column.

Now this has me confused because I look at the ICMP list and I see Type 3 Code 10 as being Destination unreachable->Host Administratively Prohibited.

Type 10 is along the lines of Router Solicitation.

Now I've looked into the IP addresses that are in the logs and they are from China (I'm in the UK), something to do with a company called vdoing. Why they would be pinging me (or whatever happened) is what I can't fathom out. Reason is I'm behind a NAT router with SPI (stateful packet inspection), which has me concerned and wondering was the router by-passed!
This is a copy of the IPnetinfo concerning the IPs from China, plus a pick of my logs attached. What I'm wondering is if I go to some website :wink: would it be likely that this is when this occurred. I don't think anything bad has happened because the browser would be sandboxed and there doesn't seem to be anything wrong.
Could this be the website has an Internet-Chat thing on it and that is what was doing this? What I find strange is the times are both Sunday ~7pm.
Anyone any ideas? Is this just something attached to a website?

Cheers, Matt


It is possible that it’s a malicious Web Server. But if that’s True, I don’t think it’s attacking from the same IP as the Web Server which is hosting the website you visited (I could be wrong). As these IPs don’t seem to Resolve to a Domain:

210.51.44.101
113.31.17.11
210.51.44.109

http://www.hcidata.info/host2ip.cgi

http://210.51.44.109/
http://113.31.17.11/

I think Vdoing has something to do with an Instant Messenger Service of which a Client can be Downloaded from ‘here’.

More info’…
(CTRL+F and type ‘vdo’.)

Could this be the website has an Internet-Chat thing on it and that is what was doing this?

Sounds good to me. :-TU

I was just looking through my logs yesterday when I noticed quite a few Blocked ICMP entries. These were all Type(3) in the source column, Type(10) [not code 10] in the destination column.

It’s ICMP type 3 subtype 10. CIS records the two parts of the ICMP message code in the source and destination ports. Source port gets the major type, destination gets the subtype.

The ICMP 3.10 says that a packet from your machine ran into somebody’s host machine firewall.

Thanks Grue, you've sort of put my mind at ease. Basically what you're saying is that although the source IP is not my LAN IP (the destination is), the way the firewall reacts to these ICMP messages is as it would for a regular blocked ICMP from another computer.

It just cerrfuddled me and I thought the Router had/was/is being by-passed. It did it again this last Sunday on a couple of day old Win 7 install (from Microsoft btw) with XP on another drive.
What concerns me is that it does it Sunday afternoon only.

I'm gonna keep an eye out.

Cheers,
Matt

It’s something of the nature of ICMP traffic. Because a lot of ICMP traffic is some kind of error message, the packet has to somehow say “who” is throwing the error. It’s usually an intervening router, or the destination itself. When it’s some router sending the ICMP, when the ICMP gets back to your machine, your machine has to somehow match that ICMP up with some earlier outbound packet to know to tell your app “oops, problem”. The way used to do that is source IP address.

But, stateful firewall inspection can get in the way. Web browser TCP out expects to have TCP back. Instead ICMP comes back, and the bits don’t line up the same way. Since the OS does the heavy lifting of matching ICMP to app, there’s no need for a firewall to do so. It just needs to let ICMP 3.x thru to the OS, and that’s not something that CIS makes all that easy to do (too many 3.x subtypes, and there isn’t an “any subtype” choice, so it’s an enumerated list).

Thanks for the explanation Grue, much appreciated.

I did some reading on Firewall.cx today and now with your help the pieces are falling into place. From what I read it seems ICMP can be very useful for networking (both small and large scale) but can also throw up some confusion (maybe not the right word).

Matt

Yes and in this case most probably the router just in front of the host, because it appears to know where the host is located based on the “host admin prohibited”.

This is normally caused by something on your computer trying to UDP connect to the host that is behind this router/firewall. The host’s IP address is in the data packet of this message, but that does not get logged by CIS; the IP is from the filtering device…
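
Added example, not part of the original thread: the replies above note that the logged source IP is the filtering device and that the host actually contacted sits inside the ICMP payload. This Python sketch parses an ICMP type 3 packet and pulls out the quoted original header, so a blocked 3/10 entry can be matched to the outbound connection that triggered it. The sample packet and its addresses are constructed for illustration.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes; 10 is the one seen in the thread.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

def parse_icmp_unreachable(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying ICMP type 3; return who reported the
    error and which original outbound packet it refers to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not ICMP destination unreachable")
    inner = icmp[8:]  # quoted original IP header plus the start of its payload
    if len(inner) < 20:
        raise ValueError("quoted original header truncated")
    inner_ihl = (inner[0] & 0x0F) * 4
    result = {
        "reporter": socket.inet_ntoa(packet[12:16]),  # device that sent the ICMP
        "type": icmp[0], "code": icmp[1],
        "meaning": UNREACH_CODES.get(icmp[1], "other"),
        "orig_src": socket.inet_ntoa(inner[12:16]),   # our own address as seen outside
        "orig_dst": socket.inet_ntoa(inner[16:20]),   # host we tried to reach
        "orig_proto": inner[9],                       # 6 = TCP, 17 = UDP
    }
    l4 = inner[inner_ihl:inner_ihl + 4]
    if result["orig_proto"] in (6, 17) and len(l4) == 4:
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", l4)
    return result

def build_sample() -> bytes:
    """Constructed sample: filter 198.51.100.1 rejects a UDP packet
    192.0.2.10:50000 -> 203.0.113.5:8000 with ICMP 3/10 (checksums zeroed)."""
    def ip(proto, src, dst, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload
    udp = struct.pack("!HHHH", 50000, 8000, 8, 0)
    original = ip(17, "192.0.2.10", "203.0.113.5", udp)
    icmp = struct.pack("!BBHI", 3, 10, 0, 0) + original
    return ip(1, "198.51.100.1", "192.0.2.10", icmp)
```

Feeding a captured packet (for example from a packet capture taken at the time of the log entry) to `parse_icmp_unreachable` gives the `orig_dst` and port to look up in browser or application activity.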