2

My computer is sending ICMP packets to arbitrary destinations. I can't understand the reason. A dump of one of the packets is:

Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x811b [correct]
    Internet Protocol, Src: 80.167.113.76 (80.167.113.76), Dst: 192.168.1.2 (192.168.1.2)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 131
        Identification: 0x0631 (1585)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 111
        Protocol: UDP (17)
        Header checksum: 0xc19b [correct]
            [Good: True]
            [Bad: False]
        Source: 80.167.113.76 (80.167.113.76)
        Destination: 192.168.1.2 (192.168.1.2)
    User Datagram Protocol, Src Port: 61846 (61846), Dst Port: 25660 (25660)
        Source port: 61846 (61846)
        Destination port: 25660 (25660)
        Length: 111
        Checksum: 0x4b45 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Data (103 bytes)

Data: 64313a6164323a696432303abe916abba14b8cb8a7167ce0...

What is meant by these arbitrary ICMP packets? I am afraid of a rootkit. Kindly help.

Operating system: Windows 7 Ultimate

user58859
  • 518
  • 3
  • 8
  • 17

4 Answers

5

This is normal, and alone should not be reason for any worries. What happened is that the computer with IP 80.167.113.76 sent a UDP packet to your computer, to port 25660. You don't have anything running on your computer waiting for UDP packets on this port, so your computer sends this ICMP packet back to the origin telling it that nothing was reached at the given port (ICMP Type=3 Code=3 → Port unreachable). The ICMP packet contains a copy of the headers of the packet originally sent (in the opposite direction).

If you are getting this information from a packet sniffer (looks like wireshark?), then look for an incoming UDP packet from that IP arriving before the packet you just copied in this question.

Certainly you are using an ISP which dynamically assigns IP addresses to users. Probably your current IP address was being used by someone running some P2P application, and your IP plus this port combination was cached on someone else's application, and then that one tried to connect back to the original user who was using this IP.

No need for worry, really. But if it bothers you, you may want to install a stateful firewall that simply DROPs packets for non-tracked sessions. Instead of sending a "Port Unreachable" message to the origin, the firewall simply drops the original packet since it will not be in its internal connection table.

Juliano
  • 5,512
  • 28
  • 28
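As an added illustration of the mechanism this answer describes (example code, not from the question or the answer's author): a small Python parser that takes the ICMP message from the question, rebuilt from the dissected fields with only the first 24 payload bytes the dump shows, and recovers the original datagram's direction and ports from the embedded headers. It also verifies the embedded IP header checksum and checks whether the payload starts with the bencoded prefix a BitTorrent DHT query uses, which is consistent with the P2P explanation above.

```python
import socket
import struct

# Constructed sample: the ICMP error from the question, rebuilt from the
# dissected fields. Only the first 24 payload bytes shown on the page are included.
SAMPLE_ICMP = bytes.fromhex(
    "0303811b00000000"                          # ICMP: type 3, code 3, checksum, unused
    "45000083063100006f11c19b50a7714cc0a80102"  # embedded IP header of the original datagram
    "f196643c006f4b45"                          # embedded UDP header (ports 61846 -> 25660)
    "64313a6164323a696432303abe916abba14b8cb8a7167ce0"  # first bytes of the UDP payload
)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header with its checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_port_unreachable(pkt: bytes) -> dict:
    """Recover the original datagram's endpoints from an ICMP port-unreachable message."""
    icmp_type, code = pkt[0], pkt[1]
    if (icmp_type, code) != (3, 3):
        raise ValueError("not an ICMP port-unreachable message")
    inner = pkt[8:]                      # the quoted original IP datagram starts after 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    ttl, proto = inner[8], inner[9]
    hdr_sum = struct.unpack("!H", inner[10:12])[0]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    if proto != 17:
        raise ValueError("embedded datagram is not UDP")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    payload = inner[ihl + 8:]
    return {
        "original_src": src, "original_dst": dst,      # direction of the datagram that failed
        "original_sport": sport, "original_dport": dport,
        "ttl": ttl,
        "inner_checksum_ok": ip_checksum(inner[:ihl]) == hdr_sum,
        # A bencoded dict opening "d1:ad2:id20:" is the shape of a BitTorrent DHT query.
        "looks_like_dht": payload.startswith(b"d1:ad2:id20:"),
        "error_sent_by": dst,            # the host that had no listener on dport
    }


if __name__ == "__main__":
    for key, value in parse_port_unreachable(SAMPLE_ICMP).items():
        print(f"{key:>18}: {value}")
```

The parsed original source is the remote host and the original destination is 192.168.1.2, which is why the local machine, not the remote one, emits the error.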
2

A tool like TCPView should let you see which process is creating these packets. That should give you a better idea of their purpose.

http://technet.microsoft.com/en-us/sysinternals/bb897437

Alistair McMillan
  • 434
  • 3
  • 9
  • 22
  • 1
    ICMPs are not usually generated by processes. They are generated by the kernel. To be generated by a process, the process has to use raw sockets or a library similar to pcap. – Mircea Vutcovici Feb 14 '11 at 19:24
  • 2
    This kind of ICMP packet is not generated by any application in the operating system, but by the operating system itself, in response to a packet coming in the opposite direction. – Juliano Feb 14 '11 at 19:28
0

I think you are receiving ICMP Port unreachable for UDP 80.167.113.76 on port 25660. This means that an application on your computer is trying to connect to 80.167.113.76:25660 via UDP protocol and no remote service is listening on that port, or it is filtered.

Maybe you are running a P2P application which is trying to connect to some clients that are behind a firewall.

Mircea Vutcovici
  • 17,619
  • 4
  • 56
  • 83
0

ICMP is stateless (no session), so it is difficult to track a process that is creating the requests using common networking tools for Windows.

Use a tool like listdlls from sysinternals. You can then see what process has loaded icmp.dll:

C:\Documents and Settings\user>listdlls -d icmp

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------
Belkinwcui.exe pid: 2484
Command line: "C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe"

Base        Size      Path
0x74290000  0x4000    ICMP.DLL

http://www.linkedin.com/answers/technology/information-technology/computer-networking/TCH_ITS_CNW/12726-1647009

Mark Henderson
  • 68,823
  • 31
  • 180
  • 259
jc1
  • 11