WAN pinging public IP addresses
-
Hi all,
I recently noticed that my WAN interface is constantly pinging a few public IP addresses (1 ping every 2 seconds) that belong to Amazon (99.86.32.0/21). I do not have gateway monitoring configured to this IP (I actually disabled gw monitoring for the sake of testing) and am wondering what this is about.
I have SNORT on this interface, and was looking around to find anything related but found nothing out of the ordinary. This is the SID I'm talking about:
snort[2694]: [1:29456:3] PROTOCOL-ICMP Unusual PING detected [Classification: Information Leak] [Priority: 2] {ICMP} 172.16.100.253 -> 99.86.32.26
I did find posts saying that this rule should be disabled but it was related to internal>internal pinging, not internal>external pinging. This traffic is odd and I was wondering if anyone knows/has faced the same issue before? Thanks.
-
@BlueT_C Usually, ICMP traffic is harmless; however, if you're like me, the idea that some IP address is constantly pinging mine is worrisome indeed, ICMP or not. Yours seems excessive, a ping every 2 seconds ... wow! I would encourage you to put Snort on your LAN interface instead of WAN so you can see clearly which LAN device is involved ... or, are you saying the IP 172.16.100.253 doesn't belong to your network? Still, it's always better to have Snort on LAN, as you see all activities without the NAT.
-
-
@JKnott Was wondering whether that's the OP's WAN address, since OP has Snort on WAN, and whether OP's ISP is giving a private IP or the ISP network is pinging Amazon.
-
I figured it out. Thanks NollipfSense and JKnott for replying. Also I should have been more specific as to what gear I was using. So I'm double-natted (yeah, call me crazy), my setup is ISP router>PFsense (that's why WAN here is 172.16.100.253) >internal LANs.
It turns out it was an old Netgear Nighthawk I decided to bring back to life and use as an extra AP.
I did look at Snort logs in the LAN interface and found nothing (ICMP are not visible there). So I decided to do it the old-fashioned way of shutting down all devices I had. 30 smart devices later, I found out it was the AP.
Looking at the netgear device, I was looking for any configuration that would lead to those amazon IPs and found a disabled service called netgear readycloud. I nslookup readycloud.netgear.com and bingo:
readycloud.netgear.com
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: d1txhgvvqyji4k.cloudfront.net
Addresses: 2600:9000:2164:7600:c:3ea7:2100:93a1
99.86.32.21
99.86.32.54
99.86.32.91
99.86.32.112
Aliases: readycloud.netgear.com
It blew my mind that even though the service is disabled, it's pinging continuously the Netgear subdomain. I found no other option related to readycloud that I could use to stop this nonsense.
I'll decide tomorrow if I'm just going to block the traffic on PFsense (not bandwidth-effective) or just chuck this thing.
Thanks again everyone, at least this post might help someone in the future.
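As an added example (not part of the original post): a small Python script that repeats the correlation described above, grouping Snort ICMP alerts by source and destination, measuring the ping interval, and checking each destination against the nslookup answers. The log timestamps and the 192.0.2.7 line are constructed; the alerted address 99.86.32.26 is not among the four resolved addresses, so it matches only on the cited 99.86.32.0/21 range.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: alert text as in the post; timestamps and the last
# destination (192.0.2.7) are invented for illustration.
ALERT = ("snort[2694]: [1:29456:3] PROTOCOL-ICMP Unusual PING detected "
         "[Classification: Information Leak] [Priority: 2] {ICMP} ")
SAMPLE_LOG = [f"Mar  1 10:00:0{2 * i} {ALERT}172.16.100.253 -> {dst}"
              for i, dst in enumerate(["99.86.32.26"] * 4 + ["192.0.2.7"])]

# Addresses from the nslookup output in the post, and the range the poster cites.
RESOLVED = {"readycloud.netgear.com": {"99.86.32.21", "99.86.32.54",
                                       "99.86.32.91", "99.86.32.112"}}
CITED_RANGE = ipaddress.ip_network("99.86.32.0/21")
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) snort\[\d+\]: "
                     r"\[[\d:]+\] .*\{ICMP\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")

def parse_alerts(lines):
    """Return (timestamp, src, dst) per ICMP alert line; other lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog has no year; a fixed one is enough to compute intervals
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            out.append((ts, m["src"], m["dst"]))
    return out

def summarize(alerts):
    """Map (src, dst) -> (alert count, median seconds between alerts)."""
    times = defaultdict(list)
    for ts, src, dst in alerts:
        times[(src, dst)].append(ts)
    result = {}
    for key, seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        result[key] = (len(seen), median(gaps) if gaps else None)
    return result

def attribute(dst):
    """Exact hit on a resolved address, else weaker hit on the cited prefix, else None."""
    for name, addrs in RESOLVED.items():
        if dst in addrs:
            return (name, "exact")
    if ipaddress.ip_address(dst) in CITED_RANGE:
        return (str(CITED_RANGE), "range")
    return None
```

Names served from a CDN return changing addresses, so a "range" result is weaker evidence than an "exact" one and is worth confirming by isolating the device, as was done here.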
-
@BlueT_C said in WAN pinging public IP addresses:
So I'm double-natted (yeah, call me crazy)
@crazy
Can't you put the ISP modem in bridge mode?
-
@JKnott, I have a DMZ between ISP router and PFsense, for an internal lab behind the firewall. For what I'm currently working on, this setup works well.
-
Which Nighthawk is it?
https://openwrt.org/toh/netgear/start
Steve
-
@stephenw10 R6400, not sure if it works on openwrt, but it does work with ddwrt firmware, 'cause I had it on some time ago.
Actually that's not a bad idea, you know? Geezzz, I could just install dd-wrt, it would certainly get rid of these stupid pings. I totally forgot about this option. Great "suggestion/question" stephenw10, thanks!
-
No worries. Better than junking it.