BEFW11S4 Thowing out ICMP garbage

[snakeroot007]

After recently installing 4 of these units, our network was completely trashed. A network sniff showed ICMP packets galore (digital projectile vomit on our network). We've got an ATM and couldn't even get out on the net. It completely usurped 6.5 megs of bandwidth.

Using Sniffit I was able to determine that Welchia seemed to trigger the activity (although I can't solely blame it on a worm). I kept playing with the settings and finally got it to calm down. I assumed (I know... I know)... that being a switch the 4 ports on the Linksys would act just like other hardware on our network... but I was wrong. Seems that the Linksys is 'smarter' (haha). It knows the difference between a crossover/straight cable, besides how to continually send out echo packets.

But, the setting in question is the router/gateway under Dynamic Routing. The default is gateway, but traffic seemed to subside when set to router. Being that I'm not even using the Internet port should this matter?

Sorry to ramble... don't spam me, I have enough problems working with teachers...

Snakeroot007

 

[bcastner]

What was the type field on the ICMP packets. It is likely a remote router registration request. Set the mode to router if you are not using the WAN port.

 

[snakeroot007]

Primarily type: echo.

The problem arose again this morning and I think I've narrowed it down further. May be a bad linksys.

 

[snakeroot007]

Not a bad linksys. It goes for about an hour and then it all breaks loose. Sniffit reports this:

ICMP message id: 192.168.0.1 > 192.168.0.35
ICMP type: Destination unreachable
Error: Port unreachable
ICMP message concerned following IP packet:
from 192.168.0.35 to 192.168.0.1
IP Packet precedence: Routine (---)
ID: 0x95FF FLAGS: -- -- Time to live (secs): 128
Protocol (17): UDP

I get these by the millions (some read unreachable, some read echo).

 

[bcastner]

The linksys in router mode is not forwarding the packets from whoever client 192.168.0.35 may be.

Time to find the client at that IP.
It is likely a static ip assignment.

 

[snakeroot007]

I've confirmed that the IP is DHCP. I should have clarified that this is only a sample log, some say 169.244.68.171 to 169.244.28.1, etc. Before I give up on the Linksys, I'm going to run the latest firmware (which didn't appear to have promising changes).

 

[snakeroot007]

Turns out I already have the latest version...

 

[bcastner]

This looks to me like Sobig or variant traffic. Many SMTP servers make ICMP temporary registration requests when you attempt to send mail. SoBig and variants use the MAPI service of a computer and IP spoofing among other tricks to send out thousands of email packages in a short period of time.

 

[snakeroot007]

Thanks bcastner for your advice.

I patched all our XP and other Windows machines and ran all the fixes. The problem returned after about an hour.

I replaced the ap's with D-Link AirPlus DI-614+ units and the problem seems to be gone. Our entire wireless network is working now and and I've been sniffing all a-m with minimal echo's (mainly from outside our network).

I like Linksys better (strong antennas and such), so if you comes up with a solution I'd love to hear it. I'd really be curious to chat with anyone else who's had the same problem...