brandon at burn
Jul 27, 2011, 1:36 PM
Post #3 of 3
On Wed, 27 Jul 2011, Jeroen Massar wrote:
> On 2011-07-27 22:18 , Brandon Applegate wrote:
>> Just poking around in my home firewall logs. I have a tunnel to one of
>> my data centers giving the house ipv6. I noticed a steady flow of icmp
>> echo requests with the destination address being my firewall itself.
>> This pattern is steady (not a flood, but it is constant). They are all
>> 64 byte packets with the payload being the typical walk through ASCII.
>> A sample of the source addresses are here:
>> That's from ~ 1000 packets sample. A good amount of these come back as
>> Anyone know what this is ? Thanks.
> As the sources are mostly in backbone networks have you thought about
> somebody running an 'mtr' which does a per-hop ICMP request continuesly?
> But those would be echo responses on your side then not requests.
> The "walk through ASCII" sounds like a normal ping at least and could
> quite well be either fping or mtr too.
> If you can provide a packet dump of at least one of these packets
> (scrubbing src/dst if you want) that would help.
> One big question of course is if your 'dst' address (the 'firewall') is
> published anywhere or not.
I think I figured it out. I ran curl against the list and they are all
"Akamai GHost" servers on port 80. My firewall also runs bind and
therefore all the devices here trying their various updates are hitting
Akamai'zed services. I guess they are trying to get stats on latency to
the DNS server (which is my firewall).
I just didn't think it would be so constant.
I found this as well:
Looks fairly dated, wonder if it does anything.
Anyway, sorry for the noise and thanks for feedback. Unless someone from
Akamai sees this and can give me a bit more clue as to what's going on - I
think I will try to send them an email directly.