Thread Info
  • Locked Locked
  • Replies 13 replies
  • Subscribers 3 subscribers
  • Views 14315 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Availability Group causes hundredthousands "echo requests a day"

seroal

Hi,

a recently installed sophos utm (sw:9.355) generated about 400k of echo requests a day. In the availability group, I set the setting to query udp/53 for dns server verification. But it also makes pings, even I didn´t configure it. Now the provider asks, why our devices are generating such big amounts of pings....

Is it normal, that the availability group always creates icmp requests, additional to that setting, I made? Its strange, because it is the first time, I got an information about that. But in this case the dns servers aren´t replying to icmp requests.

If yes, is the only possibility to create a firewall rule to block that or what can I do?

Best Regards,

Sebastian



This thread was automatically locked due to age.
Parents

  • Sebastian, how do you know this is happening?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Hi Bob,

    I made a tcpdump and captured the echo requests going to the hosts within the Availability Group for the dns servers. Then I removed the two dns servers, where the administrators saw this icmp echo requests and in that moment the tcpdump stopped to output icmp requests to this servers. So Im sure, that it is this Availabilitys Group. Currently, there is only the google dns server left in the group. And the utm generates icmp requests to 8.8.8.8 all the time.....  I only configured to test udp/53.

    Take a look at the capture:

    And take a look in the raw-data, its pretty obvious, what device generates the requests.

    The udp requests are also generated, as they are configured... Every 15 seconds...

    And this are the settings:

    Greetings,

    Sebastian

  • in reply to seroal

    Hi Sebastian,

    I don't see a source IP address in the pcap screenshot. I also checked this on our test UTM and I cannot discover any ICMP requests generated via UTM itself.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • in reply to seroal

    Interesting, Sebastian ... what happens if you add a Host for 8.8.4.4 in the Availability Group?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Hi Bob,

    as expected, the host 8.8.4.4 is also beeing queried.... I think icmp requests are always done, independed from the settings for the availability group. Should be easy for sophos to say, if it´s per design....

  • in reply to BAlfson

    Hi again,

    now I have an offical answer from sophos. They say it is a feature, as also described in the online help:

    Monitoring type (only with type Availability group): Select the service protocol for the alive status checks. Select either TCP (TCPClosed connection establishment), UDP (UDPClosed connection establishment), Ping (ICMPClosed Ping), HTTP host (HTTPClosed requests), or HTTPS hosts (HTTPSClosed requests) for monitoring. When using UDP a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If ping does not succeed or the ICMP port is unreachable, the host is regarded as down.


    So, they can´t help me in this case. Even if I don´t want/need to send icmp requests, it can´t be avoided with an availability group...

    I also tried to use a firewall rule to built a workarround, but that seems to have no impact.... So for me no sultion here. Sophos either can´t or doesn´t want to help me out....

    Regards

    Sebastian

  • in reply to seroal

    Sebastian, have you perhaps made the setting in Uplink Monitoring but not in the 'Advanced' section of your Availability group(s)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Hi Bob,

    the settings are all correct. As I said, this is the official behaviour, got the information from Sophos directly... The result should be the same on any utm with v9.3.... So if you configure an availability group a ping is always made, even if your settings are configured for udp port 53 for example.

    Regards

    Sebastian

  • in reply to seroal

    Thanks, I see that now, Sebastian.  Now that I think about it, the difference is that there's no ACK packet that comes back from a UDP message as there is with a TCP SYN.  If you change to TCP 53, what happens?  How many Availability Groups are configured on that UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    The question is how sophos implements this feature. I dont know, why they have told the utm to make icmp requests, when the settings is to check for udp. I think it is a "cheap" check to verifty the port is reachable, which relies primarily on icmp . But I really have no clue why they do it this way.

    For example, with nmap you can simply check udp/53 this way: nmap -sU -p U:53 8.8.8.8 No icmp needed.

    And now, as you already mentioned, my idea was to use tcp/53. As the utm manual doesn´t mention anything from icmp in relation to with the tcp check, that could work....

    But this took weeks to get an apropiate answer.

    Regards

    Sebastian

Reply
  • in reply to BAlfson

    The question is how sophos implements this feature. I dont know, why they have told the utm to make icmp requests, when the settings is to check for udp. I think it is a "cheap" check to verifty the port is reachable, which relies primarily on icmp . But I really have no clue why they do it this way.

    For example, with nmap you can simply check udp/53 this way: nmap -sU -p U:53 8.8.8.8 No icmp needed.

    And now, as you already mentioned, my idea was to use tcp/53. As the utm manual doesn´t mention anything from icmp in relation to with the tcp check, that could work....

    But this took weeks to get an apropiate answer.

    Regards

    Sebastian

Children
No Data
Unfiltered HTML