
Availability Group causes hundreds of thousands of echo requests a day

Hi,

A recently installed Sophos UTM (SW 9.355) generated about 400k echo requests a day. In the availability group, I set the setting to query udp/53 for DNS server verification. But it also sends pings, even though I didn't configure that. Now the provider is asking why our devices are generating such large amounts of pings....

Is it normal that the availability group always creates ICMP requests in addition to the setting I made? It's strange, because this is the first time I have heard about that. But in this case the DNS servers aren't replying to ICMP requests.

If yes, is the only option to create a firewall rule to block that, or what else can I do?

Best Regards,

Sebastian



  • Thanks, I see that now, Sebastian. Now that I think about it, the difference is that there's no ACK packet that comes back from a UDP message as there is with a TCP SYN. If you change to TCP 53, what happens? How many Availability Groups are configured on that UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The question is how Sophos implements this feature. I don't know why they have told the UTM to make ICMP requests when the setting is to check for UDP. I think it is a "cheap" check to verify the port is reachable, which relies primarily on ICMP. But I really have no clue why they do it this way.

    For example, with nmap you can simply check udp/53 this way: nmap -sU -p U:53 8.8.8.8. No ICMP needed.

    And now, as you already mentioned, my idea was to use tcp/53. As the UTM manual doesn't mention anything about ICMP in relation to the TCP check, that could work....

    But it took weeks to get an appropriate answer.

    Regards

    Sebastian
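    Bob's point (a UDP probe gets no ACK the way a TCP SYN does) and Sebastian's nmap check come down to the same thing: the only positive proof that a udp/53 resolver is up is a DNS response from it, and silence on UDP is ambiguous. The script below is an added example, not code from this thread or from Sophos, showing how a DNS availability check can be done on udp/53 and tcp/53 by sending a real query and validating the reply, so no ICMP echo is needed at all. The function names, the query name example.com and the handling of a UDP timeout as "unknown" are this example's own assumptions.

```python
import secrets
import socket
import struct


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query packet (RD=1) for `name`; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data: bytes, qid: int) -> dict:
    """Check that `data` is a DNS response to our query and summarise its header.

    Raises ValueError if it is too short, carries another transaction ID,
    or is not flagged as a response (QR bit clear)."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch: got %#x, expected %#x" % (rid, qid))
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return {
        "rcode": flags & 0x000F,            # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED, ...
        "truncated": bool(flags & 0x0200),  # TC set: answer did not fit in UDP, retry over TCP
        "answers": an,
    }


def check_udp(server: str, name: str = "example.com", timeout: float = 2.0, port: int = 53):
    """Send one DNS query over udp/53 and return the parsed reply.

    Returns None if the server stays silent. Silence is ambiguous (filtered,
    down, or the packet was lost), so a caller should treat None as 'unknown'
    rather than 'down'. No ICMP is sent or consulted."""
    qid = secrets.randbelow(0x10000)  # random ID so a stray reply cannot match
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, qid)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def check_tcp(server: str, name: str = "example.com", timeout: float = 2.0, port: int = 53):
    """Same query over tcp/53 (RFC 1035 two-byte length prefix).

    Here the transport itself is unambiguous: a refused or timed-out
    connect raises OSError instead of leaving us guessing."""
    qid = secrets.randbelow(0x10000)
    query = build_query(name, qid)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_response(data, qid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"  # the server from the nmap example
    print("udp/53:", check_udp(target))
    try:
        print("tcp/53:", check_tcp(target))
    except OSError as exc:
        print("tcp/53: connection failed:", exc)
```

    Run it as `python3 dnscheck.py <resolver-ip>`: a healthy resolver answers both checks with rcode 0 (or 3 for a name it does not know, which still proves the service is up); a udp/53 timeout prints None and says nothing about whether the host is alive, which is exactly the gap a pure port probe cannot close without something like ICMP.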

  • All,

    This is a known behavior in UTM and considered normal as long as nothing is affected. This is taken into consideration under NUTM-4760 but unfortunately, there will be no change as of now.

    Thanks for the patience. 

    Sachin Gurung
    Team Lead | Sophos Technical Support