exceptional message in firewall log caused by dude v2.2

Hi,

We sometimes have alert messages in the firewall log, probably caused by Dude:

Deny icmp reverse path check from 10.236.6.201 to 172.16.xxx.xxx on interface outside

172.16.xxx.xxx is the IP of the Dude server.
The bad IP 10.236.6.201 is not in our Dude configuration.
There are 10 messages in 1 minute with the same bad IP.
What causes these alert messages?

After the first appearance we changed the machine where Dude was installed, but after some days we have the same message with the new Dude IP in the firewall log.

Any idea?

Regards
Enrico

I’d say it’s a private IP address that does not allow the return of PING replies, or other ICMP-based traffic, in order to keep someone from hitting the interface with a DDoS attack. It is common practice to apply this to outward-facing interfaces to provide some degree of security. Are you certain this is not an address that belongs to your carrier that is being detected by the Dude?
Of course, you should be able to blacklist the address so that Dude will ignore it.
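
What a strict reverse-path check of the kind named in the log line does, as an added example that is not part of either post: the packet's source address is looked up in the routing table, and the packet is denied when the route back to that source does not leave through the interface it arrived on. The routing tables and the "inside" interface name are constructed assumptions, not the poster's configuration.

```python
import ipaddress

# Constructed routing table (assumption, not from the thread): prefix -> interface.
ROUTES = [
    ("0.0.0.0/0", "outside"),   # default route towards the carrier
    ("10.0.0.0/8", "inside"),   # private range assumed to be routed internally
]

def best_route(src, routes=ROUTES):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = []
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, ifc))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def reverse_path_check(src, ingress, routes=ROUTES):
    """Strict check: permit only if the route back to src uses the ingress interface."""
    route = best_route(src, routes)
    if route is None:
        return ("deny", "no route to source")
    net, ifc = route
    if ifc != ingress:
        return ("deny", f"route {net} points to {ifc}, packet arrived on {ingress}")
    return ("permit", f"route {net} matches {ingress}")

if __name__ == "__main__":
    # Source address from the log line, arriving on the interface from the log line.
    print(reverse_path_check("10.236.6.201", "outside"))
    # Same packet when only a default route exists: the check passes.
    print(reverse_path_check("10.236.6.201", "outside", [("0.0.0.0/0", "outside")]))
    # Constructed public source (documentation range) on the outside interface.
    print(reverse_path_check("198.51.100.7", "outside"))
```

With this table the logged source is denied on "outside" because a more specific route for it points elsewhere, so comparing the firewall's own routes for 10.236.6.201 against the ingress interface is the first thing to check.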