Hello All,
We have an rb1200 v5.26.
My company has have been under constant attack for the last week and we have been successful in identifying and blocking the offending ip’s. But recently we have noticed about 330-200 KB’s of ICMP traffic being transmitted from our Wan port to some chinese IP.
I torched all other lan ports and found only a couple of bytes of ICMP traffic, all local ICMP traffic did not add up to what we see on wan.
So, it would seem that the ICMP traffic is originating from our router.
My question is this. How is this possible and how can we stop it?
Thanks in advance…
It is not uncommon for people to misinterpret what they see in Torch so firstly I would double check the direction.
Secondly, make sure nobody else left ping running on the router… 
If you are still left with a worry and want another pair of eyes to look at it drop me an email. There may may be a simple explanation. China does seem to spend a large part of its time probing IP numbers…
Thank you for the reply,
I triple checked and found no one running pings.
Here is a screenshot.
Have you checked what other traffic there is involving that host? If you sniff some of the traffic into a pcap file Wireshark can give a lot more info in the nature of the ICMP traffic.
Thank you for the reply.
I ended up just blocking the the who subnet of the offending attacker and the icmp traffic stopped.