Getting tons and tons of Amazon pings

I asked this on the CSF forum, but haven’t had any replies. It looks like that forum is mostly dead :frowning:

My server uses WHM/cPanel, and so I installed ConfigServer Firewall (CSF) several years ago. After signing on with Cloudflare, I installed the Cloudflare extension for CSF but didn’t do any customization for it.

I had a site user email me today with a screenshot of a Cloudflare error she was getting on my site, at 8:12pm EST. There’s nothing in the CF Events for that time, and I don’t see her IP address in the Events or CSF’s logs. But this is in the server’s /var/log/messages at that time:

Feb 5 20:12:08 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=13.234.35.125 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=225 ID=25927 DF PROTO=ICMP TYPE=8 CODE=0 ID=24 SEQ=17491

Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.27.243.34 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=17887 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172

Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.25.244.230 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=235 ID=37271 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172

Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.27.215.45 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=34018 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172

Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=54.226.52.109 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=233 ID=5851 DF PROTO=ICMP TYPE=8 CODE=0 ID=32 SEQ=18750

Each of the SRC= IPs traces back to Amazon, but the user that reported the error is using Charter internet (and the WHOIS info doesn’t say anything about Amazon).

I have all of Cloudflare’s IP ranges allowlisted, but I don’t see any of the blocked IPs in those ranges:

I removed all IPs from the Temporary and Permanent block lists, and that didn’t help. But when I disabled CSF, she hasn’t had a problem since.

I’m only guessing that Cloudflare is sending requests through Amazon IPs, and CSF is picking that up for some reason?

Any suggestions on how to fix that?

Hi there,

If you are seeing ICMP ping packets hitting your origin server from non-Cloudflare IP addresses then this traffic is going directly to your origin, and not routed through Cloudflare - as Cloudflare would not be forwarding ICMP packets to your origin.

Cloudflare is a reverse proxy for HTTP/S traffic and wouldn’t proxy requests through another ASN/IP range - you would only see traffic coming from Cloudflare IPs, if it was routing through Cloudflare.

Your CSF firewall looks to be doing its job (blocking ICMP) - you also mention:

“I had a site user email me today with a screenshot of a Cloudflare error she was getting on my site, at 8:12pm EST.”

Do you think these ICMP packets are related to the error your site user was facing?

From what I can see, it looks like you have a firewall configured that is doing its job and blocking unwanted ICMP traffic, but that should not be affecting what users to your site are seeing over HTTP - unless you believe the amount of ICMP traffic is overloading your origin in some way?

I’m happy to advise more, but would be interested to hear what the user’s experience was and what error they were seeing?

Sorry for the late reply! I didn’t get a notification that anyone had replied.

Ten days ago, I disabled CSF entirely and the immediate problem stopped. But then I had other issues that CSF would have blocked. So I turned CSF back on about an hour ago (around midnight), and within a few minutes I had the same Cloudflare error!

I had removed all of the permanent and temporary blocked IPs, and allowlisted Cloudflare IPs.

You asked if I think these ICMP packets are related? When I looked at the “Last 100 iptables log” in CSF, I can see that 93 of the last 100 are ICMP. I looked up a few of them, and they were all from Amazon.

I have to assume that there’s some sort of ICMP flood attack happening that’s overwhelming my firewall? I don’t intentionally use AWS, though, and I’m not sure how it would get to the firewall without going through Cloudflare first.

I’m reaching out to my server provider, I’ll update if they have any ideas.
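
One way to run the check discussed in this thread over the firewall log, as an added example that is not part of any post above: it tallies CSF "Blocked" lines by protocol and by whether SRC falls inside Cloudflare's published IPv4 ranges, and lists any blocked Cloudflare traffic to ports 80/443. The range list is a snapshot that should be refreshed from https://www.cloudflare.com/ips-v4, the function names are hypothetical, and the third sample line is constructed.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (assumption: still current;
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17
162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
""".split()]

# Matches CSF/iptables kernel log lines; DPT is only present for TCP/UDP.
LINE_RE = re.compile(
    r"Firewall: \*?\w+ Blocked\*? .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")

# Two lines quoted in the thread, plus one constructed TCP line for contrast.
SAMPLE = [
    "Feb 5 20:12:08 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=13.234.35.125 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=225 ID=25927 DF PROTO=ICMP TYPE=8 CODE=0 ID=24 SEQ=17491",
    "Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=54.226.52.109 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=233 ID=5851 DF PROTO=ICMP TYPE=8 CODE=0 ID=32 SEQ=18750",
    "Feb 5 20:12:10 xxxx kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=172.68.10.20 DST=xxx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1234 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

def is_cloudflare(ip):
    """True if ip is inside one of the Cloudflare IPv4 ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def summarize(lines):
    """Return (tally by (proto, origin), blocked Cloudflare sources on 80/443)."""
    tally = Counter()
    blocked_cf_web = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a CSF "Blocked" line
        cf = is_cloudflare(m["src"])
        tally[(m["proto"], "cloudflare" if cf else "direct")] += 1
        # Only blocked proxy traffic to the web ports can surface as a Cloudflare error page.
        if cf and m["proto"] == "TCP" and m["dpt"] in ("80", "443"):
            blocked_cf_web.append(m["src"])
    return tally, blocked_cf_web

if __name__ == "__main__":
    tally, blocked = summarize(SAMPLE)
    print(dict(tally), blocked)
```

To run it against the real log, pass `open("/var/log/messages")` to `summarize` instead of `SAMPLE`.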
