High number of ICMP ping packets ONLY when CSF is on
Posted: 20 Feb 2024, 18:21
I'm running CentOS v7.9.2009 with WHM/cPanel. I use Cloudflare and CSF with the Cloudflare extension.
A few weeks ago, my sites started throwing intermittent Cloudflare 520 errors. The server load was fine and there was nothing in the Cloudflare logs, but I saw tons of these in /var/log/messages:
Feb 5 20:12:08 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=13.234.35.125 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=225 ID=25927 DF PROTO=ICMP TYPE=8 CODE=0 ID=24 SEQ=17491
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.27.243.34 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=17887 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.25.244.230 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=235 ID=37271 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.27.215.45 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=34018 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=54.226.52.109 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=233 ID=5851 DF PROTO=ICMP TYPE=8 CODE=0 ID=32 SEQ=18750
All of the SRC= IPs trace back to Amazon.
I flushed all of the temporary and permanent blocks in CSF, but that didn't help. I also made sure that all Cloudflare IPs were whitelisted. But I found that if I disabled CSF then the problem went away!
I sort of forgot about it until a few days ago, and then I turned CSF back on. Within 30 seconds I started seeing a spike in ICMP_IN Blocked; again, all pointing to Amazon IPs. When I looked at the "Last 100 ip tables log" in CSF, 93 of the last 100 were ICMP.
I posted in the Cloudflare forum with no help. I reached out to my server provider, too, but they don't see a problem on their end.
Any suggestions?
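One way to summarise the ICMP_IN entries quoted in the post before changing any CSF setting, as an added example that is not part of the original post: it parses those five log lines and counts blocked pings per second, per source, and per echo ID/SEQ pair. The function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# The five kernel log lines quoted in the post (hostname and DST were already redacted there).
SAMPLE = """\
Feb 5 20:12:08 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=13.234.35.125 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=225 ID=25927 DF PROTO=ICMP TYPE=8 CODE=0 ID=24 SEQ=17491
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.27.243.34 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=17887 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.25.244.230 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=235 ID=37271 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=3.27.215.45 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=238 ID=34018 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=20172
Feb 5 20:12:09 xxxx kernel: Firewall: ICMP_IN Blocked IN=venet0 OUT= MAC= SRC=54.226.52.109 DST=xxx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=233 ID=5851 DF PROTO=ICMP TYPE=8 CODE=0 ID=32 SEQ=18750
"""

# Text before PROTO=ICMP holds IP-header fields, text after it holds ICMP fields.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?ICMP_IN Blocked\*? "
                     r"(?P<ip>.*?)PROTO=ICMP (?P<icmp>.*)$")

def _fields(chunk):
    return dict(kv.split("=", 1) for kv in chunk.split() if "=" in kv)

def parse(line):
    """Return a record for one 'ICMP_IN Blocked' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, icmp = _fields(m["ip"]), _fields(m["icmp"])
    # ID= occurs twice per line: the IP ID (before PROTO=) and the ICMP echo identifier (after).
    return {"ts": m["ts"], "src": ip.get("SRC"), "type": icmp.get("TYPE"),
            "echo_id": icmp.get("ID"), "seq": icmp.get("SEQ")}

def summarize(text):
    """Count blocked pings per second and per source, and find probes shared by several sources."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    probes = defaultdict(set)  # (echo id, seq) -> sources that sent that exact echo request
    for r in recs:
        if r["type"] == "8":
            probes[(r["echo_id"], r["seq"])].add(r["src"])
    return {"total": len(recs),
            "per_second": Counter(r["ts"] for r in recs),
            "per_source": Counter(r["src"] for r in recs),
            "shared_probes": {k: sorted(v) for k, v in probes.items() if len(v) > 1}}

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("blocked ICMP lines:", s["total"])
    print("busiest seconds:", s["per_second"].most_common(3))
    print("top sources:", s["per_source"].most_common(5))
    for (echo_id, seq), srcs in s["shared_probes"].items():
        print(f"echo id={echo_id} seq={seq} seen from {len(srcs)} sources: {', '.join(srcs)}")
```

On the server, pass the contents of /var/log/messages to summarize() in place of SAMPLE.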