Pure python ping is causing my Zyxel router to trigger bad-icmp-l4-size ATTACK warning [closed]

StackOverflow https://stackoverflow.com/questions/20644595

  •  19-09-2022

Question

I'm using the pure Python ping utility from ftp://ftp.visi.com/disk3/mdc/ping.py to monitor hosts across the network, and my ZyWALL USG200 router is complaining like this:

from Any to DMZ, [type=ICMP-Decoder(8911017)] bad-icmp-l4-size ATTACK bad-icmp-l4-size Action: No Action Severity: medium

What could be wrong?

UPD: I'll try to capture the actual packets via the USG's maintenance menu and compare them with Linux ping...


Solution 2

I've copied the ping packet contents from a Wireshark analysis of captured packets. The code had it as 192 letters 'Q'; ping had it a bit differently:

Replace, or insert after line 128,

data = 192 * 'Q'

with the correct definition of the packet contents:

data = 'e283030000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637'.decode("hex")  # Python 2 str.decode("hex"); on Python 3 use bytes.fromhex(...) on the same hex string

and warnings went away.

But indeed I may want to look for cleaner implementation as José suggests.

OTHER TIPS

According to your router's warning, it looks like the ICMP packet is not well formed. In particular, the size of layer 4 (ICMP) of the packet seems to be wrong (bad-icmp-l4-size).

You should use something like tcpdump to get the content of the sent packet, for example:

sudo tcpdump -nnvXS -c1 icmp

In your situation, I'd rather look for another implementation. That code is a mess.

Licensed under: CC-BY-SA with attribution