K7212: Ping packets sent to FirePass are reported as lost when the -f switch is used

Non-Diagnostic

Original Publication Date: May 2, 2007

Update Date: Jan 25, 2018

Topic

When the ping -f command is used from a Linux or UNIX system to ping a FirePass controller, the ping command reports significant packet loss when the ping is terminated.

The ping utility sends Internet Control Message Protocol (ICMP) Echo Request packets (ICMP type=8, code=0) to the specified target and listens for ICMP Echo Reply packets (ICMP type=0, code=0).

When the ping -f command is run from a Linux or UNIX system, the ping utility floods the target with a large number of packets per second: it sends requests as fast as replies come back, or at least one hundred times per second, whichever is more. The flood continues until terminated by the user. Because a flood ping can saturate a network, the ping utility typically requires root privileges to use the -f option.

Note: The ping utility that is bundled with Microsoft Windows operating systems does not offer the flooding feature.

When the target is a FirePass controller, the statistics reported by the ping utility when the command terminates show significant packet loss. The FirePass controller rate-limits ICMP responses as a security measure against attacks that use an intermediary as an amplifier or as a means to camouflage the attack's source. After an initial period in which every request is answered, the rate limiting allows only one Echo Reply packet every 0.1 second (100 ms). The remaining Echo Request packets go unanswered, which produces the packet loss statistic. The loss is therefore an artifact of the rate limiting on the FirePass controller, not an indication of a problem on the network path; a ping run at the default interval of one request per second stays below the limit and is not affected. You can observe this behavior in a network packet trace.

For example:

[root@localhost ~]# tcpdump -c 200 icmp
tcpdump: listening on eth0
10:56:14.419942 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.420188 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.421291 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.421420 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.424771 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.424918 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.426674 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.426790 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.427623 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.427788 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.431343 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.431541 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.433322 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.445227 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.455261 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.475253 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.497228 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.517369 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.517485 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.518793 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.535262 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.557222 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.577512 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.597298 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.617525 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.617675 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.618954 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.635258 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.657399 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.677358 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.697340 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.717377 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.717616 172.30.8.11 > 172.30.8.240: icmp: echo reply

The corresponding statistics from this ping command show 83 percent packet loss as a result of the rate limiting:

--- 172.30.8.11 ping statistics ---
2603 packets transmitted, 437 received, 83% packet loss, 43186ms
rtt min/avg/max/mdev = 0.135/0.207/0.304/0.038 ms, ipg/ewma 16.597/0.194 ms

Note: The network packet trace does not show all of the ping packets, because of the large number of packets sent; the tcpdump -c 200 option also limits the capture to the first 200 packets.
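The following script is an added example, not code from this article or from the FirePass product. It parses the legacy tcpdump ICMP line format shown above, counts Echo Requests sent to the target and Echo Replies received from it, and measures the spacing between successive replies. Replies that arrive at a fixed interval close to the 0.1 second period described above indicate a rate limiter on the target rather than loss on the network path, which is the distinction an operator needs when a flood ping reports high loss. The sample trace is the capture from this article, embedded as a constructed string; the tolerance and minimum sample count in looks_rate_limited are assumptions chosen for the example.

```python
"""Distinguish ICMP reply rate limiting from real packet loss in a tcpdump trace.

Added example; not part of the F5 article or of FirePass.
"""
import re

# Constructed sample: the tcpdump capture from the article (target 172.30.8.11).
SAMPLE_TRACE = """\
10:56:14.419942 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.420188 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.421291 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.421420 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.424771 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.424918 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.426674 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.426790 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.427623 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.427788 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.431343 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.431541 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.433322 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.445227 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.455261 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.475253 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.497228 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.517369 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.517485 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.518793 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.535262 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.557222 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.577512 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.597298 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.617525 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.617675 172.30.8.11 > 172.30.8.240: icmp: echo reply
10:56:14.618954 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.635258 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.657399 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.677358 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.697340 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.717377 172.30.8.240 > 172.30.8.11: icmp: echo request (DF)
10:56:14.717616 172.30.8.11 > 172.30.8.240: icmp: echo reply
"""

# The ping summary line from the article.
SAMPLE_STATS = "2603 packets transmitted, 437 received, 83% packet loss, 43186ms"

# Legacy tcpdump ICMP line: "HH:MM:SS.uuuuuu SRC > DST: icmp: echo request|reply ..."
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6})\s+(\S+)\s+>\s+(\S+):\s+icmp:\s+echo (request|reply)"
)
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")


def parse_trace(text):
    """Return (seconds_since_midnight, src, dst, kind) for each ICMP echo line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips e.g. "tcpdump: listening on eth0"
        h, mi, s, us, src, dst, kind = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
        packets.append((t, src, dst, kind))
    return packets


def analyze(text, target):
    """Count requests to / replies from target and measure reply spacing in ms."""
    packets = parse_trace(text)
    requests = [p for p in packets if p[3] == "request" and p[2] == target]
    replies = [p for p in packets if p[3] == "reply" and p[1] == target]
    loss_pct = 100.0 * (len(requests) - len(replies)) / len(requests) if requests else 0.0
    gaps_ms = [round((b[0] - a[0]) * 1000, 1) for a, b in zip(replies, replies[1:])]
    return {"requests": len(requests), "replies": len(replies),
            "loss_pct": round(loss_pct, 1), "reply_gaps_ms": gaps_ms}


def looks_rate_limited(gaps_ms, period_ms=100.0, tolerance_ms=20.0, min_samples=3):
    """Heuristic: replies paced at a fixed period point to a limiter, not path loss.

    period_ms is the 0.1 s interval the article describes; tolerance_ms and
    min_samples are assumptions for this example, not FirePass parameters.
    """
    paced = [g for g in gaps_ms if abs(g - period_ms) <= tolerance_ms]
    return len(paced) >= min_samples


def parse_ping_stats(line):
    """Return (transmitted, received, loss_pct) from a ping summary line."""
    m = STATS_RE.search(line)
    if not m:
        raise ValueError("not a ping statistics line")
    return tuple(int(x) for x in m.groups())


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE, "172.30.8.11")
    print(result, "rate limited:", looks_rate_limited(result["reply_gaps_ms"]))
    tx, rx, loss = parse_ping_stats(SAMPLE_STATS)
    print(f"ping reported {loss}% loss; recomputed {round(100 * (tx - rx) / tx)}%")
```

Run against the capture above, the first six replies follow their requests within a few milliseconds, after which the surviving replies arrive roughly 100 ms apart while requests keep flowing every 10 to 20 ms, the pattern of a limiter rather than of random loss. Real path loss produces irregular reply gaps and does not begin abruptly after an initial burst of answered requests.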

Applies to:

Product: Legacy Products, FirePass 6.0.1, 6.0.0