Network Analyzer: constant flow of ICMP packets to {myip}.ssh

November 8, 2015 1.3k views
Networking Security CentOS

I'm getting a constant flow (about 1 packet per second) of these ICMP network packets (See below). Can anyone enlighten me as to what is happening? My droplet is and the address ( changes in almost every packet. Thanks in advance.

tcpdump -nv icmp

14:31:28.860085 IP (tos 0xc0, ttl 64, id 4507, offset 0, flags [none], proto ICMP (1), length 80) > ICMP host unreachable - admin prohibited, length 60
IP (tos 0x0, ttl 113, id 31537, offset 0, flags [DF], proto TCP (6), length 52) > Flags [S], cksum 0xb79e (correct), seq 1121351023, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

2 Answers

The network capture you provided us shows your droplet sending an ICMP packet to with reason "unreachable - admin prohibited", presumably in regards to another connection attempt or packet.

  • Thank you for replying.

    I think I get that part, but just below that line, where the foreign ip begins (, was that the original request? It appears to be directed to my port 22. Does this mean I'm getting a portscan on 22 this frequently?

Here is a

tcpdump -nv tcp

20:24:08.884069 IP (tos 0x0, ttl 118, id 4251, offset 0, flags [DF], proto TCP (6), length 48) > Flags [S], cksum 0xe091 (correct), seq 1478118705, win 8192, options [mss 1460,nop,nop,sackOK], length 0

So I guess they are coming in tcp and the response going back out is icmp?

  • Yes, that is correct.

    • Do you read this as a connection attempt, or a port scan? Or is there a difference?

      • tcpdump wouldn't show the difference between the two, if there is one. Given how you don't seem to be accepting packets on port 22, there is no possibility of a connection being established. They would have to use port 50626.

        • Thanks again gp+digitalocean,

          The packets that these botnets/scanners are sending to my droplet, will that count against my data usage limits? I've logged about 15k unique ip's sending tcp packets to my ip:22 in about 24 hours, and my server sends an ICMP reply to each one.

          • Botnet traffic isn't any different than regular traffic and it will count against your transfer quotas if it's in the right direction.

  • (Fedora 22)

    I just changed my default iptables INPUT rule from

    -A INPUT -j REJECT --reject-with icmp-host-prohibited


    -A INPUT -j DROP

    and now I am no longer replying to each port 22 connection attempt.

Have another answer? Share your knowledge.