
Android

Why is my new Vodafone S7 sending ICMP fragments to my firewall?

tobiz
2: Seeker

My new Vodafone S7 is sending ICMP fragments to my firewall. My router firewall rules take these to be a DoS attack and are configured to send me an email when such attacks occur. I've tried turning off the WiFi on the S7 and this causes the ICMP fragments to stop. I've tried setting the S7 into Airplane mode and the ICMP fragments stop. It has been suggested elsewhere that the problem is caused as follows: the mobile phone connection uses IPv6 and when a connection is made the phone sends 'keepalives' using IPv4 over the WiFi connection (i.e. the 'internet'); it is these IPv4 keepalives that are causing ICMP fragments. I have no way of knowing if this is correct; however, if it is correct, ICMP fragments should not occur in the Android network s/w and hence is a bug. All I would like is a solution to the problem, which is not changing my router firewall rules!

12 REPLIES
TJ
Administrator

@tobiz I'm sorry to hear this is happening, I'll be more than happy to try and help. So we can do this, we'll just have to ask you a few extra questions.

- Does this happen when you're using your mobile data?

- What router are you using and who provides your internet service?

- Have you checked for any service updates on the phone or the router?

Let us know and we'll see if there's anything that we can advise.

tobiz
2: Seeker

Router is Draytek 2820

Phone service provider is Vodafone

Internet provider is Plusnet

Problem happens all the time, stops if set in airplane mode and Wi-Fi is on. Phone is up to date with updates. Phone has been factory reset to try and clear, no change. Problem has been reported by others, see Spiceworks. Only S7 causes the problem, not iPhone, not old Nokia, not old Dell mobile. Any more info you need? Pretty clear it's the S7 phone.

tobiz
2: Seeker

@tobiz wrote:

Router is Draytek 2820

Phone service provider is Vodafone

Internet provider is Plusnet

Problem happens all the time, stops if set in airplane mode and Wi-Fi is on. Phone is up to date with updates. Phone has been factory reset to try and clear, no change. Problem has been reported by others, see Spiceworks. Only S7 causes the problem, not iPhone, not old Nokia, not old Dell mobile. Any more info you need? Pretty clear it's the S7 phone.

 

Correction. It still happens in airplane mode and wifi on. Trying wifi off and airplane mode on.

Msg from router when it happens is:

[DOS][Block][icmp_fragment][192.168.1.1->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=8, Code=0

 

hrym
17: Community Champion

This isn't a situation I'm familiar with but, coming from outside, two things occur to me:

1. Turning wifi off would break the connection to the router and that would surely stop it happening, whatever the cause?
2. Have you spoken to Draytek, who will be more familiar with the architecture/router firmware and be able to understand the cause? They may, of course, simply pass the blame back to Android if they don't have a solution.

How likely are you to suffer a DoS attack, and do you need that protection?

Edited to add: thinking about this further, this may well be an Android rather than specifically an S7 issue. The iPhone and old Nokia certainly aren't Android and I don't think the Dell ones were either (or were a much earlier version if they were).

It's also odd that the phone would be using both mobile data and wifi at the same time, effectively communicating by two separate paths. What happens if you turn off mobile data and use only wifi?

 

tobiz
2: Seeker

@hrym wrote:

This isn't a situation I'm familiar with but, coming from outside, two things occur to me:

1. Turning wifi off would break the connection to the router and that would surely stop it happening, whatever the cause?
2. Have you spoken to Draytek, who will be more familiar with the architecture/router firmware and be able to understand the cause? They may, of course, simply pass the blame back to Android if they don't have a solution.

How likely are you to suffer a DoS attack, and do you need that protection?

Edited to add: thinking about this further, this may well be an Android rather than specifically an S7 issue. The iPhone and old Nokia certainly aren't Android and I don't think the Dell ones were either (or were a much earlier version if they were).

It's also odd that the phone would be using both mobile data and wifi at the same time, effectively communicating by two separate paths. What happens if you turn off mobile data and use only wifi?

 


Thanks for getting back. If I turn WiFi off the situation stops, i.e. phone in mobile mode only. The Dell phone was Android; it didn't have the problem but was an old version of Android. Just as an aside, my old Samsung tablet, which runs an old version of Android (WiFi only, no mobile connection), doesn't do it but it will set up VPN connections; however, the new S7 won't set up VPN connections unless it is set to not be in power saving mode. This suggests Android might sort of regress in some areas in later updates. But I digress.

If you look at Spiceworks, you'll see this problem has been noted before. The explanation was as follows: "This can happen, and may create spoof warnings. In a blending environment where your network is IPv4 and you have a phone with more than likely an IPv6 cellular connection. It constantly tries to send keep alives via the IPv4 interface, but shows an IPv4 return address. This happened to me with apple Tablets and airprint. If there is not a device with IPv6 enabled on the network it freaks out the firewall. Sonic Wall it flags as spoof. In your case it could be the cell phone trying to pool available wireless networks."

I sort of understand this, this could be the case; for some reason Android sends IPv4 keepalives over the WiFi connection when the mobile connection is IPv6. So when the WiFi is off the keepalives (which may still be IPv4) get sent on the mobile connection and not via my Draytek router. Even if this is the case, why some Android network s/w is sending fragmented ICMP packets over WiFi is not only a mystery but WRONG! My only solution is to turn off Draytek firewall logging. This is curing the symptoms and not the problem; and yes, it is useful to see DoS attacks, they happen more frequently than you might think and result in a temporary internet connection slow down (sort of what they are trying to achieve).

hrym
17: Community Champion

I'd still be interested to know what happens if you turn mobile data off and run on Wi-Fi only. My guess would be that it'll be fine because there's only one connection. Turning wifi off takes the router out of the equation, so I'm not surprised the problem goes away.

Broadband connections slow for all kinds of reasons, not least contention. I really doubt DoS unless you're running something that's worth interrupting for either political or commercial reasons.

tobiz
2: Seeker

@hrym wrote:

I'd still be interested to know what happens if you turn mobile data off and run on Wi-Fi only. My guess would be that it'll be fine because there's only one connection. Turning wifi off takes the router out of the equation, so I'm not surprised the problem goes away.

Broadband connections slow for all kinds of reasons, not least contention. I really doubt DoS unless you're running something that's worth interrupting for either political or commercial reasons.


What I've done is contact Draytek Support and they advised upgrading to their latest firmware for the 2820n, which I've done. I then turned the 2820n firewall logging on and the Samsung S7 on in Airplane mode (i.e. no mobile connection hence no mobile data) but WiFi on, i.e. any network traffic from the S7 goes via the router. I checked the router DHCP table and 192.168.1.31 it says is the Samsung Galaxy S7 (which I've now bound), which incidentally, is what the S7 says itself (it also gives an IPv6 address of fe80:6d6:aaff:fe86:6a37). I set the router to DoS logging and all rules on. This was all set up at ~13:46. At 13:54 I get:

2018/03/07 13:52:34 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=8, Code=0]
2018/03/07 13:52:34 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=83, Code=84]

Which to my mind is pretty conclusive; 192.168.1.31 is the S7 and it is sending icmp_fragments directly to the router at 192.168.1.1.

There is either something seriously wrong with the Android 7.0 (kernel version 3.18.14-12365438) or there is something running on my phone causing this even though any s/w either came with the phone, was upgraded by a standard route or has been installed from Play Store.

The next msg from the firewall is at 14:00 (and again at 14:10) and is:

2018/03/07 13:54:47 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=8, Code=0]
2018/03/07 13:54:47 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=83, Code=84]

I strongly suspect if I turn the firewall rule for icmp fragments off I then get:

2018/03/07 09:18:00 -- [DOS][Block][ping_of_death][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=8, Code=0]
2018/03/07 09:18:00 -- [DOS][Block][ping_of_death][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=83, Code=84]

Which seems to me to be much worse. The evidence very convincingly points to the S7 at 192.168.1.31 doing something it really ought not to do (possibly at 10min intervals)! This is not broadband contention, this is a bug in Android 7.0 (or some other Android s/w/App which should not be doing what it's doing). The fragmented flag should not be set in packets when they're not and nothing should be sending "The ping of death" (i.e. too many pings too fast).

If there is any other info anyone wants to resolve this issue they only have to ask and I will do my best to supply it.
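
Added example (not part of the thread, and not DrayTek or Samsung code): a Python sketch that parses the DoS log lines quoted in the post above, groups entries sharing a timestamp and address pair, and reports the spacing between groups. It assumes the log layout shown in the post, and that an entry whose Type/Code is not 8/0 is a non-first IP fragment whose leading payload bytes the router printed as Type and Code; that reading is an assumption, not something the thread confirms.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four icmp_fragment entries from the post above, embedded as sample input.
SAMPLE_LOG = """\
2018/03/07 13:52:34 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=8, Code=0]
2018/03/07 13:52:34 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=83, Code=84]
2018/03/07 13:54:47 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=8, Code=0]
2018/03/07 13:54:47 -- [DOS][Block][icmp_fragment][192.168.1.31->192.168.1.1][ICMP][HLen=20, TLen=1500, Type=83, Code=84]
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) -- \[DOS\]\[(?P<action>\w+)\]\[(?P<rule>\w+)\]"
    r"\[(?P<src>[\d.]+)->(?P<dst>[\d.]+)\]\[ICMP\]"
    r"\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+), Type=(?P<type>\d+), Code=(?P<code>\d+)\]"
)

def parse(log):
    """Return one dict per recognised DoS log line; other text is skipped."""
    events = []
    for m in LINE_RE.finditer(log):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
        e.update({k: int(e[k]) for k in ("hlen", "tlen", "type", "code")})
        events.append(e)
    return events

def bursts(events):
    """Group entries sharing (timestamp, src, dst): candidates for one fragmented datagram."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ts"], e["src"], e["dst"])].append(e)
    report, last_seen = [], {}
    for (ts, src, dst), frags in sorted(groups.items()):
        other = [f for f in frags if (f["type"], f["code"]) != (8, 0)]
        before = last_seen.get((src, dst))
        report.append({
            "time": ts, "src": src, "dst": dst,
            "echo_requests": len(frags) - len(other),
            # Assumption: Type/Code on these entries are payload bytes, shown as ASCII.
            "other_as_ascii": "".join(chr(f["type"]) + chr(f["code"]) for f in other),
            "ip_bytes": sum(f["tlen"] for f in frags),
            "gap_s": None if before is None else int((ts - before).total_seconds()),
        })
        last_seen[(src, dst)] = ts
    return report
```

Calling `bursts(parse(SAMPLE_LOG))` gives one row per timestamp; feeding it a longer router log export shows whether the groups recur at a fixed interval from a single source address.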

hrym
17: Community Champion

Ah, so it seems that this is purely a wifi issue, rather than something strange between mobile data and wifi. I think your next port of call is Samsung, as they're responsible for the firmware.

When I referred to contention, btw, I was talking about reasons for the connection slowing, rather than anything to do with this particular issue.

It's possible that this is more widespread, but that most people aren't logging router activity and therefore don't notice it.

Uno28
4: Newbie

Have you got Wifi Calling enabled on your handset by any chance? If you have, try disabling that and then see if you are still seeing the same action.

tobiz
2: Seeker

@Uno28 wrote:

Have you got Wifi Calling enabled on your handset by any chance? If you have, try disabling that and then see if you are still seeing the same action.


I only found out what WiFi calling was a few days ago; interesting, but no, I live in the middle of a town with good mobile coverage.  So the answer to "is WiFi calling" enabled, is - no.

Thanks for the idea.

tobiz
2: Seeker

@hrym wrote:

Ah, so it seems that this is purely a wifi issue, rather than something strange between mobile data and wifi. I think your next port of call is Samsung, as they're responsible for the firmware.

When I referred to contention, btw, I was talking about reasons for the connection slowing, rather than anything to do with this particular issue.

It's possible that this is more widespread, but that most people aren't logging router activity and therefore don't notice it.

 


Yes I understood why you mentioned contention. My point as I suspect you guessed, is that if the router firewall is using a lot of its processor resource to block 'local' DoS attacks its throughput will go down which could look like broadband contention, but isn't. I suspect your last point is correct; my solution at the moment is to turn all firewall logging off (which I suspect is the case for most people), but that only cures the symptoms not the disease. I will follow it up with Samsung and Android. (I wonder if I can turn firewall logging off for one specific IP??)
