frequent pings from ntl


rikur
18-10-2007, 19:14
Every second I am receiving a ping request from 195.182.176.193

The address resolves to an ntl address, which appears to be part of the ntl core at Hersham (as opposed to a customer address).

This has been going on for several weeks.
Any idea what it is, and why it is pinging away so merrily?

Also, less often I get a series of pings from 172.22.12.222. As this is RFC1918 non-routable address space, I assume this must also be coming from ntl infrastructure.

Any ideas? Anyone else getting similar?

Not a major problem, but cluttering up my log files!

jo.v
18-10-2007, 22:00
This is a ping from the DHCP. The DHCPs ping the modems every so often to check if the modems are online so that the IP addresses are renewed when needed.

monkey2468
18-10-2007, 22:04
It shouldn't do it every second though, should it?

eth01
18-10-2007, 22:15
It shouldn't do it every second though, should it?

I wouldn't have thought so. Also, I doubt the DHCP servers would be able to cope with performing PINGs every minute or so... IMHO.. :erm:

jo.v
18-10-2007, 23:02
There is no set time on how often they ping the modems, but this does happen.
Do you get an alert when it does this?

rikur
19-10-2007, 07:54
Not an alert as such... I'm using proper Cisco PIX firewalls, so it gets trapped and logged by the PIX.

It's only been in the past few weeks that it's started happening with such vigour (i.e. every second)... it no doubt did it before that occasionally, but to be honest, with all the other noise hitting the firewall I wouldn't have noticed it.

If this is the DHCP server, I'm not sure what it is hoping to achieve by pinging, as I'm sure I'm not the only person on the network who has configured their firewall to silently drop ping requests.
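
Added example, not part of the original thread: one way to turn the logged denials rikur describes into a per-source summary (count, median gap between echo requests, whether the source is RFC1918). The log lines are constructed in the style of PIX syslog message 106014; 203.0.113.10 and 198.51.100.7 are documentation addresses, and the timings are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not real log data). 203.0.113.10 stands in for the
# firewall's WAN address; the first two sources are the ones named in the thread.
SAMPLE_LOG = """\
Oct 18 2007 19:14:01: %PIX-3-106014: Deny inbound icmp src outside:195.182.176.193 dst outside:203.0.113.10 (type 8, code 0)
Oct 18 2007 19:14:02: %PIX-3-106014: Deny inbound icmp src outside:195.182.176.193 dst outside:203.0.113.10 (type 8, code 0)
Oct 18 2007 19:14:02: %PIX-3-106014: Deny inbound icmp src outside:172.22.12.222 dst outside:203.0.113.10 (type 8, code 0)
Oct 18 2007 19:14:03: %PIX-3-106014: Deny inbound icmp src outside:195.182.176.193 dst outside:203.0.113.10 (type 8, code 0)
Oct 18 2007 19:14:03: %PIX-3-106014: Deny inbound icmp src outside:198.51.100.7 dst outside:203.0.113.10 (type 3, code 1)
Oct 18 2007 19:14:04: %PIX-3-106014: Deny inbound icmp src outside:195.182.176.193 dst outside:203.0.113.10 (type 8, code 0)
Oct 18 2007 19:14:32: %PIX-3-106014: Deny inbound icmp src outside:172.22.12.222 dst outside:203.0.113.10 (type 8, code 0)
Oct 18 2007 19:15:02: %PIX-3-106014: Deny inbound icmp src outside:172.22.12.222 dst outside:203.0.113.10 (type 8, code 0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %PIX-\d-106014: Deny inbound icmp "
    r"src \S+?:(?P<src>[\d.]+) dst \S+?:[\d.]+ \(type (?P<type>\d+), code \d+\)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def summarize_echo_requests(log_text):
    """Return {source: {count, median_interval_s, rfc1918}} for ICMP type 8 only."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["type"] == "8":  # type 8 = echo request; other types are skipped
            seen[m["src"]].append(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"))
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        # Gaps between consecutive requests show how regular the probing is.
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        addr = ipaddress.ip_address(src)
        report[src] = {
            "count": len(stamps),
            "median_interval_s": median(gaps) if gaps else None,
            "rfc1918": any(addr in net for net in RFC1918),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize_echo_requests(SAMPLE_LOG).items():
        print(src, info)
```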

mrmistoffelees
19-10-2007, 08:26
You're causing the issue yourself by blocking ICMP on the WAN port.

External ICMP requests should NOT be blocked by your router as this can affect the speed and other factors of your connection.

See Robin Walker's CM page for more info on this:

http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#stealth

rikur
21-10-2007, 22:34
I'm sure Robin's advice is well intended, but this goes against all common security best practice.

Robin's bold statements about there being no risks in having echo-reply enabled are simply wrong.

SANS Institute (http://www.sans.org/) are a slightly more authoritative source on security best practice, and they recommend that, despite the legitimate uses of ping, it's best blocked - similarly, every Verisign firewall that I've had installed blocks it.

http://www.sans.org/resources/idfaq/icmp_misuse.php

I would have thought, knowing ntl's customer base are either going to be using Windows XP, Vista, or a cheaper router, almost all of which block echo requests on the WAN, it would be a flawed design decision to require ICMP in the network design.