For the past 3 or so months I’ve been noticing entries in Suricata that concern me. Maybe they are benign, but figured I’d throw this out there and see if anyone has/is experiencing this.
There is a pattern to these entries. All of them are listed as 'PROTOCOL-ICMP Destination Unreachable Network Unreachable'. But it’s like there is a cron that fires this off once every hour and 5 +/- minutes.
12/13/2025 16:55:02
12/13/2025 15:50:01
12/13/2025 14:45:01
12/13/2025 13:40:01
12/13/2025 12:35:01
12/13/2025 11:30:01
12/13/2025 10:25:02
12/13/2025 09:20:01
12/13/2025 08:15:01
12/13/2025 07:10:01
These IP ranges are usually from China, Romania, and Singapore. The biggest ‘offender’ being China:
203.119.27.1 was found in our database!
This IP was reported 11 times. Confidence of Abuse is 1%:
ISP China Internet Network Information Center
Usage Type Data Center/Web Hosting/Transit
ASN AS24406
Hostname(s) c.dns.cn
Domain Name cnnic.cn
Country 🇨🇳 China
City Shanghai, Shanghai
Thing is, these IPs are usually what I consider ‘clean’. Not a lot of abuse reports. On the surface, I know what 'PROTOCOL-ICMP Destination Unreachable Network Unreachable' means. Pretty self-explanatory. What I’m trying to figure out is the why part.
I have gone through my logs, monitored for any calls to these IPs from inside the network, and I come up empty. Nothing within my network, whether server or other devices, is requesting data from these IPs. I have no cron set to do such on an hour-and-5-minute interval.
So I’m left wondering, is this normal network chatter? Perhaps scraping attempts? Or perhaps breach attempts. So, I sit at the feet of the network experts to be schooled and see if I have some misconfiguration, or if it’s nothing to be worried about, or what the devil is going on.
ETA: Suricata is running in conjunction with pfSense as part of a standalone firewall. ETA2: Also running the evil Cloudflare Tunnel/Zero Trust.
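One triage step for alerts like this is to confirm whether the cadence really is as regular as it looks, since a fixed interval with almost no jitter points to a scheduler somewhere rather than random background noise. The script below is an added example, not part of the original post or of Suricata; it parses the timestamp list quoted above (the date format and jitter threshold are assumptions) and reports the median inter-arrival gap and the worst deviation from it.

```python
from datetime import datetime
from statistics import median

# Constructed input: the ten alert timestamps quoted in the post above,
# in the MM/DD/YYYY HH:MM:SS form the poster used (newest first).
ALERT_TIMES = """
12/13/2025 16:55:02
12/13/2025 15:50:01
12/13/2025 14:45:01
12/13/2025 13:40:01
12/13/2025 12:35:01
12/13/2025 11:30:01
12/13/2025 10:25:02
12/13/2025 09:20:01
12/13/2025 08:15:01
12/13/2025 07:10:01
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumption: matches the pasted list


def parse_times(text: str) -> list[datetime]:
    """Parse one timestamp per line, skipping blanks, and sort oldest first."""
    return sorted(
        datetime.strptime(line.strip(), TIME_FORMAT)
        for line in text.splitlines()
        if line.strip()
    )


def intervals_seconds(times: list[datetime]) -> list[int]:
    """Seconds between each consecutive pair of alerts."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def periodicity(text: str, max_jitter_s: int = 60) -> dict:
    """Summarise how regular the alert cadence is.

    'periodic' is True when every gap sits within max_jitter_s of the
    median gap, i.e. the spacing is tight enough to suggest a scheduled job.
    """
    times = parse_times(text)
    gaps = intervals_seconds(times)
    med = median(gaps)
    worst = max(abs(g - med) for g in gaps)
    return {
        "count": len(times),
        "median_gap_s": med,
        "max_jitter_s": worst,
        "periodic": worst <= max_jitter_s,
    }


if __name__ == "__main__":
    print(periodicity(ALERT_TIMES))
```

For the quoted list this reports a median gap of 3900 seconds (65 minutes) with at most one second of jitter, which is consistent with the poster's "every hour and 5 minutes" observation.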


Suricata monitors both WAN & LAN. I also use ntopng for traffic analysis.
All multicast/broadcast are confined to local and are not leaked to the WAN…that I know of. I’m guessing that’s what you are telling me. Again, I do not possess the skills of a seasoned network engineer, which is why I’m consulting with the experts. I just know what I see on my network and investigate/research until I have a broader understanding.