
[New WTFBin]: pia-daemon (Private Internet Access) ICMP Flood

Open • Nynxz opened this issue 11 months ago • 0 comments

  • Contributor Name: Henry Lee @nynxz
  • Application/Executable: pia-daemon https://github.com/pia-foss/desktop https://github.com/pia-foss/desktop/tree/master/daemon/src
  • WTF Behavior Description: pia-daemon emits 'ICMP Flood' behavior every minute. This is a 'latency check' which is used for server selection. This occurs when PIA is installed & disconnected. The GUI/frontend is not required to be running, only the pia-daemon.

Unifi IPS detects some IPs from this latency check as IPS Alert 2: Misc Attack. Signature ET CINS Active Threat Intelligence Poor Reputation IP group 46. From: <source ip>:0, to: <dest ip>:0, protocol: ICMP

  • Link to Documentation of Behavior: https://github.com/pia-foss/desktop/blob/master/daemon/src/latencytracker.cpp#L64-L101 https://github.com/pia-foss/desktop/blob/master/daemon/src/latencytracker.cpp#L34



Ran into this myself. Stumbled upon an answer once narrowing down a possible cause. https://www.reddit.com/r/PrivateInternetAccess/comments/lzgoe8/icmp_flood_when_pia_installed/

  • Credits to rust_guy5 - https://www.reddit.com/r/PrivateInternetAccess/comments/lzgoe8/comment/gq2b90b/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Nynxz, Jan 01 '25 04:01
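An added example, not part of the issue or of PIA's code: it flags sources whose ICMP echo traffic arrives as fan-out bursts recurring about once a minute, the pattern the issue describes, so an analyst can separate a periodic latency sweep from other ICMP alerts. The event tuple format, the thresholds, the function names and the addresses are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

def make_sample():
    """Constructed ICMP echo events (epoch_seconds, src_ip, dst_ip); documentation-range IPs."""
    events = []
    for sweep in range(5):                       # five sweeps, 60 s apart
        base = 1000 + sweep * 60
        for i in range(8):                       # eight destinations per sweep (assumed)
            events.append((base + i * 0.05, "192.0.2.10", f"198.51.100.{i + 1}"))
    for t in (1003, 1010, 1011, 1190):           # unrelated host pinging one target irregularly
        events.append((t, "192.0.2.20", "203.0.113.5"))
    return events

def find_bursts(times_dsts, gap=5.0):
    """Group (time, dst) pairs into bursts separated by more than `gap` seconds."""
    bursts = []
    for t, dst in sorted(times_dsts):
        if bursts and t - bursts[-1]["end"] <= gap:
            bursts[-1]["end"] = t
            bursts[-1]["dsts"].add(dst)
        else:
            bursts.append({"start": t, "end": t, "dsts": {dst}})
    return bursts

def periodic_sweep_sources(events, period=60.0, tolerance=5.0, min_dsts=4, min_bursts=3):
    """Return sources whose multi-destination ICMP bursts recur every `period` seconds."""
    by_src = defaultdict(list)
    for t, src, dst in events:
        by_src[src].append((t, dst))
    result = {}
    for src, items in by_src.items():
        # Keep only bursts that fan out to several destinations at once.
        wide = [b for b in find_bursts(items) if len(b["dsts"]) >= min_dsts]
        if len(wide) < min_bursts:
            continue
        intervals = [b["start"] - a["start"] for a, b in zip(wide, wide[1:])]
        if abs(median(intervals) - period) <= tolerance:
            result[src] = {
                "bursts": len(wide),
                "median_interval": median(intervals),
                "dsts": len(set().union(*(b["dsts"] for b in wide))),
            }
    return result

if __name__ == "__main__":
    print(periodic_sweep_sources(make_sample()))
```

A source reported here is a candidate for process-level confirmation on the host (for example, checking whether pia-daemon is running) before any alert suppression is written.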