Security Basics mailing list archives

RE: IP flood?


From: "Wright, Jeremy" <wright () admworld com>
Date: Wed, 17 Sep 2003 16:23:44 -0500

Possibly there are other devices within the ISP's IP range that have Welchia...

-----Original Message-----
From: Eric Brown [mailto:ericbrow () ziplip com]
Sent: Wednesday, September 17, 2003 11:01 AM
To: security-basics () securityfocus com
Subject: IP flood?


Hello all,

I've been watching the list for quite a while now, and I've run across a problem where I can't find a solution.

My neighbor got cable internet a few months ago.  He's got a Win98 machine that's running the latest version of Zone Alarm.

Two weeks ago, he started getting pings that appeared to be from many different IPs, all within the cable ISP's IP range.  He likes to see any kind of hits he gets, so he has Zone Alarm set to pop up a window each time.  The pings are not steady.  He might get one in a 10 second window, then a dozen in the next second.

He called tech support, and they changed his dynamic IP to a different one, and this stopped the activity for about an hour.  I uninstalled an older version of Zone Alarm, and installed the newest one, and the activity stopped for about 2 hours.  His Norton's anti-virus is fully updated.  I've run NMap and LANguard network scanner.  With Zone Alarm on, he doesn't show up.  Without Zone Alarm, no ports other than what you would expect on a Win98 machine (no 31337).  I ran grc.com's Shields Up and got nothing.

Can we stop the IP flood?  Can or should the ISP?  Or should he just shut off notification in Zone Alarm so he doesn't see the messages?

Thanks,
Eric Brown


To do is to be.  -Socrates
To be is to do.  -Sartre
Do be do be do.  -Sinatra

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------



