Re: pings

[Leif Ericksen <leife () dls net>]

In 1 day I have seen 288 different instances of blocked packets in my
firewall on that same day I have seen 46 items in my IDS.  Mostly the
MSQL worm propagation.  If I keep this thought that I get on average the
same amount of "attacks" on a daily basis and use 100 days to keep the
math simple I see that I have had 28800 firewall hits and 4600 IDS
hits.  

Now, I have a DHCP network on a local ISP and I do not have a domain
name registered.

> Since 18th Feb. 2004, up until now, I've had 188000+ alerts.
> As it stands, 69% of these are ICMP packets.
>
> In the past, when I first installed snort on the firewall,
> most were TCP connects.  Now the majority is ICMPs.

This gives you about 596 "attacks" a day.  I have a friend that runs a
personal network and website that gets attacks likes this as well I
think his number is MUCH higher than this.
consider the following:
        - if you have a registered domain name your "attacks" are going
          to rise.
        - If you have a static IP address your "attacks" are going to 
          be increased even more.
        - If you are on a hostile network /cable modem/ or in Internet 
          in general you are going to see more attacks.
Question is the network of concern the one that you sent this message
from? (DO NOT ANSWER THAT).  :)  A Jewellery site in Hong Kong.  Are you
going to have E-commerce available?  IF so it sounds like the stakes are
rising for having packet hits.  was the IP address in question always
yours or did somebody have it prior?

Bottom like is your network sluggish because of this?  
Does your up-line provider use ping to see if your network is alive? 
Was somebody else setup on this IP that had a ping check to see if the
system was alive?
You are in the hundreds a day group for the ping...  Do you see anything
else more serious in your logs?
Where are the packets originating from?

--
Leif