Security Basics mailing list archives
Re: pings
From: Leif Ericksen <leife () dls net>
Date: Wed, 29 Dec 2004 08:17:41 -0600
In 1 day I have seen 288 different instances of blocked packets in my firewall; on that same day I have seen 46 items in my IDS, mostly the MSQL worm propagation. If I keep this thought that I get on average the same amount of "attacks" on a daily basis, and use 100 days to keep the math simple, I see that I have had 28800 firewall hits and 4600 IDS hits. Now, I have a DHCP network on a local ISP and I do not have a domain name registered.
Since 18th Feb. 2004, up until now, I've had 188000+ alerts. As it stands, 69% of these are ICMP packets. In the past, when I first installed snort on the firewall, most were TCP connects. Now the majority is ICMPs.
This gives you about 596 "attacks" a day. I have a friend that runs a personal network and website that gets attacks like this as well; I think his number is MUCH higher than this.

Consider the following:
- If you have a registered domain name your "attacks" are going to rise.
- If you have a static IP address your "attacks" are going to be increased even more.
- If you are on a hostile network /cable modem/ or on the Internet in general you are going to see more attacks.

Question: is the network of concern the one that you sent this message from? (DO NOT ANSWER THAT). :) A Jewellery site in Hong Kong. Are you going to have E-commerce available? IF so, it sounds like the stakes are rising for having packet hits.

Was the IP address in question always yours, or did somebody have it prior?

Bottom line is: is your network sluggish because of this? Does your up-line provider use ping to see if your network is alive? Was somebody else set up on this IP that had a ping check to see if the system was alive?

You are in the hundreds a day group for the ping... Do you see anything else more serious in your logs? Where are the packets originating from?

--
Leif