Firewall Wizards mailing list archives

Re: New Script Kiddie tool ?


From: "H. Morrow Long" <morrow.long () yale edu>
Date: Fri, 23 Aug 2002 11:02:07 -0400


208.184.139.82 is 208.184.139.82.speedera.com
208.185.54.14 is 208.185.54.14.speedera.com

Speedera (www.speedera.com) is a streaming content delivery company.

I noticed that Snort added a new signature recently (in the last year)
called the 'speedera ping'.

It would appear that Speedera may be trying to gauge the QoS RTT between
one of their streaming servers and an endpoint by using the ICMP Echo
packets.

The Snort rule from the std snort db is:

icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8;  sid:480;  classtype:misc-activity; rev:2;)

H. Morrow Long
University Information Security Officer
Yale University, ITS, Dir. InfoSec Office

Peter Robinson wrote:

G/Day all

Has anyone seen this sort of probe?

It appears from all over the place and it seems to be spaced exactly 10
seconds apart.

I am assuming this is a tool of sorts.

Source Address=208.184.139.82
        Aug 22 14:04:21 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:31 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:41 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:51 Firewall 208.184.139.82 61.x.x.x----UDP 53
        Aug 22 14:05:01 Firewall 208.184.139.82 61.x.x.x----UDP 53
        Aug 22 17:00:03 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:13 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:23 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:33 Firewall 208.184.139.82 61.x.x.x----UDP 53
        Aug 22 17:00:43 Firewall 208.184.139.82 61.x.x.x----UDP 53

Source Address=208.185.54.14
        Aug 22 14:04:21 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:52 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 14:05:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 15:53:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:52 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 15:54:12 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 17:00:02 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:12 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:22 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:32 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 17:00:42 Firewall 208.185.54.14 61.x.x.x----UDP 53

Source Address=208.225.197.194
        Aug 22 15:53:35 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:45 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:55 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:05 Firewall 208.225.197.194 61.x.x.x----UDP 53
        Aug 22 15:54:15 Firewall 208.225.197.194 61.x.x.x----UDP 53

Source Address=208.254.18.130
        Aug 22 15:53:31 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:41 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:51 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:02 Firewall 208.254.18.130 61.x.x.x----UDP 53
        Aug 22 15:54:11 Firewall 208.254.18.130 61.x.x.x----UDP 53

Source Address=208.254.75.130
        Aug 22 15:53:32 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:42 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:52 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:02 Firewall 208.254.75.130 61.x.x.x----UDP 53
        Aug 22 15:54:12 Firewall 208.254.75.130 61.x.x.x----UDP

Peter Robinson
Senior Security Engineer - Sydney
DeMorgan Information Security Specialists
robinson_p () demorgan com au, www.demorgan.com.au,
Tel.    1800 336 674
Tel.    +61 2 9929-0377
Fax     +61 2 9499 4885

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
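
Added example, not part of either message: a small Python triage script that checks whether each source in a log like the one quoted above repeats the same cycle, three ICMP echo requests followed by two UDP/53 packets about 10 seconds apart. The function names and the max_gap, period and jitter values are assumptions chosen to fit this log; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Excerpt of the firewall log quoted in the post (one of the five sources).
LOG = """\
Aug 22 14:04:21 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 14:04:31 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 14:04:41 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 14:04:51 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 14:05:01 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 17:00:03 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 17:00:13 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 17:00:23 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
Aug 22 17:00:33 Firewall 208.184.139.82 61.x.x.x----UDP 53
Aug 22 17:00:43 Firewall 208.184.139.82 61.x.x.x----UDP 53
"""
LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) Firewall (\S+) \S+?----(.+)")

def parse(log):
    """Return {source: [(timestamp, protocol), ...]} in time order."""
    by_src = {}
    for m in map(LINE.search, log.splitlines()):
        if m:  # the log has no year; 2002 is assumed from the post's date
            ts = datetime.strptime("2002 " + m[1], "%Y %b %d %H:%M:%S")
            by_src.setdefault(m[2], []).append((ts, m[3].strip()))
    return {src: sorted(ev) for src, ev in by_src.items()}

def bursts(events, max_gap=15):
    """Split one source's events wherever the silence exceeds max_gap seconds."""
    out = []
    for ev in events:
        if out and (ev[0] - out[-1][-1][0]).total_seconds() <= max_gap:
            out[-1].append(ev)
        else:
            out.append([ev])
    return out

def is_probe_cycle(burst, period=10, jitter=1):
    """True for 3 echo requests then 2 UDP/53 packets, each ~period seconds apart."""
    protos = [p for _, p in burst]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(burst, burst[1:])]
    return (protos == ["ICMP TYPE=8"] * 3 + ["UDP 53"] * 2
            and all(abs(g - period) <= jitter for g in gaps))

def summarize(log):
    """Return {source: (bursts matching the cycle, total bursts)}."""
    return {src: (sum(map(is_probe_cycle, bs)), len(bs))
            for src, ev in parse(log).items() for bs in [bursts(ev)]}

print(summarize(LOG))
```

A truncated record, such as the final "UDP" line in the quoted log, does not match the cycle and is counted only in the total.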