Firewall Wizards mailing list archives

Re: New Script Kiddie tool ?

From: Jim MacLeod <jmacleod () hotpop com>
Date: Fri, 23 Aug 2002 09:02:01 -0700

Hello Peter,

ICMP type 8 is ping.
UDP 53 is DNS.

If it is a tool, there's nothing very exciting about it. 3 pings followedby 2 DNS, repeat.

It'd be interesting to get a capture of the traffic to see whether it'squeries or replies.

If the 61 addresses are all the same, this is most likely someone trying toDoS that device, possibly doing a modified smurf/DDoS to try to suck upyour bandwidth. There's a detailed write-up of this sort of attack athttp://www.grc.com under "Direct Reflected DoS".

Are you sure it's not more frequent, and your log source (firewall?) isonly reporting it every 10 seconds?


Regards,
-Jim MacLeod

At 04:00 PM 8/22/2002, Peter Robinson wrote:

G/Day all

Has any one seem this sort of probe ??

It apears from all over the place and it seems to be spaced exactly 10
seconds appart.

I am assuming this is a tool of sorts..


Source Address=208.184.139.82
        Aug 22 14:04:21 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:31 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:41 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:51 Firewall 208.184.139.82 61.x.x.x----UDP 53
        Aug 22 14:05:01 Firewall 208.184.139.82 61.x.x.x----UDP 53
        Aug 22 17:00:03 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:13 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:23 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:33 Firewall 208.184.139.82 61.x.x.x----UDP 53
        Aug 22 17:00:43 Firewall 208.184.139.82 61.x.x.x----UDP 53

Source Address=208.185.54.14
        Aug 22 14:04:21 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 14:04:52 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 14:05:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 15:53:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:52 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 15:54:12 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 17:00:02 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:12 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:22 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
        Aug 22 17:00:32 Firewall 208.185.54.14 61.x.x.x----UDP 53
        Aug 22 17:00:42 Firewall 208.185.54.14 61.x.x.x----UDP 53

Source Address=208.225.197.194
        Aug 22 15:53:35 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:45 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:55 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:05 Firewall 208.225.197.194 61.x.x.x----UDP 53
        Aug 22 15:54:15 Firewall 208.225.197.194 61.x.x.x----UDP 53

Source Address=208.254.18.130
        Aug 22 15:53:31 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:41 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:51 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:02 Firewall 208.254.18.130 61.x.x.x----UDP 53
        Aug 22 15:54:11 Firewall 208.254.18.130 61.x.x.x----UDP 53

Source Address=208.254.75.130
        Aug 22 15:53:32 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:42 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:53:52 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
        Aug 22 15:54:02 Firewall 208.254.75.130 61.x.x.x----UDP 53
        Aug 22 15:54:12 Firewall 208.254.75.130 61.x.x.x----UDP

Peter Robinson
Senior Security Engineer - Sydney
DeMorgan Information Security Specialists
robinson_p () demorgan com au, www.demorgan.com.au,
Tel.    1800 336 674
Tel.    +61 2 9929-0377
Fax     +61 2 9499 4885


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

New Script Kiddie tool ? Peter Robinson (Aug 22)
- RE: New Script Kiddie tool ? Kendall Risselada (Aug 23)
- Re: New Script Kiddie tool ? H. Morrow Long (Aug 23)
- Re: New Script Kiddie tool ? Jim MacLeod (Aug 23)
- X11 forwarding hermit921 (Aug 23)
  - Re: X11 forwarding David Lang (Aug 23)
  - Re: X11 forwarding Brian Hatch (Aug 23)
  - Re: X11 forwarding Kevin Steves (Aug 26)
    - Re: X11 forwarding Pierre Blanchet (Aug 27)
    - Re: X11 forwarding Kevin Steves (Aug 27)