Security Incidents mailing list archives
Strange ping reply packets
From: Artur.Nowak-sec-incidents () WODIP OPOLE PL (Artur Nowak)
Date: Tue, 8 Feb 2000 17:06:02 +0100
Hi all,

Today I had two strange floods of ping reply packets. I am not sure if it's a smurf attack or something. It looks like the source IP addresses are randomly generated, so I don't know if it's possible to find the real source of the attack. If anybody has some ideas how to find the source address, I will be grateful for help.

BTW: What is usually listening on port 6700/tcp?

Feb 8 10:19:56 TCP: port 6700 connection attempt from 208.184.216.206:1526

PS. Sorry for the rather long logs.

Feb 8 10:24:25 ICMP: echo reply from 209.180.64.82 (8 bytes)
Feb 8 10:24:25 ICMP: echo reply from 149.159.75.47 (8 bytes)
Feb 8 10:24:25 ICMP: echo reply from 212.151.36.6 (8 bytes)
Feb 8 10:24:25 ICMP: echo reply from 128.255.178.104 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 204.210.11.15 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 161.112.116.112 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 149.159.94.109 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 24.25.65.32 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 204.101.60.77 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 128.210.131.189 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 129.82.96.191 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 198.68.218.53 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 194.47.110.90 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 209.166.140.96 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 212.204.129.15 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 216.63.188.108 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 24.67.11.14 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 206.243.152.214 (8 bytes)
Feb 8 10:24:27 ICMP: echo reply from 24.11.152.7 (8 bytes)
Feb 8 10:24:27 ICMP: echo reply from 144.126.186.243 (8 bytes)
Feb 8 10:24:27 ICMP: echo reply from 149.159.36.200 (8 bytes)
Feb 8 10:24:28 ICMP: echo reply from 203.134.57.37 (8 bytes)
Feb 8 10:24:29 ICMP: echo reply from 169.233.40.53 (8 bytes)
Feb 8 10:30:34 ICMP: echo reply from 208.20.66.75 (8 bytes)
Feb 8 10:30:34 ICMP: echo reply from 216.209.208.68 (8 bytes)
Feb 8 10:30:35 ICMP: echo reply from 24.200.85.233 (8 bytes)
Feb 8 10:30:35 ICMP: echo reply from 134.173.164.10 (8 bytes)
Feb 8 10:30:35 ICMP: echo reply from 24.17.32.34 (8 bytes)
Feb 8 10:30:35 ICMP: echo reply from 63.28.12.139 (8 bytes)
Feb 8 10:30:36 ICMP: echo reply from 212.151.36.6 (8 bytes)
Feb 8 10:30:36 ICMP: echo reply from 192.200.134.111 (8 bytes)
Feb 8 10:30:36 ICMP: echo reply from 131.118.92.173 (8 bytes)
Feb 8 10:30:36 ICMP: echo reply from 209.149.49.86 (8 bytes)
Feb 8 10:30:36 ICMP: echo reply from 216.209.157.141 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 209.198.205.94 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 216.122.92.141 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 155.198.180.220 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 128.210.131.189 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 148.233.90.163 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 203.134.57.37 (8 bytes)
Feb 8 10:30:37 ICMP: echo reply from 24.6.159.124 (8 bytes)
Feb 8 10:30:38 ICMP: echo reply from 129.82.96.191 (8 bytes)
Feb 8 10:30:38 ICMP: echo reply from 24.7.220.199 (8 bytes)
Feb 8 10:30:38 ICMP: echo reply from 151.21.153.30 (8 bytes)
Feb 8 10:30:39 ICMP: echo reply from 209.166.140.96 (8 bytes)
Feb 8 10:30:40 ICMP: echo reply from 24.26.67.8 (8 bytes)
Feb 8 10:30:40 ICMP: echo reply from 213.46.17.189 (8 bytes)
Feb 8 10:30:41 ICMP: echo reply from 62.20.249.113 (8 bytes)
Feb 8 10:30:43 ICMP: echo reply from 4.54.85.92 (8 bytes)

--
Artur Nowak ==> mail anowak-pgp () wodip opole pl for PGP pub_key
e-mail : anowak () wodip opole pl || anowak () polo po opole pl
www : www.wodip.opole.pl/~anowak/ || polo.po.opole.pl/~anowak/
PGP: 0x7BCE3064 | CF14 7AF4 2A1B 485E B0B5 1261 F7A1 26D5 7BCE 3064
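
A triage check for logs in the format quoted above, added here as an example and not part of the original post: it splits the echo replies into bursts, counts distinct sources per burst, and lists sources and network prefixes that recur across bursts. The function names, the 60-second burst gap, the /24 grouping and the sample lines (documentation addresses) are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample in the post's log format (documentation addresses only).
SAMPLE = """\
Feb 8 10:24:25 ICMP: echo reply from 192.0.2.10 (8 bytes)
Feb 8 10:24:25 ICMP: echo reply from 198.51.100.7 (8 bytes)
Feb 8 10:24:26 ICMP: echo reply from 203.0.113.5 (8 bytes)
Feb 8 10:24:26 TCP: port 6700 connection attempt from 192.0.2.99:1526
Feb 8 10:30:34 ICMP: echo reply from 192.0.2.10 (8 bytes)
Feb 8 10:30:35 ICMP: echo reply from 203.0.113.77 (8 bytes)
""".splitlines()

LINE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) ICMP: echo reply from "
                  r"(\d+\.\d+\.\d+\.\d+) \(\d+ bytes\)$")

def parse(lines, year=2000):
    """Yield (timestamp, source_ip) for each echo-reply line; skip other lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
            yield ts, m[4]

def bursts(events, gap=timedelta(seconds=60)):
    """Split time-ordered events into lists of sources, one list per burst."""
    out, prev = [], None
    for ts, src in sorted(events):
        if prev is None or ts - prev > gap:
            out.append([])
        out[-1].append(src)
        prev = ts
    return out

def summarize(lines, prefix=24):
    """Per-burst (replies, distinct sources) and what recurs across bursts."""
    groups = bursts(parse(lines))
    seen_src, seen_net = Counter(), Counter()
    for g in groups:
        seen_src.update(set(g))
        seen_net.update({str(ip_network(f"{s}/{prefix}", strict=False)) for s in g})
    return {
        "bursts": [(len(g), len(set(g))) for g in groups],
        "repeat_sources": sorted(s for s, n in seen_src.items() if n > 1),
        "repeat_prefixes": sorted(p for p, n in seen_net.items() if n > 1),
    }

print(summarize(SAMPLE))  # runs on the constructed sample
```

Sources or prefixes that show up in more than one burst are the ones worth reporting to the owning networks, since reflectors answering spoofed echo requests reply from their real addresses.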