Security Incidents mailing list archives
Re: Ping flood? Whats the point?
From: ryans () PNX COM (Ryan Sweat)
Date: Wed, 2 Feb 2000 17:05:17 -0600
Looks to me as if this was a smurf attack... or some other DoS, i.e. TFN. If many echo replies come at the same time from different source addresses, it is probably smurf. About the only thing to do is to find the owner of each network and get them to put filters in their router so they cannot be used as an amplifier.

bats

Bill Pennington wrote:

A few moments ago my firewall logs started filling up with the messages below. Basically ICMP Echos from all over the place. I have not had a lot of time to research, but it seems like a fairly random IP address distribution, and the few that I looked up seemed to originate from .kr and .ar. Should I assume that all these boxes have been compromised? Should I attempt to contact all the owners? What is the attacker trying to accomplish? Below is a small portion of the log file.

TIA

Feb 1 13:52:21 Deny inbound icmp src outside:193.65.199.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:193.71.17.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21Deny inbound icmp src outside:194.90.246.171 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:196.7.87.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:212.36.169.97 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:216.52.142.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:212.78.162.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:216.52.58.2 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:195.8.99.162 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:140.239.162.2 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21Deny inbound icmp src outside:212.35.98.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:216.52.239.2 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21Deny inbound icmp src outside:212.121.130.40 dst <>:rcgw (type 8, code 0)

--
Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
--
-----------------------------------------------------------------
The opinions expressed here aren't even mine...
To err is human...to really foul up requires the root password.
-----------------------------------------------------------------
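The reply's heuristic (many ICMP packets arriving in the same second from different source addresses) can be checked mechanically against a log in the format quoted above. The following Python sketch is an added example, not part of either post; the function names, the threshold of four sources and the sample lines (documentation-range addresses) are assumptions. It also reports the ICMP type, so echo requests (type 8) are kept apart from echo replies (type 0).

```python
import re
from collections import defaultdict

# Matches the deny lines quoted above, including the ones with no space after the time.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s*Deny inbound icmp "
    r"src \w+:(?P<src>\d+(?:\.\d+){3}) dst (?P<dst>\S+) "
    r"\(type (?P<type>\d+), code \d+\)")
ICMP_NAMES = {0: "echo-reply", 8: "echo-request"}

def parse(line):
    """Return (timestamp, src, dst, icmp_type), or None for unrelated lines."""
    m = LINE_RE.search(line)
    return (m["ts"], m["src"], m["dst"], int(m["type"])) if m else None

def find_bursts(lines, min_sources=4):
    """Group denies by (second, dst, ICMP type); report groups that were
    hit by at least min_sources distinct source addresses."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, icmp_type = rec
        groups[(ts, dst, icmp_type)].add(src)
    bursts = []
    for key in sorted(groups):
        ts, dst, icmp_type = key
        sources = groups[key]
        if len(sources) >= min_sources:
            bursts.append({
                "second": ts, "dst": dst,
                "icmp": ICMP_NAMES.get(icmp_type, f"type-{icmp_type}"),
                "distinct_sources": len(sources),
                # Distinct /24 prefixes: rough count of networks involved.
                "distinct_24s": len({s.rsplit(".", 1)[0] for s in sources}),
            })
    return bursts

# Constructed sample in the quoted log format (not the lines from the post).
SAMPLE = """\
Feb 1 13:52:21 Deny inbound icmp src outside:192.0.2.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21Deny inbound icmp src outside:198.51.100.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:203.0.113.40 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:192.0.2.97 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:21 Deny inbound icmp src outside:192.0.2.3 dst <>:rcgw (type 8, code 0)
Feb 1 13:52:22 Deny inbound icmp src outside:198.51.100.9 dst <>:rcgw (type 0, code 0)
Feb 1 13:52:22 Deny inbound tcp src outside:198.51.100.9/1025 dst <>:rcgw/23
""".splitlines()

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE):
        print(burst)
```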