Security Incidents mailing list archives
Re: ICMP attack in progress?
From: cjc () SCITEC COM (Crist J. Clark)
Date: Thu, 25 May 2000 23:47:38 -0400
On Thu, May 25, 2000 at 12:37:08PM -0500, Lic. Rodolfo Gonzalez Gonzalez wrote:
[snip]
> And soon, over and over, and also coming from these addresses (spoofed?):
>
> Chain input (policy ACCEPT):
> target     prot opt     source           destination   ports
> DENY       all  ----l-  212.41.223.98    anywhere      n/a

An address from this block tried to scan our network configuration yesterday,

May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc8.8:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc8.63:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc8.64:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.8:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.63:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.64:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.128:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.191:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.192:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.254:0 L=32 S=0x00 I=237 F=0x0000 T=239

[snip]
> And in general from the 151.27.xxx.xxx and 212.xxx.xxx.xxx nets. Any comments?

I've seen a lot of pings from 212/8 this week,

   1 212.209.6.8 -> aaa.bbb.cc9.129
   1 212.123.8.49 -> aaa.bbb.cc9.129
   1 212.41.223.9 -> aaa.bbb.cc8.63
   1 212.41.223.9 -> aaa.bbb.cc8.64
   1 212.41.223.9 -> aaa.bbb.cc8.8
   1 212.41.223.9 -> aaa.bbb.cc9.128
   1 212.41.223.9 -> aaa.bbb.cc9.191
   1 212.41.223.9 -> aaa.bbb.cc9.192
   1 212.41.223.9 -> aaa.bbb.cc9.254
   1 212.41.223.9 -> aaa.bbb.cc9.63
   1 212.41.223.9 -> aaa.bbb.cc9.64
   1 212.41.223.9 -> aaa.bbb.cc9.8
   1 212.54.68.72 -> aaa.bbb.cc9.129
   1 212.63.29.75 -> aaa.bbb.cc9.129
   1 212.105.5.185 -> aaa.bbb.cc9.129
   1 212.120.200.4 -> aaa.bbb.cc9.129
   1 212.120.68.80 -> aaa.bbb.cc9.129
   1 212.64.56.207 -> aaa.bbb.cc9.129
   1 212.95.72.236 -> aaa.bbb.cc9.129
   1 212.95.75.184 -> aaa.bbb.cc9.129
   1 212.123.10.214 -> aaa.bbb.cc9.129
   1 212.133.25.139 -> aaa.bbb.cc9.2
   2 212.134.26.248 -> aaa.bbb.cc9.129
   1 212.139.15.166 -> aaa.bbb.cc9.129
   1 212.140.80.242 -> aaa.bbb.cc9.129
   1 212.141.111.83 -> aaa.bbb.cc9.129
   1 212.141.93.249 -> aaa.bbb.cc9.129
   2 212.171.200.96 -> aaa.bbb.cc9.129
   1 212.186.24.213 -> aaa.bbb.cc9.129
   1 212.189.164.80 -> aaa.bbb.cc9.129
   1 212.205.230.19 -> aaa.bbb.cc9.129
   1 212.49.228.111 -> aaa.bbb.cc9.129
   1 212.59.192.207 -> aaa.bbb.cc9.129
   1 212.67.152.195 -> aaa.bbb.cc9.129
   1 212.183.125.174 -> aaa.bbb.cc9.129

None from the other net you mention.
--
Crist J. Clark                           cjc () scitec com
SciTec, Inc                              (609)921-3892 x252
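
Added example, not part of the original message or of anything the posters ran: one way to turn ipchains "Packet log:" lines of the kind quoted above into a per-source, per-destination tally of ICMP echo requests and to pick out sources that sweep several addresses. The function names, the `min_targets` threshold and the sample lines (RFC 5737 documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

# For PROTO=1 (ICMP) ipchains logs the ICMP type where the source port would
# be and the ICMP code where the destination port would be (":8" / ":0").
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)")

def parse(line):
    """Return the fields of one packet-log line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def tally_echo_requests(lines):
    """Count ICMP echo requests (type 8, code 0) per (source, destination)."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if (rec["proto"], rec["sport"], rec["dport"]) == (1, 8, 0):
            counts[(rec["src"], rec["dst"])] += 1
    return counts

def sweepers(counts, min_targets=3):
    """Sources that pinged at least min_targets distinct destinations."""
    targets = Counter(src for src, _dst in counts)
    return sorted(s for s, n in targets.items() if n >= min_targets)

# Constructed sample lines in the log format shown in the message.
SAMPLE = """\
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 192.0.2.9:8 198.51.100.63:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 192.0.2.9:8 198.51.100.64:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 192.0.2.9:8 198.51.100.128:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:48:01 gw kernel: Packet log: forward DENY eth1 PROTO=1 203.0.113.5:8 198.51.100.129:0 L=84 S=0x00 I=511 F=0x0000 T=52
May 24 10:48:02 gw kernel: Packet log: forward DENY eth1 PROTO=1 203.0.113.5:8 198.51.100.129:0 L=84 S=0x00 I=512 F=0x0000 T=52
May 24 10:48:05 gw kernel: Packet log: forward DENY eth1 PROTO=1 203.0.113.7:3 198.51.100.129:1 L=56 S=0x00 I=77 F=0x0000 T=60
May 24 10:48:09 gw kernel: Packet log: forward DENY eth1 PROTO=6 192.0.2.9:1025 198.51.100.10:25 L=44 S=0x00 I=90 F=0x0000 T=240
""".splitlines()

if __name__ == "__main__":
    counts = tally_echo_requests(SAMPLE)
    for (src, dst), n in sorted(counts.items()):
        print(f"{n:4d} {src} -> {dst}")
    print("sweeping sources:", sweepers(counts))
```

The address pattern also accepts redacted destinations such as aaa.bbb.cc9.129, so sanitized logs can be tallied without editing them first.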