Security Incidents mailing list archives
Re: Ping flood?
From: Joe Stewart <jstewart () LURHQ COM>
Date: Mon, 27 Nov 2000 20:44:07 -0500
On Thu, 23 Nov 2000 17:18:58 -0200, admin () CAMARASJC SP GOV BR wrote:
I was hit, at 09:37:36 -> 09:37:42 (-2 GMT) by 83 pings originating from the 83 unique hosts (mail me for a complete list of hosts if you want it) directed towards a single host. Snort picked them up as *NIX Type pings. I guess they were probably spoofed hosts due to the fact that they all hit within a 7 second window. The intresting things about the flood of pings was that all the TTLs were in the high 40s and low 50s (not that it means anything, it's just something I noticed). Has anyone been hit by anything like this in the past few days?
These are probably coming from Internap/pnap.net The host being pinged is your DNS server, right? They're using coordinated pings from their nameservers to everyone else's nameservers to determine the best routes for their network, and triggering everyone's IDS in the process. See http://www.sans.org/y2k/102500.htm -Joe -- Joe Stewart Information Security Analyst LURHQ Corporation ==========================> 843-347-1075 ext. 303 jstewart () lurhq com
Current thread:
- Ping flood? Andre Kajita - Administrador da Rede (Nov 28)
- <Possible follow-ups>
- Re: Ping flood? Sue D. Nym (Nov 29)
- Re: Ping flood? Joe Stewart (Nov 29)