Security Incidents mailing list archives
Ping flood IPs
From: Andre Kajita - Administrador da Rede <admin () CAMARASJC SP GOV BR>
Date: Wed, 29 Nov 2000 08:08:11 -0200
Greets,

Thanks to the tip from Joe Stewart I resolved all the hostnames - something I don't normally do as a reverse lookup can reveal that someone is looking you up - and found a testshelf-2.atl.pnap.net, a few hosts from speedera.net/.com, one that gave host.domain.com and a few that resolved back to Teleglobe.net.

According to the URL that Joe noted, http://www.sans.org/y2k/102500.htm, and his quote:

"They're using coordinated pings from their nameservers to everyone else's nameservers to determine the best routes for their network, and triggering everyone's IDS in the process."

I guess that's what I was hit by - the targeted host is my main DNS server (my secondary was not hit, yet) and it all fits together nice and snug, false alarm I guess.

I've attached the IPs (gzipped) that I was hit from if anyone wants to take a look. I didn't publish them in the first place to avoid revealing compromised machines but since that's apparently not the case - have fun!

Andre.

--
Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br>
Camara Municipal de Sao Jose dos Campos - SP
http://www.camarasjc.sp.gov.br
Attachment: pinged.txt.gz