Snort mailing list archives
RE: ICMP Superscan Echo and Smurf
From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Wed, 11 Sep 2002 10:53:50 -0400
Thanks Ofir, The last bit of your reply is a know quantity - if the payload matches the rule its alerted - what I'm trying to understand is the pattern. A large burst of Superscan Echo's followed by Smurf from the same source. What information could you be looking to gather with the Superscan tool that could then be useful in further attacks - in this case a Smurf DDoS. The more I analyze this the more it does not make sense and I feel I'm missing something - hence the question to the snort board. Thanks for the info - any other comments from the board? Mike -----Original Message----- From: Ofir Arkin [mailto:ofir () sys-security com] Sent: Wednesday, September 11, 2002 4:50 AM To: 'Pacheco, Michael F.'; snort-users () lists sourceforge net Subject: RE: [Snort-users] ICMP Superscan Echo and Smurf Mike, Superscan is a tool which is available from Foundstone. It is not related in any way with DOS/DDOS. The Superscan rule is triggered whenever a payload of an ICMP Echo request match the one with the rule base. Yours, Ofir Arkin [ofir () sys-security com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Pacheco, Michael F. Sent: 10 September 2002 13:09 To: 'snort-users () lists sourceforge net' Subject: [Snort-users] ICMP Superscan Echo and Smurf Hi All, I've been recieving a lot of ICMP traffic in the past 2 days from Europe - mainly Poland, France and Italy. Since its ICMP I don't trust the source but no the rate is accelerating and it tripped the Smurf rules in Snort - Usually a bunch of Superscan Echo's followed by a short burst of Smurf. I understand the process in Smurf DDoS - but am a little confused on ICMP Superscan Echo - Below is one captured alert. #(1 - 142355) [2002-09-10 05:52:21] ICMP superscan echo IPv4: 80.15.113.2 -> xx.xx.xx.254 hlen=5 TOS=0 dlen=36 ID=43420 flags=0 offset=0 TTL=107 chksum=27618 ICMP: type=Echo Request code=0 checksum=24412 id= seq= Payload: length = 8 000 : 00 00 00 00 00 00 00 00 ........ Basically just an oversized ICMP echo request. I've looked through CERT and find some general reading on ping floods and such, but nothing that specifically addresses Superscan Echo. I've blocked once, but the source moved so I know that there is somebody behind this one. Can anybody shed a little more light or point me in the right direction on ICMP Superscan Echo and how it ties into DDoS? Thanks Mike Pacheco P.S. - Sorry - forgot the specifics - Snort 1.8.6 on linux with Acid 09.6b21 -- (Anybody hear if Roman is going to be releasing b22 anytime soon?) ------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- In remembrance www.osdn.com/911/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ICMP Superscan Echo and Smurf Pacheco, Michael F. (Sep 10)
- RE: ICMP Superscan Echo and Smurf Ofir Arkin (Sep 11)
- <Possible follow-ups>
- RE: ICMP Superscan Echo and Smurf Hicks, John (Sep 10)
- RE: ICMP Superscan Echo and Smurf Pacheco, Michael F. (Sep 11)
- RE: ICMP Superscan Echo and Smurf Ofir Arkin (Sep 11)