Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ICMP Superscan Echo and Smurf

From: "Pacheco, Michael F." <MPacheco () elcom com>
Date: Wed, 11 Sep 2002 10:53:50 -0400
Thanks Ofir,

The last bit of your reply is a know quantity - if the payload matches the
rule its alerted - what I'm trying to understand is the pattern.  A large
burst of Superscan Echo's followed by Smurf from the same source. What
information could you be looking to gather with the Superscan tool that
could then be useful in further attacks - in this case a Smurf DDoS. The
more I analyze this the more it does not make sense and I feel I'm missing
something - hence the question to the snort board.

Thanks for the info - any other comments from the board?

Mike

-----Original Message-----
From: Ofir Arkin [mailto:ofir () sys-security com]
Sent: Wednesday, September 11, 2002 4:50 AM
To: 'Pacheco, Michael F.'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] ICMP Superscan Echo and Smurf


Mike,

Superscan is a tool which is available from Foundstone. 

It is not related in any way with DOS/DDOS.

The Superscan rule is triggered whenever a payload of an ICMP Echo
request match the one with the rule base.

Yours,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Pacheco,
Michael F.
Sent: 10 September 2002 13:09
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] ICMP Superscan Echo and Smurf

Hi All,

I've been recieving a lot of ICMP traffic in the past 2 days from Europe
-
mainly Poland, France and Italy.  Since its ICMP I don't trust the
source
but no the rate is accelerating and it tripped the Smurf rules in Snort
-
Usually a bunch of Superscan Echo's followed by a short burst of Smurf.
I
understand the process in Smurf DDoS - but am a little confused on ICMP
Superscan Echo - Below is one captured alert.

#(1 - 142355) [2002-09-10 05:52:21]  ICMP superscan echo
IPv4: 80.15.113.2 -> xx.xx.xx.254
      hlen=5 TOS=0 dlen=36 ID=43420 flags=0 offset=0 TTL=107
chksum=27618
ICMP: type=Echo Request code=0
      checksum=24412 id= seq=
Payload:  length = 8

000 : 00 00 00 00 00 00 00 00                           ........

Basically just an oversized ICMP echo request.  I've looked through CERT
and
find some general reading on ping floods and such, but nothing that
specifically addresses Superscan Echo. I've blocked once, but the source
moved so I know that there is somebody behind this one.  Can anybody
shed a
little more light or point me in the right direction on ICMP Superscan
Echo
and how it ties into DDoS?

Thanks

Mike Pacheco

P.S. - Sorry - forgot the specifics - Snort 1.8.6 on linux with Acid
09.6b21
-- (Anybody hear if Roman is going to be releasing b22 anytime soon?)


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
In remembrance
www.osdn.com/911/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: