Snort mailing list archives

Re: Ping


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 03 Jun 2003 18:59:03 -0400

At 10:08 AM 6/3/2003 -0500, David Alonso De La Vega Tapage wrote:
> This is an interesting situation for me ..
>
> My snort box detects a constant icmp ping from a small IP range .. I have been detecting it for about 3 days .. obviously, these are dropped in my firewall .. but the ping continues ....
>
> I connect from a dial up connection and scan ( with nessus and nmap ) the source IP and detect that all ports on this box are opened .. very interesting .. !
>
> In this case what is your reaction .. or what is the reason for this ping .. freeze my firewall .. ?
>
> Thanx in advance ..

Depends on the ping.. and where the source IPs are. Do a reverse DNS or an ARIN ipwhois query to see where this source really is. That's usually my first step. 9 times out of 10 it's the DNS server for a website someone was visiting.

One of the things you need to realize up front is that pings are NORMAL. They usually do not indicate an attack, although they MIGHT indicate someone doing a little bit of recon to see what IPs have machines on them. You'd really have to study the pattern of pings and correlate them to something more insidious before deciding that they are part of recon.

Pings are also sometimes used by backdoor programs as a communication channel. These tend to be pretty obvious by the packet contents. Most "normal" pings are a fairly obvious simple pattern like counting (01 02 03..), all 00's, all FF's, and the like, although there is one common "normal" ping which contains an image of the Microsoft logo in it (it's got a gif or bmp header in it, it's pretty obvious if you read the ascii part of the packet dump.)

As some examples of real-world things that use ping, and are using them to optimize network performance:

1) speedera type "fastest path" distributed DNS systems will send pings to your DNS servers anytime you try to resolve the domain for someone using it (ie: windowsupdate does this). Those will appear to come from a small range of IPs and are hardly a cause for alarm.

2) Some systems use pings for path MTU discovery.. I think AIX does this, among others.

Certainly nobody besides an idiot would expect a few pings to freeze your firewall, unless you're running some kind of ancient pile of garbage that is vulnerable to one of the "Ping Of Death" variants.. but you'd have to be running something that hasn't been updated since 1996 for that.

Ping of death, land, winnuke, etc. are all outdated attacks that rarely work on anything, so you generally don't see people try them unless it's part of a comprehensive vulnerability test that you hired someone to do. Even the lamest skript kiddies no longer use these as a matter of course. DDoS, synfloods, buffer overflows against SQL, HTTP, SMTP or DNS servers, and open proxy abuse are all much more common these days.
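Matt's advice to read the payload, as an added example that is not from the thread: a small Python triage script that parses a raw IPv4/ICMP echo packet and labels its payload with the benign shapes he lists (counting bytes, all 00, all FF, an embedded GIF/BMP image), flagging anything else for a look at the dump. The packet builder, the sample payloads and the label names are this example's own assumptions.

```python
import struct

def parse_icmp_echo(packet: bytes):
    """Return (icmp_type, ident, seq, payload) for an ICMP echo request or
    reply carried in IPv4, else None. Checksums are not verified here."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:        # IP protocol 1 = ICMP
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (0, 8) or code != 0:           # 8 = echo request, 0 = reply
        return None
    return icmp_type, ident, seq, packet[ihl + 8:]

def classify_payload(payload: bytes) -> str:
    """Label the echo payload; anything outside the benign shapes gets
    'inspect' so an analyst reads the packet dump (labels are this example's own)."""
    if not payload:
        return "empty"
    if all(b == 0x00 for b in payload):
        return "all-zeros"
    if all(b == 0xFF for b in payload):
        return "all-ff"
    if len(payload) > 1 and all((payload[i + 1] - payload[i]) % 256 == 1
                               for i in range(len(payload) - 1)):
        return "counting"                              # 01 02 03 ... style
    if payload.startswith((b"GIF", b"BM")):
        return "image-header"                          # the Microsoft-logo ping
    return "inspect"

def build_echo(payload: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed IPv4 + ICMP echo request for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0, 64, 1, 0, src, dst)
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

def triage(packet: bytes) -> str:
    parsed = parse_icmp_echo(packet)
    return "not-icmp-echo" if parsed is None else classify_payload(parsed[3])

if __name__ == "__main__":
    samples = {                                        # all constructed
        "counting": bytes(range(0x10, 0x30)),
        "zeros": bytes(32),
        "bmp header": b"BM" + b"\x00" * 30,
        "text": b"status ok host 7",
    }
    for name, payload in samples.items():
        print(f"{name:12s} -> {triage(build_echo(payload))}")
```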



