Snort mailing list archives
Re: Ping
From: David Alonso De La Vega Tapage <delavegad () bancoaliado com>
Date: Wed, 04 Jun 2003 09:28:09 -0500
Hello Matt and thanx for your answers .. Matt Kettler wrote:
> Depends on the ping.. and where the source IPs are. Do a reverse DNS or an ARIN ipwhois query to see where this source really is. That's usually my first step. 9 times of 10 it's the DNS server for a website someone was visiting.
I do that .. and in this case the source IP = 216.52.161.67 (and .68 and .69) can't be identified as a website ..
> One of the things you need to realize up front is that pings are NORMAL. They usually do not indicate an attack, although they MIGHT indicate someone doing a little bit of recon to see what IPs have machines on them. You'd really have to study the pattern of pings and correlate them to something more insidious before deciding that they are part of recon.
well, at first I thought .. well, someone is doing a global or general scan .. the pings that snort registered are normal .. but from a Linux box .. but the ping continued ... now 4 days of continuous ping. What does that mean, what is the reason .. ?
> Pings are also sometimes used by backdoor programs as a communication channel. These tend to be pretty obvious by the packet contents. Most "normal" pings are a fairly obvious simple pattern like counting (01 02 03..) all 00's, all FF's, and the like, although there is one common "normal" ping which contains an image of the Microsoft logo in it (it's got a jiff or bmp header in it, it's pretty obvious if you read the ascii part of the packet dump.)
well I'm not sure but in the payload part it has this ..

length = 56
000 = 5A BB DD 3E 50 99 07 00 ....
010 = 00 00 00 00 02 00 00 00 ...
020 = 00 00 00 00 08 D6 FF BF ....
030 = C0 D6 FF BF B0 E9 5E 08

The site is .. performance-cw.mia.pnap.net

ver hdrlen tos length id flags offset ttl
4   5      0   84     0  0     0      50
> As some examples of real-world things that use ping, and are using them to optimize network performance: 1) speedera type "fastest path" distributed DNS systems will send pings to your DNS servers anytime you try to resolve the domain for someone using it (i.e. windowsupdate does this). Those will appear to come from a small range of IPs and are hardly a cause for alarm.
certainly .. but that isn't the case ..
> 2) Some systems use pings for path MTU discovery.. I think AIX does this, among others. Certainly nobody besides an idiot would expect a few pings to freeze your firewall, unless you're running some kind of ancient pile of garbage that is vulnerable to one of the "Ping Of Death" variants.. but you'd have to be running something that hasn't been updated since 1996 for that. Ping of death, land, winnuke, etc are all outdated attacks that rarely work on anything so you generally don't see people try them unless it's part of a comprehensive vulnerability test that you hired someone to do.
This is my feeling .. if there is a ping, ok .. it is normal .. but a few days of constant ping, with intervals of some hours, is very strange to me ..
> Even the lamest skript kiddies no longer use these as a matter of course. DDoS, synfloods, buffer overflows against SQL, HTTP, SMTP or DNS servers, and open proxy abuse are all much more common these days.
I totally agree with you .. and thanx for your time .. !
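Matt's triage advice (look at the payload bytes: counting, all 00's, all FF's, anything else deserves a closer look) applied to the dump David posted, as an added Python example that is not part of the original thread. It assumes only the 32 payload bytes actually visible in the post (8 per 16-byte row; the rest of each row was elided in the email). Two facts it relies on are not stated on the page but are well known: Unix ping tools write the send time as a struct timeval into the first eight bytes of the payload, and the Windows ping default payload is the repeating alphabet "abcdefghijklmnopqrstuvw...".

```python
"""Payload triage for ICMP echo requests, along the lines Matt describes.

Added example for this thread, not code from the original post. Input is the
hex dump David pasted: only the 8 bytes visible per 16-byte row are used, so
32 of the 56 payload bytes are reconstructed here.
"""
import struct
from datetime import datetime, timezone

# The bytes visible in David's Snort dump (row offsets 000/010/020/030).
THREAD_PAYLOAD_HEX = (
    "5A BB DD 3E 50 99 07 00 "
    "00 00 00 00 02 00 00 00 "
    "00 00 00 00 08 D6 FF BF "
    "C0 D6 FF BF B0 E9 5E 08"
)


def parse_hex(dump: str) -> bytes:
    """Turn a space-separated hex dump into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def is_constant(data: bytes) -> bool:
    """All 00's, all FF's and similar fills (Matt's simple patterns)."""
    return len(data) > 0 and len(set(data)) == 1


def is_counting(data: bytes) -> bool:
    """01 02 03 .. style payloads: every byte is the previous one plus one."""
    return len(data) >= 4 and all(
        (b - a) % 256 == 1 for a, b in zip(data, data[1:])
    )


def is_alphabet_cycle(data: bytes) -> bool:
    """'abcdefghijklmnopqrstuvwabcdefghi': the Windows ping default payload
    (a well-known fact, assumed here, not stated in the thread)."""
    return len(data) >= 8 and all(
        b == ord("a") + (i % 23) for i, b in enumerate(data)
    )


def leading_timeval(data: bytes):
    """Unix ping writes the send time as a struct timeval into the first 8
    bytes (little-endian on x86; assumed here). Return (datetime, usec) if
    the values are plausible, else None."""
    if len(data) < 8:
        return None
    sec, usec = struct.unpack_from("<II", data, 0)
    if usec >= 1_000_000:          # tv_usec must be below one second
        return None
    try:
        ts = datetime.fromtimestamp(sec, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None
    if not 1990 <= ts.year <= 2100:  # reject timestamps that make no sense
        return None
    return ts, usec


def classify(data: bytes) -> dict:
    """Label a payload as a known benign shape or flag it for review."""
    result = {"length": len(data), "timestamp": None, "usec": None}
    if is_constant(data):
        result["label"] = "constant fill"
    elif is_counting(data) or is_alphabet_cycle(data):
        result["label"] = "counting pattern"
    elif (tv := leading_timeval(data)) is not None:
        result["label"] = "timestamp + padding (unix ping style)"
        result["timestamp"], result["usec"] = tv
        rest = data[8:]
        # How much of the remainder is padding; leftover stack bytes are
        # common after the timestamp, so this is reported, not judged.
        result["zero_fraction"] = rest.count(0) / len(rest) if rest else 1.0
    else:
        # Nothing recognised: report how text-like it is and hand it to a
        # human, as Matt suggests for covert-channel style payloads.
        printable = sum(32 <= b < 127 for b in data)
        result["label"] = "unrecognised pattern: review payload"
        result["printable_fraction"] = printable / len(data) if data else 0.0
    return result


if __name__ == "__main__":
    r = classify(parse_hex(THREAD_PAYLOAD_HEX))
    print(r["label"], r["timestamp"], r["usec"])
```

Run against the dump in the post, the first eight bytes decode as a send time on 4 June 2003 with 498000 microseconds, which is the shape a stock Unix ping produces; the classifier therefore lands on the same reading David already had (a Linux box), and the remaining question of why it pings for days is one the payload alone cannot answer.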