Security Incidents mailing list archives

Re: Quova.net

From: fboliva () SAFENETWORKS COM (Fabio Bastiglia Oliva)
Date: Tue, 20 Jun 2000 15:53:55 -0300


Hi,

        Sorry about my bad english!

        One of our customers is really angry with the ICMP packets
coming from quova.net. He asked us to permanently block the connections
from quova.net.

        We have a lot of *HUGE* log files with lots of entries like
these (We're using snort):

------------------------
[**] IDS118 - MISC-Traceroute ICMP [**]
06/19-19:59:49.945603 64.41.164.54 -> XXX.XXX.XXX.XXX
ICMP TTL:1 TOS:0x0 ID:60148
ID:51501   Seq:256  ECHO

[**] IDS246 - MISC - Large ICMP Packet [**]
06/19-19:59:49.946052 64.41.164.54 -> XXX.XXX.XXX.XXX
ICMP TTL:20 TOS:0x0 ID:60142
ID:50477   Seq:256  ECHO
------------------------

        Also... we have some Megabytes of firewall logs about the same
problem...

Best Regards
_________________________________
Fabio Bastiglia Oliva - Director
fboliva () safenetworks com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

<HR NOSHADE>
<UL>
<LI>application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature
</UL>

Current thread:

"Quova.net" (Exodus downstream customer) Missouri FreeNet Administration (Jun 17)
- Re: Quova.net M J (Jun 20)
  - Re: Quova.net Fabio Bastiglia Oliva (Jun 20)
    - Re: Quova.net Brett Glass (Jun 20)
    - Hacked by the script kiddie - an ordinary netadmin's day Jakub Urbanec (Jun 21)
    - SV: Hacked by the script kiddie - an ordinary netadmin's day Kim C. Saxvik (Jun 23)
    - Addendum: scanned - strange! Sir Scriptzalot (Jun 21)
  - Re: Quova.net Valdis Kletnieks (Jun 20)
- <Possible follow-ups>
- Re: "Quova.net" (Exodus downstream customer) Rune Kristian Viken (Jun 20)
  - Re: "Quova.net" (Exodus downstream customer) Missouri FreeNet Administration (Jun 22)
    - Re: "Quova.net" (Exodus downstream customer) Cold Fire (Jun 23)
    - Interesting research paper Alfred Huger (Jun 25)
    - DOS attack Bogdan Catalin Donici (Jun 26)

(Thread continues...)