Security Incidents mailing list archives
Re: 8 hours of pinging
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 21 Mar 2000 16:02:58 -0800
Was the machine itself pinged? I.e. was it an ICMP Echo Request (type=8) sent to the exact IP address (e.g. 192.0.2.168)? Or was it sent a broadcast ping, e.g. an IP address of 192.0.2.255 or 192.0.2.0? Or was it a ping response, i.e. ICMP Echo Reply (type=0)?

The rate of firings is actually consistent with a smurf attack from a modem user. It is also consistent with your ISP doing rate filtering of ICMP packets, and the machine being the attempted victim of a ping attack (e.g. the echok.c script spoofs pings).

A packet capture with TCPDUMP or a sniffer would help track this down. (Of course, some IDSs not to be named will also take packet captures and may identify the exact signature :-) I would of course love to see the packets themselves.

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Jim Lindstrom
Sent: Monday, March 20, 2000 7:21 AM
To: INCIDENTS () securityfocus com
Subject: 8 hours of pinging

I have a machine on the @Home network whose logs I monitor in real-time. Last night from 12:40am to about 8:35am (central standard US time), the machine was continuously pinged, at a rate of 5 to 10 times per minute, from machines all over the world.

I don't think this was intended as a DDoS, due to the low rate of firings, but what else could this have been?

--
Jim Lindstrom
jlindstr () uiuc edu
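The three cases asked about in the reply above (Echo Request to the exact address, Echo Request to a broadcast address, unsolicited Echo Reply) can be separated mechanically once raw packets are captured. The following is an added example, not part of the original thread; the /24 network, the source addresses and the `classify`, `build` and `summarize` helpers are assumptions made for illustration, and the sample packets are constructed.

```python
import ipaddress
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def classify(packet: bytes, local_net: str) -> str:
    """Sort one raw IPv4 packet into the cases raised in the reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:   # need the 8-byte ICMP header too
        return "malformed"
    if packet[9] != 1:                      # IP protocol 1 = ICMP
        return "not-icmp"
    net = ipaddress.ip_network(local_net)
    dst = ipaddress.ip_address(packet[16:20])
    icmp_type = packet[ihl]
    if icmp_type == ICMP_ECHO_REPLY:
        # Unsolicited replies: someone else sent requests using our source address.
        return "echo-reply"
    if icmp_type == ICMP_ECHO_REQUEST:
        if dst in (net.broadcast_address, net.network_address):
            return "echo-request-broadcast"
        return "echo-request-direct"
    return "other-icmp"

def build(src: str, dst: str, icmp_type: int, proto: int = 1) -> bytes:
    """Construct a minimal IPv4+ICMP packet (checksums left zero; sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def summarize(packets, local_net: str) -> Counter:
    """Count packets per case so the dominant pattern stands out."""
    return Counter(classify(p, local_net) for p in packets)

# Constructed sample: assumed local network and documentation-range sources.
LOCAL_NET = "192.0.2.0/24"
SAMPLE = [
    build("198.51.100.7", "192.0.2.168", ICMP_ECHO_REQUEST),
    build("203.0.113.9", "192.0.2.255", ICMP_ECHO_REQUEST),
    build("203.0.113.10", "192.0.2.0", ICMP_ECHO_REQUEST),
    build("198.51.100.20", "192.0.2.168", ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, LOCAL_NET))
```

The broadcast test depends on knowing the real netmask of the monitored segment; with a wrong prefix length, directed-broadcast pings are miscounted as direct ones.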