Security Incidents mailing list archives

Re: 8 hours of pinging


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 21 Mar 2000 16:02:58 -0800


Was the machine itself pinged? I.e. was it an ICMP Echo Request (type=8)
sent to the exact IP address (e.g. 192.0.2.168)?

Or was it sent a broadcast ping, e.g. an IP address of 192.0.2.255 or
192.0.2.0?

Or was it a ping response, i.e. ICMP Echo Reply (type=0)?

The rate of firings is actually consistent with a smurf attack from a modem
user.

It is also consistent with your ISP doing rate filtering of ICMP packets,
and the machine being the attempted victim of a ping attack (e.g. the
echok.c script spoofs pings).

A packet capture with TCPDUMP or a sniffer would help track this down. (Of
course, some IDSs not to be named will also take packet captures and may
identify the exact signature :-) I would of course love to see the packets
themselves.

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Jim Lindstrom
Sent: Monday, March 20, 2000 7:21 AM
To: INCIDENTS () securityfocus com
Subject: 8 hours of pinging

I have a machine on the @Home network whose logs I monitor in
real-time.  Last night from 12:40am to about 8:35am (Central Standard US
time), the machine was continuously pinged, at a rate of 5 to 10 times
per minute, from machines all over the world.  I don't think this was
intended as a DDoS, due to the low rate of firings, but what else could
this have been?

--
Jim Lindstrom
jlindstr () uiuc edu
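The triage Robert asks for above, as an added example that is not part of the original thread: given raw IPv4+ICMP packets (what a tcpdump capture would hand you), sort each one into "echo request to the host itself", "echo request to the subnet broadcast or network address", or "echo reply", and tally the distinct source addresses. A host that receives echo replies from many sources it never pinged is the pattern the smurf hypothesis predicts, since the amplifier networks answer to the spoofed victim address. The packets, the host address 192.0.2.168, the /24 and the remote addresses are all constructed here from RFC 5737 documentation ranges; nothing is read from a live interface.

```python
"""Classify ICMP packets by type and destination (constructed sample data)."""
import ipaddress
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed local addressing for the example (not from the original message).
HOST = "192.0.2.168"
LOCAL_NET = "192.0.2.0/24"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4 and ICMP headers.
    Run over a header that already carries a valid checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ping(src: str, dst: str, icmp_type: int, ident: int = 0x1234,
               seq: int = 1, payload: bytes = b"abcdefgh") -> bytes:
    """Construct a minimal IPv4 + ICMP echo packet (no link-layer header)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def classify(packet: bytes, local_net: str) -> str:
    """Return which of the cases in Robert's reply a packet falls under."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # IP protocol 1 = ICMP
        return "not-icmp"
    if inet_checksum(packet[:ihl]) != 0:
        return "bad-ip-checksum"
    if inet_checksum(packet[ihl:]) != 0:
        return "bad-icmp-checksum"
    dst = ipaddress.IPv4Address(packet[16:20])
    icmp_type = packet[ihl]
    if icmp_type == ICMP_ECHO_REPLY:
        return "echo-reply"
    if icmp_type == ICMP_ECHO_REQUEST:
        net = ipaddress.IPv4Network(local_net)
        if dst in (net.broadcast_address, net.network_address):
            return "broadcast-echo-request"
        return "unicast-echo-request"
    return "icmp-type-%d" % icmp_type


def summarize(packets, local_net: str):
    """Count packets per category and list the distinct source addresses."""
    counts = Counter()
    sources = set()
    for pkt in packets:
        counts[classify(pkt, local_net)] += 1
        sources.add(str(ipaddress.IPv4Address(pkt[12:16])))
    return dict(counts), sorted(sources, key=ipaddress.IPv4Address)


# Constructed sample capture: one direct ping, one broadcast ping, and
# three unsolicited echo replies from different remote hosts.
SAMPLE_PACKETS = [
    build_ping("203.0.113.5", HOST, ICMP_ECHO_REQUEST),
    build_ping("203.0.113.5", "192.0.2.255", ICMP_ECHO_REQUEST),
    build_ping("198.51.100.7", HOST, ICMP_ECHO_REPLY),
    build_ping("198.51.100.9", HOST, ICMP_ECHO_REPLY),
    build_ping("198.51.100.23", HOST, ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_PACKETS, LOCAL_NET)
    for category, n in sorted(counts.items()):
        print("%-24s %d" % (category, n))
    print("distinct sources:", ", ".join(sources))
```

On a real box the same split can be made at capture time with tcpdump's filter language, e.g. `tcpdump -n 'icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply'`, and the destination address in each printed line tells you whether it was the host or the broadcast address that was targeted.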


