Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: 8 hours of pinging

From: spiff () BWAY NET (spiff)
Date: Wed, 22 Mar 2000 03:40:53 -0500

Perhaps this is an Nmap -sP (ping scan) using the decoy option, and set to
a scan frequency low enough to avoid setting off IDS systems. The output
of this scan is any host listening at a particular address, which can then
be given as input to a more thorough scan of known 'alive' hosts. Of note,
if this _is_ an nmap scan, one of the addresses is the real ip of the
scanning host.

see www.insecure.org for Nmap.

spiff

On Tue, 21 Mar 2000, Ed Padin wrote:


FYI,

I've seen this happen as well. The pings seem to come from all over the
place. They do not come rapidly as in a flood. perhaps it's a tribe-like
scan of some sort? I don't get any malformed packets just straight
ICMP-ECHO-REQUEST.


-----Original Message-----
From: Jim Lindstrom [mailto:jlindstr () UIUC EDU]
Sent: Monday, March 20, 2000 10:21 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: 8 hours of pinging


I have a machine on the @Home network whose logs I monitor in
real-time.  Last night from 12:40am to about 8:35am (central
standard us
time), the machine was continously pinged, at a rate of 5 to 10 times
per minute, from machines all over the world.  I don't think this was
intended as a DDoS, due to the low rate of firings, but what
else could
this have been?

--
Jim Lindstrom
jlindstr () uiuc edu
Previous By Date Next
Previous By Thread Next

Current thread: