Security Incidents mailing list archives

Re: ICMP attack in progress?


From: cjc () SCITEC COM (Crist J. Clark)
Date: Thu, 25 May 2000 23:47:38 -0400


On Thu, May 25, 2000 at 12:37:08PM -0500, Lic. Rodolfo Gonzalez Gonzalez wrote:

[snip]

And soon, over and over, and also coming from these addresses
(spoofed?):

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ----l-  212.41.223.98        anywhere              n/a

An address from this block tried to scan our network configuration
yesterday,

May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc8.8:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc8.63:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc8.64:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.8:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.63:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.64:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.128:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.191:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.192:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 212.41.223.9:8 aaa.bbb.cc9.254:0 L=32 S=0x00 I=237 F=0x0000 T=239

[snip]

And in general from the 151.27.xxx.xxx and 212.xxx.xxx.xxx nets. Any
comments?

I've seen a lot of pings from 212/8 this week,

      1     212.209.6.8 -> aaa.bbb.cc9.129
      1    212.123.8.49 -> aaa.bbb.cc9.129
      1    212.41.223.9 -> aaa.bbb.cc8.63
      1    212.41.223.9 -> aaa.bbb.cc8.64
      1    212.41.223.9 -> aaa.bbb.cc8.8
      1    212.41.223.9 -> aaa.bbb.cc9.128
      1    212.41.223.9 -> aaa.bbb.cc9.191
      1    212.41.223.9 -> aaa.bbb.cc9.192
      1    212.41.223.9 -> aaa.bbb.cc9.254
      1    212.41.223.9 -> aaa.bbb.cc9.63
      1    212.41.223.9 -> aaa.bbb.cc9.64
      1    212.41.223.9 -> aaa.bbb.cc9.8
      1    212.54.68.72 -> aaa.bbb.cc9.129
      1    212.63.29.75 -> aaa.bbb.cc9.129
      1   212.105.5.185 -> aaa.bbb.cc9.129
      1   212.120.200.4 -> aaa.bbb.cc9.129
      1   212.120.68.80 -> aaa.bbb.cc9.129
      1   212.64.56.207 -> aaa.bbb.cc9.129
      1   212.95.72.236 -> aaa.bbb.cc9.129
      1   212.95.75.184 -> aaa.bbb.cc9.129
      1  212.123.10.214 -> aaa.bbb.cc9.129
      1  212.133.25.139 -> aaa.bbb.cc9.2
      2  212.134.26.248 -> aaa.bbb.cc9.129
      1  212.139.15.166 -> aaa.bbb.cc9.129
      1  212.140.80.242 -> aaa.bbb.cc9.129
      1  212.141.111.83 -> aaa.bbb.cc9.129
      1  212.141.93.249 -> aaa.bbb.cc9.129
      2  212.171.200.96 -> aaa.bbb.cc9.129
      1  212.186.24.213 -> aaa.bbb.cc9.129
      1  212.189.164.80 -> aaa.bbb.cc9.129
      1  212.205.230.19 -> aaa.bbb.cc9.129
      1  212.49.228.111 -> aaa.bbb.cc9.129
      1  212.59.192.207 -> aaa.bbb.cc9.129
      1  212.67.152.195 -> aaa.bbb.cc9.129
      1 212.183.125.174 -> aaa.bbb.cc9.129

None from the other net you mention.

--
Crist J. Clark                              cjc () scitec com
SciTec, Inc                             (609)921-3892 x252
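
The per-pair counts in the reply above can be produced mechanically from ipchains "Packet log:" lines like the ones quoted. The following Python is an added example, not code from the thread or from either participant. It parses the ipchains kernel log format (for PROTO=1 the two "port" fields carry the ICMP type and code, so `:8` after the source and `:0` after the destination mark an echo request), tallies echo requests per source/destination pair, flags any source that pings several distinct destinations in the manner of the 212.41.223.9 burst, and separately flags sources whose echo requests all carry the same IP ID (every quoted packet has I=237), which is worth checking because a host's own stack normally varies the ID while crafted packets often do not. The sample log lines, the documentation-range addresses in them and all function names are constructed for this example.

```python
"""Parse ipchains 'Packet log:' lines and summarise ICMP echo-request activity.

Added example, not part of the original thread. The ipchains log layout is the
real one; the sample lines and addresses below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# ipchains kernel log line:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<a> <dst>:<b> L=<len> S=<tos> I=<id> F=<frag> T=<ttl>
# For PROTO=1 (ICMP) field <a> is the ICMP type and <b> the ICMP code; for TCP/UDP they are ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

ICMP_ECHO_REQUEST = 8

# Constructed sample: one source sweeping four hosts with a fixed IP ID, one source
# pinging a single host twice with incrementing IDs, one ICMP unreachable, one TCP SYN.
SAMPLE_LOG = """\
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.9:8 203.0.113.8:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.9:8 203.0.113.63:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:21 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.9:8 203.0.113.64:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:47:22 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.9:8 203.0.113.254:0 L=32 S=0x00 I=237 F=0x0000 T=239
May 24 10:51:03 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.77:8 203.0.113.129:0 L=84 S=0x00 I=4611 F=0x0000 T=52
May 24 10:51:04 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.77:8 203.0.113.129:0 L=84 S=0x00 I=4612 F=0x0000 T=52
May 24 10:52:10 gw kernel: Packet log: forward DENY eth1 PROTO=1 198.51.100.5:3 203.0.113.129:3 L=56 S=0x00 I=1020 F=0x0000 T=60
May 24 10:52:11 gw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.200:2048 203.0.113.129:23 L=60 S=0x00 I=3301 F=0x4000 T=49
"""


def parse_line(line):
    """Return a dict for one ipchains log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "dst": d["dst"],
        "length": int(d["len"]), "ip_id": int(d["id"]), "ttl": int(d["ttl"]),
    }
    if rec["proto"] == 1:                     # ICMP: the "ports" are type and code
        rec["icmp_type"], rec["icmp_code"] = int(d["a"]), int(d["b"])
    else:                                     # TCP/UDP: real port numbers
        rec["sport"], rec["dport"] = int(d["a"]), int(d["b"])
    return rec


def echo_requests(lines):
    """Yield parsed records that are ICMP echo requests (type 8)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 1 and rec["icmp_type"] == ICMP_ECHO_REQUEST:
            yield rec


def echo_request_pairs(lines):
    """Count echo requests per (src, dst) pair: the 'count  src -> dst' view of the reply."""
    return Counter((r["src"], r["dst"]) for r in echo_requests(lines))


def sweep_sources(lines, min_targets=3):
    """Sources whose echo requests reached at least min_targets distinct hosts (a ping sweep)."""
    targets = defaultdict(set)
    for src, dst in echo_request_pairs(lines):
        targets[src].add(dst)
    return {src: sorted(d, key=ipaddress.ip_address)
            for src, d in targets.items() if len(d) >= min_targets}


def constant_ip_id_sources(lines, min_packets=2):
    """Sources whose echo requests (at least min_packets of them) all share one IP ID."""
    ids = defaultdict(list)
    for r in echo_requests(lines):
        ids[r["src"]].append(r["ip_id"])
    return {src: v[0] for src, v in ids.items() if len(v) >= min_packets and len(set(v)) == 1}


def summarise(lines):
    """Render pair counts in the reply's layout, ordered numerically by source then destination."""
    def key(item):
        (src, dst), _ = item
        return ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return ["%7d %15s -> %s" % (n, src, dst)
            for (src, dst), n in sorted(echo_request_pairs(lines).items(), key=key)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for row in summarise(lines):
        print(row)
    print("sweeps:", sweep_sources(lines))
    print("fixed IP ID:", constant_ip_id_sources(lines))
```

Feeding the real gateway log through `summarise()` reproduces the table in the reply; `sweep_sources()` separates a single host mapping a range from the many unrelated single pings to one address, and `constant_ip_id_sources()` picks out bursts like the quoted one where every packet carries the same IP ID.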


