Security Incidents mailing list archives

Re: Ping flood?


From: Joe Stewart <jstewart () LURHQ COM>
Date: Mon, 27 Nov 2000 20:44:07 -0500

On Thu, 23 Nov 2000 17:18:58 -0200, admin () CAMARASJC SP GOV BR wrote:
> I was hit, at 09:37:36 -> 09:37:42 (-2 GMT) by 83 pings originating
> from the 83 unique hosts (mail me for a complete list of hosts if you
> want it) directed towards a single host.  Snort picked them up as *NIX
> Type pings.
>
> I guess they were probably spoofed hosts due to the fact that they all
> hit within a 7 second window.  The interesting things about the flood
> of pings was that all the TTLs were in the high 40s and low 50s (not
> that it means anything, it's just something I noticed).
>
> Has anyone been hit by anything like this in the past few days?

These are probably coming from Internap/pnap.net. The host being pinged is
your DNS server, right? They're using coordinated pings from their
nameservers to everyone else's nameservers to determine the best routes for
their network, and triggering everyone's IDS in the process.

See http://www.sans.org/y2k/102500.htm

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
==========================>
843-347-1075 ext. 303
jstewart () lurhq com
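
An added example, not part of the original message or written by either poster: Python that groups ICMP echo records by destination and reports short bursts with many distinct senders, the pattern discussed in this thread. The record layout, the addresses (documentation ranges), the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def find_bursts(records, window=timedelta(seconds=10), min_sources=20):
    """records: iterable of (datetime, src, dst, ttl) for ICMP echo requests.
    Returns one summary per destination whose busiest window holds at
    least min_sources distinct senders."""
    by_dst = defaultdict(list)
    for rec in records:
        by_dst[rec[2]].append(rec)
    bursts = []
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r[0])
        best, lo = [], 0
        for hi in range(len(recs)):
            # shrink from the left until the window fits
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            cur = recs[lo:hi + 1]
            if len({r[1] for r in cur}) > len({r[1] for r in best}):
                best = cur
        per_src = Counter(r[1] for r in best)
        if len(per_src) >= min_sources:
            ttls = [r[3] for r in best]
            bursts.append({
                "dst": dst,
                "sources": len(per_src),
                "seconds": (best[-1][0] - best[0][0]).total_seconds(),
                "ttl_range": (min(ttls), max(ttls)),
                # 1 means every sender sent a single echo request
                "max_per_source": max(per_src.values()),
            })
    return bursts

def sample_records():
    """Constructed data shaped like the report: 83 senders, 09:37:36-09:37:42."""
    t0 = datetime(2000, 11, 23, 9, 37, 36)
    recs = [(t0 + timedelta(seconds=i % 7), f"198.51.100.{i + 1}",
             "192.0.2.53", 46 + i % 8) for i in range(83)]
    # unrelated noise: one host pinging a different target repeatedly
    recs += [(t0 + timedelta(seconds=i), "203.0.113.9", "192.0.2.80", 64)
             for i in range(5)]
    return recs

if __name__ == "__main__":
    for burst in find_bursts(sample_records()):
        print(burst)
```

Comparing each reported `dst` against the site's list of nameservers is the follow-up check the reply suggests.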
