Security Incidents mailing list archives
Re: Simultaneous ping from lots of different hosts.
From: Hubert BUT <xfer () but pl>
Date: Tue, 30 Oct 2001 07:53:14 +0100 (CET)
Hello....

These ICMP packets may be something like RST and ACK packets sent from random hosts on the Internet... We were working on them several months ago with lcamtuf, who created a special project called WTF and has written a tool for analyzing these packets, based on tcpdump (Passive OS Fingerprinting = p0f)...

Tool location: http://lcamtuf.coredump.cx/soft/p0f.tgz
Project info: http://lcamtuf.coredump.cx/wtf/

greets...
0x78666572

[xfer][Hubert Pasternak]
[E-Mail: xfer () hert org][Mobile: +48609928174]
[ EP BUT Ltd. Network Security Specialist]

On Mon, 29 Oct 2001, Johannes Verelst wrote:

> Hi,
>
> Today, my icmplogd showed that I was being pinged from a lot of different hosts. I got curious, because this is quite unusual on my machine, so I started a little investigation.
>
> First of all, the IPs ping all within the same second (syslog can't measure more accurately than that). There are several 'sweeps', ranging from 4 to 6 icmp_echo's. These sweeps started around one month ago, but with very low intensity. During the month intensity went up.
>
> I took one of the IPs and looked up the owner of the netblock. Pasting this into google gave a very interesting thread on the Snort-users mailinglist: http://archives.neohapsis.com/archives/snort/2000-11/0366.html. The most interesting part: this happened exactly 11 months ago, 28 november 2000. The list of hosts mentioned is partly the same as the IPs that I see, more specifically:
>
> 208.185.54.14
> 204.176.88.5
> 207.235.98.194
>
> I have ICMP-fingerprinted the hosts with the utility xprobe; all of them gave the following OS fingerprint: Linux 2.2.x/2.4.5+ kernel, except for two IPs: 204.176.88.5, h-213.61.6.2.host.de.colt.net
>
> These IPs give the following fingerprint:
>
> FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38
> Nokia IPSO 3.2-2.3.1 releng 783-849
> Ricoh Aficio AP4500 Network Laster Printer
> Linux 2.0.x/2.2.x/2.4.x
> Shiva AccessPort Bridge/Router Software V.2.1.0 ]
>
> Those IPs also have port 80 open. A small HEAD gives:
>
> HTTP/1.0 200 OK
> Date: Mon, 29 Oct 2001 14:52:48 GMT
> Server: swcd/4.0.0003
> Connection: close
>
> So, does anybody know what this is? The strange thing is that almost a year ago (exactly 11 months) somebody got exactly the same 'probes'. Strangely enough, no TCP connections are made (I usually have UDP logging disabled because there's a _lot_ of UDP traffic. I enabled it now to see if anything is happening).
>
> If anybody has any suggestions of how to be more paranoid, please let me know.
>
> Kind regards,
> Johannes Verelst
> --
> Unix is simple. It just takes a genius to understand its simplicity
> Make it idiot proof, and someone will make a better idiot.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
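As an added example (not part of the thread or of p0f/xprobe), a small Python script that flags the pattern Johannes describes in his icmplogd output: echo requests from several distinct hosts logged within the same syslog second, and source addresses that recur across separate sweeps. The icmplogd line format is approximated and the sample log lines are constructed; the three sources taken from the post are mixed with documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample, approximating icmplogd syslog output (not real log data).
SAMPLE_LOG = """\
Oct 29 14:52:48 gw icmplogd: ping from 208.185.54.14 (208.185.54.14)
Oct 29 14:52:48 gw icmplogd: ping from 204.176.88.5 (204.176.88.5)
Oct 29 14:52:48 gw icmplogd: ping from 207.235.98.194 (207.235.98.194)
Oct 29 14:52:48 gw icmplogd: ping from 192.0.2.17 (192.0.2.17)
Oct 29 14:53:10 gw icmplogd: ping from 192.0.2.99 (192.0.2.99)
Oct 29 15:01:03 gw icmplogd: ping from 198.51.100.8 (198.51.100.8)
Oct 29 15:01:03 gw icmplogd: ping from 198.51.100.8 (198.51.100.8)
Oct 29 15:01:03 gw icmplogd: ping from 198.51.100.9 (198.51.100.9)
Oct 29 16:20:11 gw icmplogd: ping from 208.185.54.14 (208.185.54.14)
Oct 29 16:20:11 gw icmplogd: ping from 204.176.88.5 (204.176.88.5)
Oct 29 16:20:11 gw icmplogd: ping from 192.0.2.50 (192.0.2.50)
Oct 29 16:20:11 gw icmplogd: ping from 192.0.2.51 (192.0.2.51)
"""

# Syslog timestamp has one-second resolution, which is exactly the
# granularity the post relies on ("all within the same second").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ icmplogd: ping from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)"
)


def find_sweeps(log_text, min_sources=4):
    """Return [(timestamp, sorted distinct sources)] for every syslog second
    in which at least min_sources distinct hosts sent an echo request.
    Repeated pings from one host in the same second count once."""
    by_second = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_second[m.group("ts")].add(m.group("src"))
    # Sorting by the timestamp string is fine within a single day of logs.
    return [(ts, sorted(srcs)) for ts, srcs in sorted(by_second.items())
            if len(srcs) >= min_sources]


def recurring_sources(sweeps):
    """Sources that take part in more than one sweep, i.e. the 'partly the
    same list of hosts' observation from the post."""
    seen = defaultdict(int)
    for _, srcs in sweeps:
        for s in srcs:
            seen[s] += 1
    return sorted(s for s, n in seen.items() if n > 1)
```

Run it against a real syslog file by replacing SAMPLE_LOG with the file contents; the threshold of 4 matches the smallest sweep size mentioned in the post.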