[Snort-sigs] ICMP PING speedera - Hacker Tool

Robert Wagner rwagner at ...447...
Wed Apr 3 06:35:22 EST 2002


One little bit of follow-up: it appears that there may be a hacker tool
that uses a speedera-type packet to identify systems.  I would recommend
starting to capture some of this traffic for further analysis.  I noticed
this traffic:

Apr  1 03:40:54 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP}
65.69.8.140 -> me
Apr  1 03:47:28 mydomain portsentry[3845]: attackalert: SYN/Normal scan from
host: adsl-65-69-8-140.dsl.hstntx.swbell.net/65.69.8.140 to TCP port: 445

NOTE: true speedera doesn't originate from DSL servers!!!

Apr  1 03:47:29 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3185 me:445 L=48 S=0x00 I=5230 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:31 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:1025 me:139 L=48 S=0x00 I=5285 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:31 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3187 me:139 L=48 S=0x00 I=5287 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:35 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3185 me:445 L=48 S=0x00 I=5338 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:37 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:1025 me:139 L=48 S=0x00 I=5354 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:37 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3187 me:139 L=48 S=0x00 I=5369 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:49 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3224 me:80 L=48 S=0x00 I=5501 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:52 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3224 me:80 L=48 S=0x00 I=5542 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:58 mydomain kernel: Packet log: input DENY eth0 PROTO=6
65.69.8.140:3224 me:80 L=48 S=0x00 I=5579 F=0x4000 T=118 SYN (#1)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Apr  3 02:20:07 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP}
65.69.8.140 -> me
Apr  3 02:20:07 mydomain kernel: Packet log: input DENY eth0 PROTO=1
65.69.8.140:8 me:0 L=65 S=0x00 I=33194 F=0x0000 T=118 (#4)
Apr  3 02:20:13 mydomain kernel: Packet log: input DENY eth0 PROTO=1
65.69.8.140:8 me:0 L=65 S=0x00 I=33470 F=0x0000 T=118 (#4)
Apr  3 02:20:13 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP}
65.69.8.140 -> me
Apr  3 02:20:18 mydomain kernel: Packet log: input DENY eth0 PROTO=1
65.69.8.140:8 me:0 L=65 S=0x00 I=33702 F=0x0000 T=118 (#4)
Apr  3 02:20:18 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP}
65.69.8.140 -> me

NOTE: Speedera typically doesn't send multiple packets - I believe it is
one packet each from several different hosts.

I believe this is good speedera traffic:
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 208.185.54.14 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 209.10.58.124 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 64.0.96.12 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 63.123.77.194 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 205.158.108.194 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 204.176.88.5 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 64.14.117.10 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 213.61.6.2 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 209.68.217.194 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 212.62.17.145 -> mydns
Mar 11 08:16:34 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 212.0.126.130 -> mydns
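The heuristic described in this message (one speedera ping per host from many hosts at once looks like the CDN; repeated pings from a single host, especially one that also SYN-probes TCP ports, looks like a scanner) written out as a small detection script. This is an added example, not code from the original post or the Snort project; it assumes the snort/kernel syslog line formats shown above, rejoins lines that were folded by the mail client, and runs over constructed sample records using documentation addresses.

```python
import re
from collections import defaultdict

# Syslog records start with "Mon DD HH:MM:SS"; anything else is treated as a
# continuation of the previous record (mail clients fold long log lines).
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
PING_RE = re.compile(r"snort(?:\[\d+\])?: \[1:480:\d+\] ICMP PING speedera"
                     r".*?\{ICMP\} (?P<src>\d+(?:\.\d+){3}) -> ")
SYN_RE = re.compile(r"kernel: Packet log: input DENY \S+ PROTO=6 "
                    r"(?P<src>\d+(?:\.\d+){3}):\d+ \S+:(?P<dport>\d+) .* SYN")

# Constructed sample log, modelled on the formats quoted in the post.
SAMPLE_LOG = """\
Apr  1 03:40:54 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP}
192.0.2.77 -> me
Apr  1 03:47:29 mydomain kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.77:3185 me:445 L=48 S=0x00 I=5230 F=0x4000 T=118 SYN (#1)
Apr  1 03:47:31 mydomain kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.77:1025 me:139 L=48 S=0x00 I=5285 F=0x4000 T=118 SYN (#1)
Apr  3 02:20:13 mydomain snort[3876]: [1:480:1] ICMP PING speedera {ICMP}
192.0.2.77 -> me
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 198.51.100.14 -> mydns
Mar 11 08:12:52 me snort: [1:480:2] ICMP PING speedera [Classification: Misc
activity] [Priority: 3]: {ICMP} 198.51.100.124 -> mydns
"""

def unwrap(text):
    """Rejoin log records that were folded onto continuation lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def classify(text):
    """Per source IP: (verdict, speedera ping count, SYN-probed TCP ports).
    One ping per host is CDN-like; repeated pings from one host, or a host
    that also SYN-probes TCP ports, is flagged as a suspect scanner."""
    pings, syn_ports = defaultdict(int), defaultdict(set)
    for rec in unwrap(text):
        if (m := PING_RE.search(rec)):
            pings[m["src"]] += 1
        elif (m := SYN_RE.search(rec)):
            syn_ports[m["src"]].add(int(m["dport"]))
    verdicts = {}
    for src in set(pings) | set(syn_ports):
        suspect = pings[src] > 1 or bool(syn_ports[src])
        verdicts[src] = ("suspect" if suspect else "cdn-like",
                         pings[src], sorted(syn_ports[src]))
    return verdicts
```

Running `classify(SAMPLE_LOG)` flags 192.0.2.77 (two pings plus SYNs to 139 and 445) and leaves the two single-ping sources as cdn-like.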


-----Original Message-----
From: Robert Wagner 
Sent: Tuesday, April 02, 2002 9:39 AM
To: 'ramos at ...442...'; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] ICMP PING speedera


Annoying traffic.  Several websites use a service called speedera.  When you
visit the website, the speedera service pings you to determine the fastest
server to respond to you.  This provides the customer with a fast website
response (and several pings).  You can do a Google search for speedera to
get more technical information.  It looks kind of like a basic Ping attack
because you get pinged from a dozen or so servers.

-----Original Message-----
From: ramos at ...442... [mailto:ramos at ...442...]
Sent: Tuesday, April 02, 2002 6:39 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] ICMP PING speedera


Hi Community!!!

Does anybody know anything about ICMP PING speedera?

Best regards,
Rodrigo Ramos


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
