[Snort-users] ICMP Superscan Echo and Smurf

Pacheco, Michael F. MPacheco at ...6219...
Tue Sep 10 05:09:03 EDT 2002


Hi All,

I've been receiving a lot of ICMP traffic in the past 2 days from Europe -
mainly Poland, France and Italy.  Since it's ICMP I don't trust the source
but now the rate is accelerating and it tripped the Smurf rules in Snort -
Usually a bunch of Superscan Echoes followed by a short burst of Smurf.  I
understand the process in Smurf DDoS - but am a little confused on ICMP
Superscan Echo - Below is one captured alert.

#(1 - 142355) [2002-09-10 05:52:21]  ICMP superscan echo
IPv4: 80.15.113.2 -> xx.xx.xx.254
      hlen=5 TOS=0 dlen=36 ID=43420 flags=0 offset=0 TTL=107 chksum=27618
ICMP: type=Echo Request code=0
      checksum=24412 id= seq=
Payload:  length = 8

000 : 00 00 00 00 00 00 00 00                           ........

Basically just an oversized ICMP echo request.  I've looked through CERT and
find some general reading on ping floods and such, but nothing that
specifically addresses Superscan Echo. I've blocked once, but the source
moved so I know that there is somebody behind this one.  Can anybody shed a
little more light or point me in the right direction on ICMP Superscan Echo
and how it ties into DDoS?

Thanks

Mike Pacheco

P.S. - Sorry - forgot the specifics - Snort 1.8.6 on Linux with Acid 09.6b21
-- (Anybody hear if Roman is going to be releasing b22 anytime soon?)
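
An added example, not part of the original post and not Snort's own code: it decodes a raw IPv4/ICMP packet and checks it against the fields the alert above displays (Echo Request, code 0, an 8-byte all-zero payload). The function names, the documentation-range addresses and the assumption that these three fields are what the alert keys on are illustrative; the sample packet is constructed to reproduce dlen=36, ID=43420 and TTL=107.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed sample: 20-byte IP header + 8-byte ICMP header + payload.
    ICMP id/seq are blank in the alert, so 0 is used here (assumption)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 43420, 0,
                     107, 1, 0,
                     bytes([198, 51, 100, 2]),   # placeholder source
                     bytes([192, 0, 2, 254]))    # placeholder destination
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def classify(packet: bytes) -> dict:
    """Decode the fields the alert prints and test the assumed signature."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        raise ValueError("truncated or malformed packet")
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:total_len]
    payload = icmp[8:]
    return {
        "total_len": total_len,            # 'dlen' in the alert
        "ttl": packet[8],
        "icmp_type": icmp[0],
        "payload_len": len(payload),
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "matches": icmp[0] == 8 and icmp[1] == 0 and payload == b"\x00" * 8,
    }

if __name__ == "__main__":
    print(classify(build_packet()))                    # alert-shaped packet
    print(classify(build_packet(bytes(range(56)))))    # 56-byte patterned payload
```
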



