[Snort-users] ICMP Superscan Echo and Smurf

Hicks, John JHicks at ...5857...
Tue Sep 10 06:00:02 EDT 2002


  The 'SuperScan Echo' that I am familiar with first hand is produced by the
ping feature of the SuperScan port scanner that can be found on



-----Original Message-----
From: Pacheco, Michael F.
To: 'snort-users at lists.sourceforge.net'
Sent: 10/09/02 8:09 AM
Subject: [Snort-users] ICMP Superscan Echo and Smurf

Hi All,

I've been recieving a lot of ICMP traffic in the past 2 days from Europe
mainly Poland, France and Italy.  Since its ICMP I don't trust the
but no the rate is accelerating and it tripped the Smurf rules in Snort
Usually a bunch of Superscan Echo's followed by a short burst of Smurf.
understand the process in Smurf DDoS - but am a little confused on ICMP
Superscan Echo - Below is one captured alert.

#(1 - 142355) [2002-09-10 05:52:21]  ICMP superscan echo
IPv4: -> xx.xx.xx.254
      hlen=5 TOS=0 dlen=36 ID=43420 flags=0 offset=0 TTL=107
ICMP: type=Echo Request code=0
      checksum=24412 id= seq=
Payload:  length = 8

000 : 00 00 00 00 00 00 00 00                           ........

Basically just an oversized ICMP echo request.  I've looked through CERT
find some general reading on ping floods and such, but nothing that
specifically addresses Superscan Echo. I've blocked once, but the source
moved so I know that there is somebody behind this one.  Can anybody
shed a
little more light or point me in the right direction on ICMP Superscan
and how it ties into DDoS?


Mike Pacheco

P.S. - Sorry - forgot the specifics - Snort 1.8.6 on linux with Acid
-- (Anybody hear if Roman is going to be releasing b22 anytime soon?)

This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list