[Snort-users] ICMP Superscan Echo and Smurf

Pacheco, Michael F. MPacheco at ...6219...
Wed Sep 11 07:54:03 EDT 2002

Thanks Ofir,

The last bit of your reply is a know quantity - if the payload matches the
rule its alerted - what I'm trying to understand is the pattern.  A large
burst of Superscan Echo's followed by Smurf from the same source. What
information could you be looking to gather with the Superscan tool that
could then be useful in further attacks - in this case a Smurf DDoS. The
more I analyze this the more it does not make sense and I feel I'm missing
something - hence the question to the snort board.

Thanks for the info - any other comments from the board?


-----Original Message-----
From: Ofir Arkin [mailto:ofir at ...949...]
Sent: Wednesday, September 11, 2002 4:50 AM
To: 'Pacheco, Michael F.'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] ICMP Superscan Echo and Smurf


Superscan is a tool which is available from Foundstone. 

It is not related in any way with DOS/DDOS.

The Superscan rule is triggered whenever a payload of an ICMP Echo
request match the one with the rule base.

Ofir Arkin [ofir at ...949...]
The Sys-Security Group
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Pacheco,
Michael F.
Sent: 10 September 2002 13:09
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] ICMP Superscan Echo and Smurf

Hi All,

I've been recieving a lot of ICMP traffic in the past 2 days from Europe
mainly Poland, France and Italy.  Since its ICMP I don't trust the
but no the rate is accelerating and it tripped the Smurf rules in Snort
Usually a bunch of Superscan Echo's followed by a short burst of Smurf.
understand the process in Smurf DDoS - but am a little confused on ICMP
Superscan Echo - Below is one captured alert.

#(1 - 142355) [2002-09-10 05:52:21]  ICMP superscan echo
IPv4: -> xx.xx.xx.254
      hlen=5 TOS=0 dlen=36 ID=43420 flags=0 offset=0 TTL=107
ICMP: type=Echo Request code=0
      checksum=24412 id= seq=
Payload:  length = 8

000 : 00 00 00 00 00 00 00 00                           ........

Basically just an oversized ICMP echo request.  I've looked through CERT
find some general reading on ping floods and such, but nothing that
specifically addresses Superscan Echo. I've blocked once, but the source
moved so I know that there is somebody behind this one.  Can anybody
shed a
little more light or point me in the right direction on ICMP Superscan
and how it ties into DDoS?


Mike Pacheco

P.S. - Sorry - forgot the specifics - Snort 1.8.6 on linux with Acid
-- (Anybody hear if Roman is going to be releasing b22 anytime soon?)

This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list