mkettler at ...4108...
Tue Jun 3 16:01:14 EDT 2003
At 10:08 AM 6/3/2003 -0500, David Alonso De La Vega Tapage wrote:
>This is an interesting situation for me ..
>My snort box detects a constant icmp ping from a small IP range .. have
>detected it for about 3 days .. obviously, these are dropped in my firewall .. but
>the ping continues ....
>I connect from a dial up connection and scan ( with nessus and nmap ) the
>source IP and detect that all ports on this box are open .. very
>interesting .. !
>In this case what is your reaction .. or what is the reason for this ping
>.. freeze my firewall .. ?
>Thanx in advance ..
Depends on the ping.. and where the source IPs are. Do a reverse DNS or an
ARIN ipwhois query to see where this source really is. That's usually my
first step. 9 times out of 10 it's the DNS server for a website someone was
One of the things you need to realize up front is that pings are NORMAL.
They usually do not indicate an attack, although they MIGHT indicate
someone doing a little bit of recon to see what IPs have machines on them.
You'd really have to study the pattern of pings and correlate them to
something more insidious before deciding that they are part of recon.
Pings are also sometimes used by backdoor programs as a communication
channel. These tend to be pretty obvious by the packet contents. Most
"normal" pings are a fairly obvious simple pattern like counting (01 02
03..), all 00's, all FF's, and the like, although there is one common
"normal" ping which contains an image of the Microsoft logo in it (it's got
a GIF or BMP header in it; it's pretty obvious if you read the ASCII part
of the packet dump.)
As some examples of real-world things that use ping, and are using them to
optimize network performance:
1) Speedera-type "fastest path" distributed DNS systems will send pings to
your DNS servers anytime you try to resolve the domain for someone using it
(i.e.: windowsupdate does this). Those will appear to come from a small range
of IPs and are hardly a cause for alarm.
2) Some systems use pings for path MTU discovery.. I think AIX does this,
Certainly nobody besides an idiot would expect a few pings to freeze your
firewall, unless you're running some kind of ancient pile of garbage that
is vulnerable to one of the "Ping Of Death" variants.. but you'd have to be
running something that hasn't been updated since 1996 for that.
Ping of death, land, winnuke, etc. are all outdated attacks that rarely work
on anything, so you generally don't see people try them unless it's part of
a comprehensive vulnerability test that you hired someone to do. Even the
lamest script kiddies no longer use these as a matter of course. DDoS,
SYN floods, buffer overflows against SQL, HTTP, SMTP or DNS servers, and
open proxy abuse are all much more common these days.
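As an added example that is not part of the original post, a small Python heuristic that sorts ICMP echo payloads into the "normal" patterns the reply names (counting, all 00's, all FF's, an embedded GIF/BMP header) and flags anything else for a look at the packet dump. The sample payloads are constructed, the 0.8 counting threshold is an assumed tuning value, and the alphabetic sample is the well-known default payload of the Windows ping client.

```python
from collections import Counter

GIF_MAGIC = (b"GIF87a", b"GIF89a")  # GIF file header, as in the "Microsoft logo" ping
BMP_MAGIC = b"BM"                    # BMP file header (only checked at offset 0)
COUNTING_THRESHOLD = 0.8             # assumed: tolerates a wrap like ...uvw -> abc


def counting_fraction(payload: bytes) -> float:
    """Share of adjacent byte pairs that step up by exactly one (mod 256)."""
    if len(payload) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(payload, payload[1:]) if (b - a) % 256 == 1)
    return steps / (len(payload) - 1)


def classify_echo_payload(payload: bytes) -> str:
    """Label the data part of an ICMP echo request/reply.

    Anything that comes back 'unrecognized' is what an analyst should read in
    the ASCII dump: a covert-channel payload will not look like these patterns.
    """
    if not payload:
        return "empty"
    if payload == b"\x00" * len(payload):
        return "all-zero"
    if payload == b"\xff" * len(payload):
        return "all-ff"
    if counting_fraction(payload) >= COUNTING_THRESHOLD:
        return "counting"
    if any(m in payload for m in GIF_MAGIC) or payload.startswith(BMP_MAGIC):
        return "embedded-image"
    return "unrecognized"


def summarize(payloads) -> dict:
    """Count labels over many pings, to study the pattern before calling it recon."""
    return dict(Counter(classify_echo_payload(p) for p in payloads))


# Constructed sample payloads, not captured traffic.
SAMPLE_PAYLOADS = [
    bytes(range(1, 33)),                         # 01 02 03 ... 20
    b"abcdefghijklmnopqrstuvwabcdefghi",         # Windows ping default
    b"\x00" * 32,
    b"\xff" * 32,
    b"GIF89a" + b"\x00" * 26,                    # image header inside the ping
    b"\x13\x37\xde\xad\xbe\xef" * 5,             # opaque bytes: look closer
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{classify_echo_payload(p):15} {p[:16].hex()}")
    print(summarize(SAMPLE_PAYLOADS))
```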