[Snort-users] Ping

Matt Kettler mkettler at ...4108...
Tue Jun 3 16:01:14 EDT 2003


At 10:08 AM 6/3/2003 -0500, David Alonso De La Vega Tapage wrote:
>This is an interesting situation for me ..
>
>My snort box detects a constant ICMP ping from a small IP range ..  I have 
>been detecting it for about 3 days ..  obviously, these are dropped in my firewall .. but 
>the ping continues ....
>
>I connect from a dial up connection and scan ( with nessus and nmap ) the 
>source IP  and detect that all ports on this box are open ..  very 
>interesting .. !
>
>In this case what is your reaction ..   or what is the reason for this ping 
>..   to freeze my firewall .. ?
>
>Thanx in advance ..

Depends on the ping.. and where the source IPs are. Do a reverse DNS or an 
ARIN ipwhois query to see where this source really is. That's usually my 
first step. 9 times out of 10 it's the DNS server for a website someone was 
visiting.

One of the things you need to realize up front is that pings are NORMAL. 
They usually do not indicate an attack, although they MIGHT indicate 
someone doing a little bit of recon to see what IPs have machines on them. 
You'd really have to study the pattern of pings and correlate them to 
something more insidious before deciding that they are part of recon.

Pings are also sometimes used by backdoor programs as a communication 
channel. These tend to be pretty obvious by the packet contents. Most 
"normal" pings are a fairly obvious simple pattern like counting (01 02 
03..), all 00's, all FF's, and the like, although there is one common 
"normal" ping which contains an image of the Microsoft logo in it (it's got 
a GIF or BMP header in it, it's pretty obvious if you read the ASCII part 
of the packet dump.)

As some examples of real-world things that use ping, and are using them to 
optimize network performance:

1) speedera type "fastest path" distributed DNS systems will send pings to 
your DNS servers anytime you try to resolve the domain for someone using it 
(i.e. windowsupdate does this). Those will appear to come from a small range 
of IPs and are hardly a cause for alarm.

2) Some systems use pings for path MTU discovery.. I think AIX does this, 
among others.

Certainly nobody besides an idiot would expect a few pings to freeze your 
firewall, unless you're running some kind of ancient pile of garbage that 
is vulnerable to one of the "Ping Of Death" variants.. but you'd have to be 
running something that hasn't been updated since 1996 for that.

Ping of death, land, winnuke, etc. are all outdated attacks that rarely work 
on anything, so you generally don't see people try them unless it's part of 
a comprehensive vulnerability test that you hired someone to do. Even the 
lamest skript kiddies no longer use these as a matter of course. DDoS, 
synfloods, buffer overflows against SQL, HTTP, SMTP or DNS servers, and 
open proxy abuse are all much more common these days.
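The payload heuristics Matt describes (counting bytes, all 00's or FF's, an image header) turned into a small triage routine, as an added example that is not part of the original thread. The sample payloads are constructed, and the 8-byte timestamp prefix and the "abcdefghijklmnopqrstuvw" filler are assumptions about common Linux and Windows ping implementations, not something the thread states.

```python
# Added example (not from the original thread): sort ICMP echo payloads into
# "looks like a stock ping" versus "payload worth a closer look".
import math
from collections import Counter

def is_counting(data: bytes) -> bool:
    """Each byte is the previous byte plus one (mod 256): 01 02 03 ..."""
    return len(data) >= 4 and all((b - a) % 256 == 1 for a, b in zip(data, data[1:]))

def is_constant(data: bytes) -> bool:
    """One repeated byte value, e.g. all 00 or all FF."""
    return len(data) >= 4 and len(set(data)) == 1

def is_alphabet(data: bytes) -> bool:
    """Windows-style filler: the 23 letters a..w repeated (assumption, see lead-in)."""
    cycle = b"abcdefghijklmnopqrstuvw"
    return len(data) >= 4 and all(data[i] == cycle[i % len(cycle)] for i in range(len(data)))

def has_image_header(data: bytes) -> bool:
    """GIF or BMP magic at the start of the payload (the 'logo in a ping' case)."""
    return data.startswith((b"GIF87a", b"GIF89a", b"BM"))

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; encoded or encrypted data scores high."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_payload(data: bytes) -> str:
    # Assumption: Linux-style ping puts an 8-byte timestamp before the counting
    # filler, so try the bare payload first and then skip that prefix.
    body = data if is_counting(data) else data[8:]
    if is_constant(data):
        return "constant"
    if is_alphabet(data):
        return "alphabet"
    if is_counting(body):
        return "counting"
    if has_image_header(data):
        return "image"
    if len(data) >= 32 and entropy_bits(data) > 5.0:
        return "high-entropy"   # dense, structureless bytes: read the ASCII dump
    return "unknown"

if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    samples = {
        "linux-like": bytes(8) + bytes(range(0x10, 0x40)),
        "windows-like": b"abcdefghijklmnopqrstuvwabcdefghi",
        "all-zero": b"\x00" * 56,
        "gif-logo": b"GIF89a" + bytes(26),
        "dense": bytes(range(0, 256, 4)),  # stand-in for an encoded payload
    }
    for name, payload in samples.items():
        print(f"{name:13s} -> {classify_payload(payload)}")
```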
