David Alonso De La Vega Tapage
delavegad at ...7768...
Wed Jun 4 07:20:03 EDT 2003
Hello Matt and thanx for your answers ..
Matt Kettler wrote:
> Depends on the ping.. and where the source IPs are. Do a reverse DNS
> or an ARIN ipwhois query to see where this source really is. That's
> usually my first step. 9 times of 10 it's the DNS server for a website
> someone was visiting.
I do that .. and in this case the source IP = 220.127.116.11 ( and .68
and .69 ) can't indentify as website ..
> One of the things you need to realize up front is that pings are
> NORMAL. They usually do not indicate an attack, although they MIGHT
> indicate someone doing a little bit of recon to see what IPs have
> machines on them. You'd really have to study the pattern of pings and
> correlate them to something more insidious before deciding that they
> are part of recon.
well in the first time I thing .. well someone do a global or general
scan .. the ping that registter snort are normal .. but from a Linux
Box .. but the ping continued ... now 4 days, of continuos ping. That
the mean, what is the reazon .. ?
> Pings are also sometimes used by backdoor programs as a communication
> channel. These tend to be pretty obvious by the packet contents. Most
> "normal" pings are a fairly obvious simple pattern like counting (01
> 02 03..) all 00's, all FF's, and the like, although there is one
> common "normal" ping which contains an image of the Microsoft logo in
> it (it's got a jiff or bmp header in it, it's pretty obvious if you
> read the ascii part of the packet dump.)
well I'm not sure but in payload part have this ..
length = 56
000 = 5A BB DD 3E 50 99 07 00 ....
010 = 00 00 00 00 02 00 00 00 ...
020 = 00 00 00 00 08 D6 FF BF ....
030 = C0 D6 FF BF B0 E9 5E 08
The site is .. performance-cw.mia.pnap.net
ver hdrlen tos length id flags offset ttl
4 5 0 84 0 0 0
> As some examples of real-world things that use ping, and are using
> them to optimize network performance:
> 1) speedera type "fastest path" distributed DNS systems will send
> pings to your DNS servers anytime you try to resolve the domain for
> someone using it (ie: windowsupdate does this). Those will appear to
> come from a small range of IPs and are hardly a cause for alarm.
certanly .. but isn't the case ..
> 2) Some systems use pings for path MTU discovery.. I think AIX does
> this, among others.
> Certainly nobody besides an idiot would expect a few pings to freeze
> your firewall, unless you're running some kind of ancient pile of
> garbage that is vulnerable to one of the "Ping Of Death" variants..
> but you'd have to be running something that hasn't been updated since
> 1996 for that.
> Ping of death, land, winnuke, etc are all outdated attacks that rarely
> work on anything so you generally don't see people try them unless
> it's part of a comprehensive vulnerability test that you hired someone
> to do.
This is my fellíng .. if have a ping ok .. is normal .. but few
days of constant ping, with some hour intervals are very extrange for
> Even the lamest skript kiddies no longer use these as a matter of
> course. DDoS, synfloods, buffer overflows against SQL, HTTP, SMTP or
> DNS servers, and open proxy abuse are all much more common these days.
I'm totaly agree with you .. and thanx for you time .. !
More information about the Snort-users