DDoS help!

From: Sebastian Ip (9sckiat_private)
Date: Sat Jan 26 2002 - 10:06:46 PST


    Dear bugtraq
    
    I am under a bit of an ICMP flood right now, and I really would like to hear 
    what more experienced people have to say about this.
    
    I am actually experiencing nothing significant 
    
    tcpdump shows this:
     12:59:34.427801 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: icmp: echo request (frag 44560:1480@0+)
    12:59:34.427801 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@50320+)
    12:59:34.427801 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@51800+)
    12:59:34.427801 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@53280+)
    12:59:34.427801 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@54760+)
    12:59:34.427801 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@56240+)
    12:59:34.437800 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@57720+)
    12:59:34.437800 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@59200+)
    12:59:34.437800 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@60680+)
    12:59:34.437800 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@62160+)
    12:59:34.437800 > d226-19-71.home.cgocable.net > 
    ct299951-b.edgewd1.ky.home.com: (frag 43565:368@63640)
    12:59:34.457799 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@1480+)
    12:59:34.477797 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@2960+)
    12:59:34.507795 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@4440+)
    12:59:34.537793 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@5920+)
    12:59:34.557791 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@7400+)
    12:59:34.587789 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@8880+)
    12:59:34.617787 < port90.ds1-vj.adsl.cybercity.dk > 
    d226-19-71.home.cgocable.net: (frag 44560:1480@10360+)
    12:59:35.087752 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    icmp: echo request (frag 58961:1480@0+)
    12:59:35.267739 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@1480+)
    12:59:35.317735 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@2960+)
    12:59:35.377731 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@4440+)
    12:59:35.467724 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@5920+)
    12:59:35.557717 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@7400+)
    12:59:35.657710 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@8880+)
    12:59:35.747703 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@10360+)
    12:59:35.847696 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@11840+)
    12:59:35.937689 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@13320+)
    12:59:35.947689 < 12-248-194-107.client.attbi.com > 
    d226-19-71.home.cgocable.net: icmp: echo request (frag 56714:1480@0+)
    12:59:35.957688 < 12-248-194-107.client.attbi.com > 
    d226-19-71.home.cgocable.net: (frag 56714:1480@1480+)
    12:59:35.977687 < 12-248-194-107.client.attbi.com > 
    d226-19-71.home.cgocable.net: (frag 56714:1480@2960+)
    12:59:35.987686 < 12-248-194-107.client.attbi.com > 
    d226-19-71.home.cgocable.net: (frag 56714:1480@4440+)
    12:59:35.997685 < 12-248-194-107.client.attbi.com > 
    d226-19-71.home.cgocable.net: (frag 56714:1480@5920+)
    12:59:36.037682 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@14800+)
    12:59:36.127675 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@16280+)
    12:59:36.217669 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@17760+)
    12:59:36.317661 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@19240+)
    12:59:36.407655 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@20720+)
    12:59:36.507647 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: 
    (frag 58961:1480@22200+)
    
    It seems that the icmp echo request causes my machine to generate a bunch of 
    icmp packets at another host!
    
    What's going on?
    
    Thanks
    
    Sebastian Ip
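
Added example, not part of the original post: a small Python parser that groups the fragment lines of a capture in this tcpdump format by direction, source, destination and IP ID, so each fragment train's size and completeness can be compared. The `SAMPLE` entries are copied from the capture above; the function and field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Four entries copied from the capture above, still wrapped as in the e-mail.
SAMPLE = """\
12:59:34.427801 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: icmp: echo request (frag 44560:1480@0+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@62160+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:368@63640)
12:59:34.457799 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@1480+)
"""

# "<" / ">" is the capture direction; a trailing "+" means more fragments follow.
FRAG = re.compile(
    r"(?P<dir>[<>]) (?P<src>\S+) > (?P<dst>[^\s:]+): "
    r"(?P<echo>icmp: echo request )?"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\)"
)

def summarize(capture):
    """Group fragments into trains keyed by (direction, src, dst, IP ID)."""
    flat = " ".join(capture.split())  # undo the mail client's line wrapping
    trains = defaultdict(lambda: {"frags": 0, "seen": 0, "total": None,
                                  "echo_request": False})
    for m in FRAG.finditer(flat):
        t = trains[(m["dir"], m["src"], m["dst"], int(m["id"]))]
        length, offset = int(m["len"]), int(m["off"])
        t["frags"] += 1
        t["seen"] += length
        if not m["mf"]:   # the last fragment fixes the datagram's payload size
            t["total"] = offset + length
        if m["echo"]:     # only the first fragment names the protocol
            t["echo_request"] = True
    return dict(trains)

if __name__ == "__main__":
    for (direction, src, dst, ip_id), t in summarize(SAMPLE).items():
        print(direction, src, "->", dst, "id", ip_id, t)
```

A train whose `total` is set but whose `seen` is smaller was only partly captured; a train with `total` still `None` had not finished when the capture stopped.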
    