These scans show up on my IDS like this: [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] 06/13-08:38:18.651820 64.15.251.198 -> 63.254.234.169 ICMP TTL:50 TOS:0x0 ID:58844 IpLen:20 DgmLen:84 Type:8 Code:0 ID:39681 Seq:30247 ECHO There is a thread discussing this issue here: http://www.incidents.org/archives/intrusions/msg03580.html There is an article about this here: http://www.linuxsecurity.com/articles/firewalls_article-2064.html Lots of information about the subject by asking google "speedera ping". Edward Beheler BOFH -----Original Message----- From: Jason Dixon [mailto:jasondixonat_private] Sent: Sunday, June 16, 2002 5:49 AM To: incidentsat_private Subject: Distributed ICMP/UDP scan or attack? Hi all: Please excuse me if this is a newbie question, I'm not sure how to go about searching for answers on intrustion/scanner patterns and the like. I noticed this series of scans/connections in my firewall log this morning. The first thing that came to mind was the Bind 9 vulnerability, but there aren't any exploits available yet, IIRC. As you can see, there was a series of three icmp queries followed by two unsuccessful DNS connections. Has anyone seen this? < Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp < Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp < Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 207.235.98.194 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 209.240.77.130 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x icmp < Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x icmp < Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 207.235.98.194 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 209.240.77.130 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x icmp < Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x icmp < Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp < Jun 15 15:48:12 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp < Jun 15 15:48:12 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp -- Jason Dixon RHCE ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 14:55:13 PDT