RE: Distributed ICMP/UDP scan or attack?

From: Edward Beheler (edward.behelerat_private)
Date: Mon Jun 17 2002 - 14:24:19 PDT


    These scans show up on my IDS like this:
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    06/13-08:38:18.651820 64.15.251.198 -> 63.254.234.169
    ICMP TTL:50 TOS:0x0 ID:58844 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:39681   Seq:30247  ECHO
    
    There is a thread discussing this issue here:
    http://www.incidents.org/archives/intrusions/msg03580.html
    
    There is an article about this here:
    http://www.linuxsecurity.com/articles/firewalls_article-2064.html
    
    Lots of information about the subject by asking google "speedera ping".
    
    Edward Beheler
    BOFH
    
    -----Original Message-----
    From: Jason Dixon [mailto:jasondixonat_private] 
    Sent: Sunday, June 16, 2002 5:49 AM
    To: incidentsat_private
    Subject: Distributed ICMP/UDP scan or attack?
    
    
    Hi all:
    
    Please excuse me if this is a newbie question, I'm not sure how to go
    about searching for answers on intrusion/scanner patterns and the like.
    I noticed this series of scans/connections in my firewall log this
    morning.  The first thing that came to mind was the Bind 9
    vulnerability, but there aren't any exploits available yet, IIRC.
    
    As you can see, there was a series of three icmp queries followed by two
    unsuccessful DNS connections.  Has anyone seen this?  
    
    < Jun  15  15:47:31  dc0  208.185.54.14  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  64.15.251.198  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  213.61.6.2  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  207.235.98.194  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  64.0.96.12  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  209.240.77.130  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  65.119.25.162  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  204.176.88.5  ->  x.x.x.x  icmp
    < Jun  15  15:47:32  dc0  64.14.117.10  ->  x.x.x.x  icmp
    < Jun  15  15:47:32  dc0  212.62.17.145  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  64.15.251.198  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  208.185.54.14  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  213.61.6.2  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  207.235.98.194  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  64.0.96.12  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  209.240.77.130  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  204.176.88.5  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  65.119.25.162  ->  x.x.x.x  icmp
    < Jun  15  15:47:43  dc0  64.14.117.10  ->  x.x.x.x  icmp
    < Jun  15  15:47:43  dc0  212.62.17.145  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  208.185.54.14  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  64.15.251.198  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  213.61.6.2  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  207.235.98.194  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  64.0.96.12  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  209.240.77.130  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  65.119.25.162  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  204.176.88.5  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  64.14.117.10  ->  x.x.x.x  icmp
    < Jun  15  15:47:53  dc0  212.62.17.145  ->  x.x.x.x  icmp
    < Jun  15  15:48:01  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  207.235.98.194,54613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  64.0.96.12,50831  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  209.240.77.130,39805  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  65.119.25.162,3058  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  204.176.88.5,8329  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  64.14.117.10,4502  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  212.62.17.145,54557  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  207.235.98.194,54613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  64.0.96.12,50831  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  209.240.77.130,39805  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  65.119.25.162,3058  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  204.176.88.5,8329  ->  x.x.x.x,53  udp
    < Jun  15  15:48:12  dc0  64.14.117.10,4502  ->  x.x.x.x,53  udp
    < Jun  15  15:48:12  dc0  212.62.17.145,54557  ->  x.x.x.x,53  udp
    
    -- 
    Jason Dixon
    RHCE
    
    
    ------------------------------------------------------------------------
    ----
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
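To make the sequence in the quoted log concrete, here is an added Python example (not from the thread or either poster) that parses lines in that firewall log format, groups them by source address, and reports sources whose ICMP echoes are followed by UDP/53 within a short window, together with the mean gap between their echoes; the log lines below are constructed to mirror the thread's format, and the 10.9.9.9 source is a made-up address that only pings.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the firewall log quoted in the thread
# ("< Mon DD HH:MM:SS iface src[,port] -> dst[,port] proto"). Two sources
# probe with ICMP then UDP/53 at ~10 s intervals; 10.9.9.9 only pings.
SAMPLE_LOG = """\
< Jun  15  15:47:31  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  10.9.9.9  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:48:01  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
"""

def parse_line(line):
    """Return {ts, src, dport, proto} for one log line, or None if it does not fit."""
    p = line.split()
    if len(p) != 9 or p[0] != "<" or p[6] != "->":
        return None
    src, _, _ = p[5].partition(",")          # drop the source port, if any
    _, _, dport = p[7].partition(",")        # destination port, if any
    ts = datetime.strptime(" ".join(p[1:4]), "%b %d %H:%M:%S")
    return {"ts": ts, "src": src, "dport": int(dport) if dport else None, "proto": p[8]}

def classify_sources(log_text, window_s=60):
    """Per source: ICMP count, UDP/53 count, mean gap between ICMP echoes, and
    whether UDP/53 followed the last echo within window_s (the thread's pattern)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        icmp = [e["ts"] for e in evs if e["proto"] == "icmp"]
        dns = [e["ts"] for e in evs if e["proto"] == "udp" and e["dport"] == 53]
        followed = bool(icmp and dns and dns[0] > icmp[-1]
                        and (dns[0] - icmp[-1]).total_seconds() <= window_s)
        gaps = [(b - a).total_seconds() for a, b in zip(icmp, icmp[1:])]
        cadence = sum(gaps) / len(gaps) if gaps else None
        report[src] = {"icmp": len(icmp), "dns": len(dns),
                       "cadence": cadence, "flag": followed}
    return report
```

Running `classify_sources(SAMPLE_LOG)` flags the two sources that pinged three times and then tried port 53 twice, and leaves the ping-only source unflagged, which is the distinction an analyst needs before deciding whether a burst like the one quoted is a scan or a CDN latency probe.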
    



    This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 14:55:13 PDT