Do not block all ICMP unless you understand the consequences. Block ICMP echo only.

http://216.239.51.100/search?q=cache:4gLAFdrzNpQC:www.worldgate.com/~marcs/mtu/+ip+pmtu+icmp+problem&hl=en

BR,
Boyan Krosnov, CCIE#8701
Just another techie speaking for himself

> -----Original Message-----
> From: J Jewitt [mailto:jjewitt2001at_private]
> Sent: Monday, June 17, 2002 8:31 PM
> To: Jason Dixon; incidentsat_private
> Subject: Re: Distributed ICMP/UDP scan or attack?
>
> Looks to me like a ping followed by a UDP connect.
> Ten extra IP addresses were probably inserted as decoys.
> I would assert that only one of those eleven IPs is your scanner.
> I believe that NMAP would look like this, if configured to ping first
> and use ten decoys. Blocking icmp at your firewall is a good way to
> mitigate blind scans.
>
> J Jewitt
>
> --- Jason Dixon <jasondixonat_private> wrote:
> > Hi all:
> >
> > Please excuse me if this is a newbie question, I'm not sure how to go
> > about searching for answers on intrusion/scanner patterns and the
> > like. I noticed this series of scans/connections in my firewall log
> > this morning. The first thing that came to mind was the Bind 9
> > vulnerability, but there aren't any exploits available yet, IIRC.
> >
> > As you can see, there was a series of three icmp queries followed by
> > two unsuccessful DNS connections. Has anyone seen this?
> >
> > < Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp
> > < Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp
> > < Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp
> > < Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 207.235.98.194 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 209.240.77.130 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x icmp
> > < Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x icmp
> > < Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x icmp
> > < Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 207.235.98.194 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 209.240.77.130 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x icmp
> > < Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x icmp
> > < Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x icmp
> > < Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
> > < Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
> > < Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
> > < Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
> > < Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
> > < Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
> > < Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
> > < Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
> > < Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
> > < Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
> > < Jun 15 15:48:11 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
> > < Jun 15 15:48:12 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
> > < Jun 15 15:48:12 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
> >
> > --
> > Jason Dixon
> > RHCE
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
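One way to pick the pattern discussed in this thread out of a firewall log, as an added example that is not code from any of the posters: it parses lines in the format Jason Dixon quoted and reports sources that sent ICMP and then a UDP/53 attempt within a short window, but only when several sources do so in lockstep, which is the decoy-padded scan J Jewitt describes. The sample lines, the 60-second window and the source threshold are constructed for this example.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(  # "< Jun 15 15:48:01 dc0 1.2.3.4,1687 -> x.x.x.x,53 udp"
    r"^<\s+\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:,\d+)?\s+->\s+"
    r"[\w.]+?(?:,(?P<dport>\d+))?\s+(?P<proto>icmp|udp|tcp)$"
)

def parse_log(lines):
    """Return (seconds_since_midnight, src, proto, dport) per parseable line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s = (int(x) for x in m["time"].split(":"))
            out.append((h * 3600 + mi * 60 + s, m["src"], m["proto"], int(m["dport"] or 0)))
    return out

def find_lockstep_sources(events, window=60, min_sources=5):
    """Map src -> (icmp_probes, udp53_attempts) for sources that pinged and then
    hit UDP/53 within `window` seconds, reported only when >= `min_sources` did so
    together: many addresses moving in lockstep is the decoy-padded scan pattern."""
    first_icmp, first_udp = {}, {}
    icmp_n, udp_n = defaultdict(int), defaultdict(int)
    for ts, src, proto, dport in events:
        if proto == "icmp":
            first_icmp.setdefault(src, ts)
            icmp_n[src] += 1
        elif proto == "udp" and dport == 53:
            first_udp.setdefault(src, ts)
            udp_n[src] += 1
    hits = {s: (icmp_n[s], udp_n[s]) for s in first_icmp
            if s in first_udp and 0 <= first_udp[s] - first_icmp[s] <= window}
    return hits if len(hits) >= min_sources else {}

# Constructed sample lines in the same format (documentation-range addresses).
SAMPLE = """\
< Jun 15 15:47:31 dc0 192.0.2.10 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 198.51.100.7 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 203.0.113.9 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 192.0.2.10 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 198.51.100.7 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 203.0.113.9 -> x.x.x.x icmp
< Jun 15 15:47:55 dc0 192.0.2.44 -> x.x.x.x icmp
< Jun 15 15:48:01 dc0 192.0.2.10,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 198.51.100.7,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 203.0.113.9,17613 -> x.x.x.x,53 udp
< Jun 15 15:49:30 dc0 198.51.100.200,4000 -> x.x.x.x,53 udp
""".splitlines()
```

With `min_sources=3` the three lockstep sources are reported with their probe counts; the ping-only host and the lone DNS client are not.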
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 14:59:19 PDT