Speedera Ping, was "Packets from 255.255.255.255(80), etc."

From: Neil Dickey (neilat_private)
Date: Mon Feb 03 2003 - 08:53:03 PST

    "Joel Tyson" <jtysonat_private> wrote:
    
    >I was receiving those yesterday, but not many today.  Has anyone been
    >getting ICMP echo requests from strange addresses?  This past week on
    >a couple of my firewalls, I am getting a cluster of ICMP packets all
    >sent at the same time from different ISPs.  I doubt it is a DDOS, one
    >of the addresses is even NASA.  Here is a sample:
    >
    >2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from
    >63.218.7.130 on interface 0
    
    My Snort sensor has logged similar activity, all directed at a single
    box.  Like you, I initially thought it was a DDOS, but it doesn't last
    long enough really to qualify.  Snort styles this activity as "Speedera
    pings."
    
    I haven't done a detailed search of the logs you provided, but at least
    some of your source addresses are identical with the ones I see.  The
    source address, for instance, of your first entry ( above ) is identical
    with the source address in my fifth entry.  No two sources appear to be
    the same, and I'm sure they're spoofed.
    
    It is my understanding that "Speedera" is a web service provider, and that
    these pings can be used by large distributed websites to determine the most
    efficient path from a webserver to a client, but that doesn't appear to be
    the purpose here.  The target box is being used as a third-level DNS server,
    and also hosts the namespace our PCs use.  I've replaced its IP address in
    my logs, given below, with "our.MS.name.server".  The MAC address of this
    box has also been altered.  The source MAC address is that of our border
    router, so the packets are in fact coming from off site.
    
    I'd sure like to know what this is all about, and would be most grateful
    to anyone who could help.
    
    Best regards,
    
    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:12.765915 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.15.251.198 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:61298 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:48385   Seq:13145  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:12.791274 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    208.185.54.14 -> our.MS.name.server ICMP TTL:53 TOS:0x0 ID:17890 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:36865   Seq:47645  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:12.798243 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    204.176.88.5 -> our.MS.name.server ICMP TTL:46 TOS:0xA0 ID:31706 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:49409   Seq:46907  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:12.842945 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.0.96.12 -> our.MS.name.server ICMP TTL:47 TOS:0xA0 ID:56163 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:60224   Seq:4014  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:12.856952 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    63.218.7.130 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:44016 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:27909   Seq:17511  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:12.914691 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    213.61.6.2 -> our.MS.name.server ICMP TTL:52 TOS:0xA0 ID:63660 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:24926   Seq:17431  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:13.014546 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    203.89.210.82 -> our.MS.name.server ICMP TTL:48 TOS:0x0 ID:49618 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:48197   Seq:4518  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:13.020304 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    216.74.133.194 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:36135 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:64317   Seq:52556  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:13.021201 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.14.117.10 -> our.MS.name.server ICMP TTL:47 TOS:0xA0 ID:20217 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:63564   Seq:44878  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:13.058894 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    66.28.255.130 -> our.MS.name.server ICMP TTL:45 TOS:0xA0 ID:64317 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:53505   Seq:48022  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:13.066203 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    202.160.241.130 -> our.MS.name.server ICMP TTL:45 TOS:0x0 ID:31955 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:28162   Seq:14725  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:13.085278 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    212.62.17.145 -> our.MS.name.server ICMP TTL:49 TOS:0xA0 ID:48367 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:60435   Seq:6285  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:22.781323 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.15.251.198 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:62578 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:48385   Seq:10587  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:22.797286 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    204.176.88.5 -> our.MS.name.server ICMP TTL:46 TOS:0xA0 ID:32630 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:49409   Seq:22845  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:22.856430 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.0.96.12 -> our.MS.name.server ICMP TTL:47 TOS:0xA0 ID:57206 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:60224   Seq:53679  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:22.870061 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    63.218.7.130 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:45703 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:27909   Seq:24170  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:22.929115 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    213.61.6.2 -> our.MS.name.server ICMP TTL:52 TOS:0xA0 ID:64617 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:24926   Seq:53528  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:22.981511 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    208.185.54.14 -> our.MS.name.server ICMP TTL:53 TOS:0x0 ID:18906 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:36865   Seq:18463  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:23.014251 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    203.89.210.82 -> our.MS.name.server ICMP TTL:48 TOS:0x0 ID:49935 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:48197   Seq:30118  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:23.024213 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    216.74.133.194 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:36597 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:64317   Seq:34381  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:23.033927 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.14.117.10 -> our.MS.name.server ICMP TTL:47 TOS:0xA0 ID:21857 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:63564   Seq:48977  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:23.071220 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    66.28.255.130 -> our.MS.name.server ICMP TTL:45 TOS:0xA0 ID:544 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:53505   Seq:30616  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:23.088269 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    202.160.241.130 -> our.MS.name.server ICMP TTL:45 TOS:0x0 ID:33666 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:28162   Seq:29064  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:23.132904 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    212.62.17.145 -> our.MS.name.server ICMP TTL:49 TOS:0xA0 ID:50292 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:60435   Seq:14224  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:32.785191 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.15.251.198 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:63781 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:48385   Seq:3933  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:32.801228 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    204.176.88.5 -> our.MS.name.server ICMP TTL:46 TOS:0xA0 ID:33567 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:49409   Seq:61502  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:32.810554 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    208.185.54.14 -> our.MS.name.server ICMP TTL:53 TOS:0x0 ID:19885 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:36865   Seq:50464  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:32.868043 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.0.96.12 -> our.MS.name.server ICMP TTL:47 TOS:0xA0 ID:58205 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:60224   Seq:32433  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:32.871876 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    63.218.7.130 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:47376 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:27909   Seq:28269  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:32.935991 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    213.61.6.2 -> our.MS.name.server ICMP TTL:52 TOS:0xA0 ID:65510 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:24926   Seq:21018  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:33.018747 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    203.89.210.82 -> our.MS.name.server ICMP TTL:48 TOS:0x0 ID:50322 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:48197   Seq:65190  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:33.030423 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    216.74.133.194 -> our.MS.name.server ICMP TTL:51 TOS:0xA0 ID:37054 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:64317   Seq:8526  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:33.055875 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    64.14.117.10 -> our.MS.name.server ICMP TTL:47 TOS:0xA0 ID:23502 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:63564   Seq:50516  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:33.076153 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    66.28.255.130 -> our.MS.name.server ICMP TTL:45 TOS:0xA0 ID:1788 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:53505   Seq:12954  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:33.108021 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    202.160.241.130 -> our.MS.name.server ICMP TTL:45 TOS:0x0 ID:35358 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:28162   Seq:34955  ECHO
    
    [**] [1:480:2] ICMP PING speedera [**]
    [Classification: Misc activity] [Priority: 3]
    02/02-17:51:33.128276 0:1:64:73:31:4 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62
    212.62.17.145 -> our.MS.name.server ICMP TTL:49 TOS:0xA0 ID:52177 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:60435   Seq:22931  ECHO
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
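
An added example, not part of the original post: a small Python parser for Snort full-format alerts like those above that reports, per source address, the alert count, the gaps between alerts, and which TTL and ICMP ID values were seen. The sample alerts are constructed with documentation addresses, and the year is an assumption because the alert timestamp carries none.

```python
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2003  # assumption: Snort's alert timestamp carries no year

# Matches the timestamp, IP and ICMP lines of one Snort "full" alert.
ALERT_RE = re.compile(
    r"^[ \t]*(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) .*\n"
    r"[ \t]*(?P<src>\d+(?:\.\d+){3}) -> \S+ ICMP TTL:(?P<ttl>\d+) .*\n"
    r"[ \t]*Type:8\s+Code:0\s+ID:(?P<icmp_id>\d+)",
    re.MULTILINE)

# Constructed sample: two sources (documentation addresses), three bursts.
TEMPLATE = (
    "[**] [1:480:2] ICMP PING speedera [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "02/02-{0} 0:1:2:3:4:5 -> AA:BB:CC:DD:EE:FF type:0x800 len:0x62\n"
    "{1} -> our.MS.name.server ICMP TTL:{2} TOS:0xA0 ID:1000 IpLen:20 DgmLen:84\n"
    "Type:8  Code:0  ID:{3}   Seq:1  ECHO\n")
ROWS = [
    ("17:51:12.765915", "192.0.2.10", 51, 48385),
    ("17:51:12.791274", "198.51.100.7", 53, 36865),
    ("17:51:22.781323", "192.0.2.10", 51, 48385),
    ("17:51:22.981511", "198.51.100.7", 53, 36865),
    ("17:51:32.785191", "192.0.2.10", 51, 48385),
    ("17:51:32.810554", "198.51.100.7", 53, 36865),
]
SAMPLE = "\n".join(TEMPLATE.format(*r) for r in ROWS)

def summarise(text):
    """Group echo-request alerts by source; report timing and header values."""
    by_src = defaultdict(list)
    for m in ALERT_RE.finditer(text):
        when = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        by_src[m["src"]].append((when, int(m["ttl"]), int(m["icmp_id"])))
    report = {}
    for src, rows in by_src.items():
        rows.sort()
        times = [r[0] for r in rows]
        report[src] = {
            "count": len(rows),
            "gaps_s": [round((b - a).total_seconds(), 1)
                       for a, b in zip(times, times[1:])],
            "ttls": sorted({r[1] for r in rows}),          # distinct TTLs seen
            "icmp_ids": sorted({r[2] for r in rows}),      # distinct ICMP IDs seen
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(summarise(SAMPLE).items()):
        print(src, info)
```

The regular expression tolerates leading spaces or tabs, so alerts pasted from an indented archive page parse the same way as the raw alert file.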
    