Re: [fw-wiz] New Script Kiddie tool ?

From: H. Morrow Long (morrow.long@yale.edu)
Date: 08/23/02


From: "H. Morrow Long" <morrow.long@yale.edu>
To: Peter Robinson <peter@securegateway.org>
Date: Fri Aug 23 12:40:02 2002

208.184.139.82 is 208.184.139.82.speedera.com
208.185.54.14 is 208.185.54.14.speedera.com

Speedera (www.speedera.com) is a streaming content delivery company.

I noticed that Snort added a new signature recently (in the last year)
called the 'speedera ping'.

It would appear that Speedera may be trying to gauge the QoS RTT between
one of their streaming servers and an endpoint by using the ICMP Echo
packets.

The Snort rule from the std snort db is:

icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; sid:480; classtype:misc-activity; rev:2;)

H. Morrow Long
University Information Security Officer
Yale University, ITS, Dir. InfoSec Office

Peter Robinson wrote:
>
> G/Day all
>
> Has anyone seen this sort of probe?
>
> It appears from all over the place and it seems to be spaced exactly 10
> seconds apart.
>
> I am assuming this is a tool of sorts..
>
> Source Address=208.184.139.82
> Aug 22 14:04:21 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:31 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:41 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:51 Firewall 208.184.139.82 61.x.x.x----UDP 53
> Aug 22 14:05:01 Firewall 208.184.139.82 61.x.x.x----UDP 53
> Aug 22 17:00:03 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:13 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:23 Firewall 208.184.139.82 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:33 Firewall 208.184.139.82 61.x.x.x----UDP 53
> Aug 22 17:00:43 Firewall 208.184.139.82 61.x.x.x----UDP 53
>
> Source Address=208.185.54.14
> Aug 22 14:04:21 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 14:04:52 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 14:05:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 15:53:32 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:42 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:52 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 15:54:12 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 17:00:02 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:12 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:22 Firewall 208.185.54.14 61.x.x.x----ICMP TYPE=8
> Aug 22 17:00:32 Firewall 208.185.54.14 61.x.x.x----UDP 53
> Aug 22 17:00:42 Firewall 208.185.54.14 61.x.x.x----UDP 53
>
> Source Address=208.225.197.194
> Aug 22 15:53:35 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:45 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:55 Firewall 208.225.197.194 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:05 Firewall 208.225.197.194 61.x.x.x----UDP 53
> Aug 22 15:54:15 Firewall 208.225.197.194 61.x.x.x----UDP 53
>
> Source Address=208.254.18.130
> Aug 22 15:53:31 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:41 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:51 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.254.18.130 61.x.x.x----UDP 53
> Aug 22 15:54:11 Firewall 208.254.18.130 61.x.x.x----UDP 53
>
> Source Address=208.254.75.130
> Aug 22 15:53:32 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:42 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:52 Firewall 208.254.75.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.254.75.130 61.x.x.x----UDP 53
> Aug 22 15:54:12 Firewall 208.254.75.130 61.x.x.x----UDP
>
> Peter Robinson
> Senior Security Engineer - Sydney
> DeMorgan Information Security Specialists
> robinson_p@demorgan.com.au, www.demorgan.com.au,
> Tel. 1800 336 674
> Tel. +61 2 9929-0377
> Fax +61 2 9499 4885
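
An added example, not part of the original thread or of Snort: a small Python check that groups firewall log lines in the format quoted above by source and flags bursts with the shape seen in the log (three ICMP echo requests followed by two UDP/53 packets, about 10 seconds apart). The function names, the 30-second burst gap, the 1-second jitter allowance and the year 2002 (taken from the message date) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# 208.254.18.130 lines are from the quoted log; 192.0.2.7 lines are constructed.
SAMPLE = """\
> Aug 22 15:53:31 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:41 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:53:51 Firewall 208.254.18.130 61.x.x.x----ICMP TYPE=8
> Aug 22 15:54:02 Firewall 208.254.18.130 61.x.x.x----UDP 53
> Aug 22 15:54:11 Firewall 208.254.18.130 61.x.x.x----UDP 53
> Aug 22 15:53:30 Firewall 192.0.2.7 61.x.x.x----ICMP TYPE=8
> Aug 22 16:20:00 Firewall 192.0.2.7 61.x.x.x----ICMP TYPE=8
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) Firewall (\S+) \S+?----(.+)$")
PROBE = ["ICMP TYPE=8"] * 3 + ["UDP 53"] * 2  # burst shape seen in the quoted log

def parse(text, year=2002):
    """Yield (source, time, event); syslog-style stamps carry no year (assumed)."""
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> ").strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield m.group(2), ts, m.group(3).strip()

def bursts(events, max_gap=30):
    """Split one source's sorted events wherever the gap exceeds max_gap seconds."""
    groups = [[events[0]]]
    for ev in events[1:]:
        if (ev[0] - groups[-1][-1][0]).total_seconds() > max_gap:
            groups.append([])
        groups[-1].append(ev)
    return groups

def is_probe(burst, interval=10, jitter=1):
    """True for 3 echo requests then 2 UDP/53, each interval +/- jitter s apart."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(burst, burst[1:])]
    return [e for _, e in burst] == PROBE and all(abs(g - interval) <= jitter for g in gaps)

def classify(text):
    """Return {source: (probe-shaped bursts, total bursts)}."""
    per_src = defaultdict(list)
    for src, ts, ev in parse(text):
        per_src[src].append((ts, ev))
    result = {}
    for src, events in per_src.items():
        groups = bursts(sorted(events))
        result[src] = (sum(is_probe(g) for g in groups), len(groups))
    return result

print(classify(SAMPLE))
```

The jitter allowance matters: the quoted log itself shows 9- and 11-second gaps inside otherwise regular bursts, so an exact 10-second match would miss them.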