Re: Simultaneous ping from lots of different hosts.

From: Hubert BUT (xfer@but.pl)
Date: 10/30/01


Date: Tue, 30 Oct 2001 07:53:14 +0100 (CET)
From: Hubert BUT <xfer@but.pl>
To: Johannes Verelst <johannes@verelst.net>
Subject: Re: Simultaneous ping from lots of different hosts.
Message-ID: <Pine.LNX.4.33.0110300748440.8331-100000@but.pl>

Hello....

These icmp packets may be something like rst and ack packets sent from
random hosts on the internet... We were working on them several months ago
with lcamtuf, who created a special project called WTF and has written a tool
for analyzing these packets, based on tcpdump (Passive OS Fingerprinting =
p0f)...

Tool location: http://lcamtuf.coredump.cx/soft/p0f.tgz
Project info: http://lcamtuf.coredump.cx/wtf/

greets...

0x78666572

#$@#$@@%%%#&# [xfer][Hubert Pasternak] @#@!$#@!$^#$
$% [E-Mail: xfer@hert.org][Mobile: +48609928174] $#
##$% [ EP BUT Ltd. Network Security Specialist] #$@

On Mon, 29 Oct 2001, Johannes Verelst wrote:

> Hi,
>
> Today, my icmplogd showed that I was being pinged from a lot of different
> hosts. I got curious, because this is quite unusual on my machine, so I
> started a little investigation.
>
> First of all, the IPs all ping within the same second (syslog can't
> measure more accurately than that). There are several 'sweeps', ranging from
> 4 to 6 icmp_echos. These sweeps started around one month ago, but with
> very low intensity. During the month the intensity went up.
>
> I took one of the IPs and looked up the owner of the netblock. Pasting
> this into google gave a very interesting thread on the Snort-users
> mailing list:
> http://archives.neohapsis.com/archives/snort/2000-11/0366.html. The most
> interesting part: this happened exactly 11 months ago, 28 November 2000.
> The list of hosts mentioned is partly the same as the IPs that I see,
> more specifically:
>
> 208.185.54.14
> 204.176.88.5
> 207.235.98.194
>
> I have ICMP-fingerprinted the hosts with the utility xprobe, all of them
> gave the following OS fingerprint:
> Linux 2.2.x/2.4.5+ kernel
>
> except for two IPs:
> 204.176.88.5, h-213.61.6.2.host.de.colt.net
>
> These IPs give the following fingerprint:
> FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38
> Nokia IPSO 3.2-2.3.1 releng 783-849
> Ricoh Aficio AP4500 Network Laster Printer
> Linux 2.0.x/2.2.x/2.4.x
> Shiva AccessPort Bridge/Router Software V.2.1.0 ]
>
> Those IPs also have port 80 open. A small HEAD gives:
> HTTP/1.0 200 OK
> Date: Mon, 29 Oct 2001 14:52:48 GMT
> Server: swcd/4.0.0003
> Connection: close
>
> So, does anybody know what this is? The strange thing is that almost a
> year ago (exactly 11 months) somebody got exactly the same 'probes'.
> Strangely enough, no tcp connections are made (I usually have udp logging
> disabled because there's a _lot_ of UDP traffic. I enabled it now to see
> if anything is happening). If anybody has any suggestions on how to be
> more paranoid, please let me know.
>
> Kind regards,
>
> Johannes Verelst
> --
> Unix is simple. It just takes a genius to understand its simplicity
> Make it idiot proof, and someone will make a better idiot.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
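A small detector for the pattern Johannes describes, added here as an example and not taken from the thread or from either poster: it groups ICMP echo log lines by their one-second syslog timestamp, reports seconds in which several distinct hosts pinged (one host pinging repeatedly is not a sweep), and then checks the sources against a list of hosts from an earlier incident. The log line layout is assumed (no icmplogd output appears in the thread), the sample lines are constructed, and the three addresses are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines in a layout assumed for an ICMP logger;
# the real icmplogd format is not shown in the thread.
SAMPLE_LOG = """\
Oct 29 14:52:48 gw icmplogd: ICMP echo from 208.185.54.14 to 10.0.0.5
Oct 29 14:52:48 gw icmplogd: ICMP echo from 204.176.88.5 to 10.0.0.5
Oct 29 14:52:48 gw icmplogd: ICMP echo from 207.235.98.194 to 10.0.0.5
Oct 29 14:52:48 gw icmplogd: ICMP echo from 192.0.2.7 to 10.0.0.5
Oct 29 14:53:10 gw icmplogd: ICMP echo from 198.51.100.9 to 10.0.0.5
Oct 29 14:55:02 gw icmplogd: ICMP echo from 203.0.113.3 to 10.0.0.5
Oct 29 14:55:02 gw icmplogd: ICMP echo from 203.0.113.3 to 10.0.0.5
"""

# Timestamp, source and destination of one echo request (assumed layout).
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ icmplogd: ICMP echo from (\S+) to (\S+)"
)


def parse(log_text):
    """Yield (syslog_timestamp, source_ip) for every ICMP echo line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def find_sweeps(log_text, min_sources=4):
    """Return {timestamp: [sources]} for each second in which at least
    min_sources *distinct* hosts sent an echo request. Using a set per
    second means a single noisy host never counts as a sweep."""
    by_second = defaultdict(set)
    for ts, src in parse(log_text):
        by_second[ts].add(src)
    return {ts: sorted(srcs) for ts, srcs in by_second.items()
            if len(srcs) >= min_sources}


def overlap_with_known(sweeps, known_hosts):
    """Sweep sources that also appeared in an earlier incident's host list."""
    seen = set()
    for srcs in sweeps.values():
        seen.update(srcs)
    return sorted(seen & set(known_hosts))


if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG)
    print("sweeps:", sweeps)
    print("recurring:", overlap_with_known(sweeps, {"208.185.54.14", "204.176.88.5"}))
```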