Re: Simultanious ping from lots of different hosts.

From: Hubert BUT (xfer@but.pl)
Date: 10/30/01


Date: Tue, 30 Oct 2001 07:53:14 +0100 (CET)
From: Hubert BUT <xfer@but.pl>
To: Johannes Verelst <johannes@verelst.net>
Subject: Re: Simultanious ping from lots of different hosts.
Message-ID: <Pine.LNX.4.33.0110300748440.8331-100000@but.pl>

Hello....

These ICMP packets may be something like the RST and ACK packets sent from
random hosts on the internet... We were working on them several months ago
with lcamtuf, who created a special project called WTF and has written a tool
for analyzing these packets, based on tcpdump (Passive OS Fingerprinting =
p0f)...

Tool location: http://lcamtuf.coredump.cx/soft/p0f.tgz
Project info: http://lcamtuf.coredump.cx/wtf/

greets...

0x78666572

#$@#$@@%%%#&# [xfer][Hubert Pasternak] @#@!$#@!$^#$
$% [E-Mail: xfer@hert.org][Mobile: +48609928174] $#
##$% [ EP BUT Ltd. Network Security Specialist] #$@

On Mon, 29 Oct 2001, Johannes Verelst wrote:

> Hi,
>
> Today, my icmplogd showed that I was being pinged from a lot of different
> hosts. I got curious, because this is quite unusual on my machine, so I
> started a little investigation.
>
> First of all, the IPs all ping within the same second (syslog can't
> measure more accurately than that). There are several 'sweeps', ranging from
> 4 to 6 icmp_echo's. These sweeps started around one month ago, but with
> very low intensity. During the month the intensity went up.
>
> I took one of the IPs and looked up the owner of the netblock. Pasting
> this into google gave a very interesting thread on the Snort-users
> mailing list:
> http://archives.neohapsis.com/archives/snort/2000-11/0366.html. The most
> interesting part: this happened exactly 11 months ago, 28 November 2000.
> The list of hosts mentioned is partly the same as the IPs that I see,
> more specifically:
>
> 208.185.54.14
> 204.176.88.5
> 207.235.98.194
>
> I have ICMP-fingerprinted the hosts with the utility xprobe, all of them
> gave the following OS fingerprint:
> Linux 2.2.x/2.4.5+ kernel
>
> except for two IPs:
> 204.176.88.5, h-213.61.6.2.host.de.colt.net
>
> These IPs give the following fingerprint:
> FINAL:[ 3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38
> Nokia IPSO 3.2-2.3.1 releng 783-849
> Ricoh Aficio AP4500 Network Laster Printer
> Linux 2.0.x/2.2.x/2.4.x
> Shiva AccessPort Bridge/Router Software V.2.1.0 ]
>
> Those IPs also have port 80 open. A small HEAD gives:
> HTTP/1.0 200 OK
> Date: Mon, 29 Oct 2001 14:52:48 GMT
> Server: swcd/4.0.0003
> Connection: close
>
> So, does anybody know what this is? The strange thing is that almost a
> year ago (exactly 11 months) somebody got exactly the same 'probes'.
> Strangely enough, no tcp connections are made (I usually have udp logging
> disabled because there's a _lot_ of UDP traffic. I enabled it now to see
> if anything is happening). If anybody has any suggestions of how to be
> more paranoid, please let me know.
>
> Kind regards,
>
> Johannes Verelst
> --
> Unix is simple. It just takes a genius to understand its simplicity
> Make it idiot proof, and someone will make a better idiot.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
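The pattern Johannes describes (several distinct hosts sending echo requests within the same second, in sweeps of 4 to 6, with partly the same addresses recurring) is easy to pull out of syslog mechanically. The following is an added example, not code from either poster or from p0f/xprobe; the log line format is an assumption (icmplogd's real format may differ) and the addresses are constructed documentation-range values.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed syslog-style icmplogd format.
# Two sweeps (4 and 6 distinct hosts in one second) plus one host that
# pings twice in the same second, which must NOT count as a sweep.
SAMPLE_LOG = """\
Oct 29 14:51:02 host icmplogd: ping from 192.0.2.10
Oct 29 14:51:02 host icmplogd: ping from 192.0.2.11
Oct 29 14:51:02 host icmplogd: ping from 198.51.100.20
Oct 29 14:51:02 host icmplogd: ping from 203.0.113.30
Oct 29 14:52:48 host icmplogd: ping from 192.0.2.10
Oct 29 14:52:48 host icmplogd: ping from 192.0.2.11
Oct 29 14:52:48 host icmplogd: ping from 198.51.100.20
Oct 29 14:52:48 host icmplogd: ping from 203.0.113.30
Oct 29 14:52:48 host icmplogd: ping from 203.0.113.31
Oct 29 14:52:48 host icmplogd: ping from 203.0.113.32
Oct 29 14:53:10 host icmplogd: ping from 198.51.100.99
Oct 29 14:53:10 host icmplogd: ping from 198.51.100.99
"""

# Assumed format: syslog timestamp, hostname, "icmplogd: ping from <ip>".
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ icmplogd: ping from (\S+)")

def parse(log):
    """Yield (timestamp, source ip) for every line matching the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def find_sweeps(log, min_sources=4):
    """Seconds in which at least min_sources DISTINCT hosts sent an echo request.
    Returns [(timestamp, sorted source list)] in time order; a single host
    repeating itself within one second is ignored via the set."""
    by_second = defaultdict(set)
    for ts, src in parse(log):
        by_second[ts].add(src)
    return [(ts, sorted(s)) for ts, s in sorted(by_second.items())
            if len(s) >= min_sources]

def recurring_sources(sweeps):
    """Hosts seen in more than one sweep: the 'partly the same IPs' observation."""
    count = defaultdict(int)
    for _, srcs in sweeps:
        for s in srcs:
            count[s] += 1
    return sorted(s for s, n in count.items() if n > 1)

if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG)
    for ts, srcs in sweeps:
        print(f"{ts}: {len(srcs)} hosts: {', '.join(srcs)}")
    print("recurring across sweeps:", recurring_sources(sweeps))
```

Running it against a month of logs (with the regex adapted to the real icmplogd format) also gives the intensity trend over time, simply by counting sweeps per day.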
