DDoS help!
From: Sebastian Ip (9scki@qlink.queensu.ca)
Date: 01/26/02
From: Sebastian Ip <9scki@qlink.queensu.ca>
To: incidents@securityfocus.com
Date: Sat, 26 Jan 2002 13:06:46 -0500
Dear bugtraq,
I am under a bit of an icmp flood right now. And I really would like to hear
what more experienced people have to say about this.
I am actually experiencing nothing significant.
tcpdump shows this:
12:59:34.427801 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: icmp: echo request (frag 44560:1480@0+)
12:59:34.427801 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@50320+)
12:59:34.427801 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@51800+)
12:59:34.427801 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@53280+)
12:59:34.427801 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@54760+)
12:59:34.427801 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@56240+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@57720+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@59200+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@60680+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@62160+)
12:59:34.437800 > d226-19-71.home.cgocable.net >
ct299951-b.edgewd1.ky.home.com: (frag 43565:368@63640)
12:59:34.457799 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@1480+)
12:59:34.477797 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@2960+)
12:59:34.507795 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@4440+)
12:59:34.537793 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@5920+)
12:59:34.557791 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@7400+)
12:59:34.587789 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@8880+)
12:59:34.617787 < port90.ds1-vj.adsl.cybercity.dk >
d226-19-71.home.cgocable.net: (frag 44560:1480@10360+)
12:59:35.087752 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
icmp: echo request (frag 58961:1480@0+)
12:59:35.267739 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@1480+)
12:59:35.317735 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@2960+)
12:59:35.377731 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@4440+)
12:59:35.467724 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@5920+)
12:59:35.557717 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@7400+)
12:59:35.657710 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@8880+)
12:59:35.747703 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@10360+)
12:59:35.847696 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@11840+)
12:59:35.937689 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@13320+)
12:59:35.947689 < 12-248-194-107.client.attbi.com >
d226-19-71.home.cgocable.net: icmp: echo request (frag 56714:1480@0+)
12:59:35.957688 < 12-248-194-107.client.attbi.com >
d226-19-71.home.cgocable.net: (frag 56714:1480@1480+)
12:59:35.977687 < 12-248-194-107.client.attbi.com >
d226-19-71.home.cgocable.net: (frag 56714:1480@2960+)
12:59:35.987686 < 12-248-194-107.client.attbi.com >
d226-19-71.home.cgocable.net: (frag 56714:1480@4440+)
12:59:35.997685 < 12-248-194-107.client.attbi.com >
d226-19-71.home.cgocable.net: (frag 56714:1480@5920+)
12:59:36.037682 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@14800+)
12:59:36.127675 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@16280+)
12:59:36.217669 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@17760+)
12:59:36.317661 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@19240+)
12:59:36.407655 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@20720+)
12:59:36.507647 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net:
(frag 58961:1480@22200+)
It seems that the icmp echo request causes my machine to generate a bunch of
icmp packets at another host!
What's going on?
Thanks
Sebastian Ip
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
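
Added example, not part of the original post: a small Python parser for the fragment notation in the capture above, `(frag id:size@offset+)`, which groups fragments by direction marker, host pair and IP ID and reports how far each fragmented datagram extends. The sample lines are copied from the capture with the e-mail line wraps rejoined; the function names are this example's own.

```python
import re
from collections import defaultdict

# Capture line: "time </> src > dst: [proto text] (frag id:size@offset[+])"
# A trailing "+" means more fragments follow; no "+" marks the last fragment.
FRAG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>[^\s:]+):"
    r".*?\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

# Lines taken from the capture in the post, wrapped lines rejoined.
SAMPLE = """\
12:59:34.427801 < port90.ds1-vj.adsl.cybercity.dk > d226-19-71.home.cgocable.net: icmp: echo request (frag 44560:1480@0+)
12:59:34.437800 > d226-19-71.home.cgocable.net > ct299951-b.edgewd1.ky.home.com: (frag 43565:1480@62160+)
12:59:34.437800 > d226-19-71.home.cgocable.net > ct299951-b.edgewd1.ky.home.com: (frag 43565:368@63640)
12:59:34.457799 < port90.ds1-vj.adsl.cybercity.dk > d226-19-71.home.cgocable.net: (frag 44560:1480@1480+)
12:59:35.087752 < D5E02291.kabel.telenet.be > d226-19-71.home.cgocable.net: icmp: echo request (frag 58961:1480@0+)
"""

def parse(text):
    """Yield one dict per fragment line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield {**d, "id": int(d["id"]), "size": int(d["size"]),
                   "off": int(d["off"]), "more": d["more"] == "+"}

def summarize(text):
    """Group fragments by (direction marker, src, dst, IP ID)."""
    trains = defaultdict(lambda: {"frags": 0, "bytes": 0, "end": 0,
                                  "first": False, "last": False})
    for f in parse(text):
        t = trains[(f["dir"], f["src"], f["dst"], f["id"])]
        t["frags"] += 1
        t["bytes"] += f["size"]                        # bytes actually captured
        t["end"] = max(t["end"], f["off"] + f["size"])  # highest payload byte seen
        t["first"] |= f["off"] == 0                    # offset-0 fragment captured
        t["last"] |= not f["more"]                     # final fragment captured
    return dict(trains)

if __name__ == "__main__":
    for (direction, src, dst, ip_id), t in summarize(SAMPLE).items():
        print(f"{direction} {src} > {dst} id={ip_id} frags={t['frags']} "
              f"captured={t['bytes']}B extends_to={t['end']}B "
              f"first={t['first']} last={t['last']}")
```

When `last` is true, `end` is the full IP payload length of that datagram; for ID 43565 in the capture that is 63640 + 368 = 64008 bytes.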