RE: Distributed ICMP/UDP scan or attack?

From: Edward Beheler (edward.beheler@co.howard.in.us)
Date: 06/17/02


From: "Edward Beheler" <edward.beheler@co.howard.in.us>
To: <incidents@securityfocus.com>
Date: Mon, 17 Jun 2002 16:24:19 -0500

These scans show up on my IDS like this:

[**] [1:480:2] ICMP PING speedera [**]
[Classification: Misc activity] [Priority: 3]
06/13-08:38:18.651820 64.15.251.198 -> 63.254.234.169
ICMP TTL:50 TOS:0x0 ID:58844 IpLen:20 DgmLen:84
Type:8 Code:0 ID:39681 Seq:30247 ECHO

There is a thread discussing this issue here:
http://www.incidents.org/archives/intrusions/msg03580.html

There is an article about this here:
http://www.linuxsecurity.com/articles/firewalls_article-2064.html

Lots of information about the subject by asking google "speedera ping".

Edward Beheler
BOFH

-----Original Message-----
From: Jason Dixon [mailto:jasondixon@myrealbox.com]
Sent: Sunday, June 16, 2002 5:49 AM
To: incidents@securityfocus.com
Subject: Distributed ICMP/UDP scan or attack?

Hi all:

Please excuse me if this is a newbie question, I'm not sure how to go
about searching for answers on intrusion/scanner patterns and the like.
I noticed this series of scans/connections in my firewall log this
morning. The first thing that came to mind was the Bind 9
vulnerability, but there aren't any exploits available yet, IIRC.

As you can see, there was a series of three icmp queries followed by two
unsuccessful DNS connections. Has anyone seen this?

< Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
< Jun 15 15:48:12 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
< Jun 15 15:48:12 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp

-- 
Jason Dixon
RHCE

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
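As an added triage example (not code from either poster), the following Python script parses firewall log lines in the format quoted above and flags sources that ping the host and then query UDP/53 within a short window, which is the probe pattern the replies attribute to Speedera's CDN latency measurement. The line layout, the year (syslog lines carry none) and the 60-second window are assumptions; the sample log is a constructed subset of the lines in the thread plus one unrelated DNS query as a control.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the firewall log lines quoted in the thread,
# one event per line, plus one unrelated DNS query (10.0.0.7) as a control.
SAMPLE_LOG = """\
< Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:50:00 dc0 10.0.0.7,4000 -> x.x.x.x,53 udp
"""

# Assumed layout: "< Mon DD HH:MM:SS iface src[,sport] -> dst[,dport] proto".
LINE_RE = re.compile(
    r"^<\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?P<src>[\d.]+)(?:,\d+)?\s+->\s+[\w.]+(?:,(?P<dport>\d+))?\s+(?P<proto>\w+)$")
YEAR = 2002  # syslog lines carry no year; assumed from the thread's date

def parse(log_text):
    """Return (timestamp, src, proto, dport) tuples; dport is None for ICMP."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the assumed format
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], m["dport"]))
    return events

def find_probe_sources(events, window_s=60):
    """Map src -> (icmp_count, dns_count) for sources that pinged us and then
    queried UDP/53 within window_s seconds: the CDN probe pattern in the thread."""
    by_src = defaultdict(list)
    for ts, src, proto, dport in events:
        by_src[src].append((ts, proto, dport))
    hits = {}
    for src, evs in by_src.items():
        pings = [t for t, p, _ in evs if p == "icmp"]
        dns = [t for t, p, d in evs if p == "udp" and d == "53"]
        if pings and dns and any(0 <= (d - p).total_seconds() <= window_s
                                 for p in pings for d in dns):
            hits[src] = (len(pings), len(dns))
    return hits
```

Sources that only query DNS, or only ping, are not reported; a list of many sources all appearing within the same second, as in the log above, is the signature of a distributed measurement rather than a targeted probe.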
