Re: ICMP question

From: Fernando Gont (fernando_at_gont.com.ar)
Date: 03/20/04

    Date: Fri, 19 Mar 2004 22:59:22 -0300
    To: cc <cc@belfordhk.com>, Security Basics <security-basics@securityfocus.com>
    
    

    At 11:46 19/03/2004 +0800, cc wrote:

    >My firewall has been receiving an inordinate amount of ICMP
    >pings from external systems.

    All systems from the same network, or what?

    >The strange thing about this
    >is that the ICMP packets coming to my firewall are actually
    >ICMP responses and not requests.

    This is usual for smurf attacks.

    >I've looked at the logs (snort) and noticed that some
    >of these pings originate from *.cirn.net. Has anyone
    >heard of this network?

    Have a look at http://www.dshield.org, maybe they have.

    >And then, some of these pongs contains a payload
    >which has the message "Please help me, matrix catch me".
    >I've been googling and couldn't find anything.
    >Does anyone have any idea what this ping response
    >might be? A bot?

    It depends on the amount of traffic, where all the packets come from, and
    any other pattern the packets may have.

    --
    Fernando Gont
    e-mail: fernando@gont.com.ar || fgont@acm.org
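
One way to sort the traffic along the lines raised in this reply (volume, sources, shared patterns), as an added example that is not part of the original message: it flags ICMP echo replies that match no outbound echo request and groups them by source network and payload. The record layout, addresses (documentation ranges) and sample packets are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample records, not taken from the original post:
# (timestamp_s, src_ip, dst_ip, icmp_type, icmp_id, icmp_seq, payload)
FIREWALL = "192.0.2.1"
PACKETS = [
    (0.0, FIREWALL, "198.51.100.7", 8, 0x1A2B, 1, b"abcdefgh"),  # our own ping
    (0.1, "198.51.100.7", FIREWALL, 0, 0x1A2B, 1, b"abcdefgh"),  # its reply
    (5.0, "203.0.113.10", FIREWALL, 0, 0x0200, 7, b"\x00" * 32),
    (5.1, "203.0.113.11", FIREWALL, 0, 0x0200, 7, b"\x00" * 32),
    (5.2, "203.0.113.12", FIREWALL, 0, 0x0200, 7, b"\x00" * 32),
    (9.0, "198.51.100.99", FIREWALL, 0, 0x0300, 1,
     b"Please help me, matrix catch me"),
]

ECHO_REPLY, ECHO_REQUEST = 0, 8


def unsolicited_replies(packets, local_ip, window=10.0):
    """Return echo replies sent to local_ip that answer no request it sent."""
    pending = {}  # (peer, id, seq) -> time our echo request left
    orphans = []
    for ts, src, dst, typ, ident, seq, payload in sorted(packets, key=lambda p: p[0]):
        if typ == ECHO_REQUEST and src == local_ip:
            pending[(dst, ident, seq)] = ts
        elif typ == ECHO_REPLY and dst == local_ip:
            sent = pending.pop((src, ident, seq), None)
            # No request on record, or the reply arrived too late to be ours.
            if sent is None or ts - sent > window:
                orphans.append((ts, src, payload))
    return orphans


def summarize(orphans, prefix=24):
    """Count orphan replies per source network and per distinct payload."""
    by_net, by_payload = Counter(), Counter()
    for _, src, payload in orphans:
        by_net[str(ip_network(f"{src}/{prefix}", strict=False))] += 1
        by_payload[payload] += 1
    return by_net, by_payload


if __name__ == "__main__":
    nets, payloads = summarize(unsolicited_replies(PACKETS, FIREWALL))
    for net, count in nets.most_common():
        print(f"{net:20} {count} unsolicited echo replies")
    for payload, count in payloads.most_common():
        print(f"{count:3} x {payload[:40]!r}")
```

Many replies from many hosts that share one ID/sequence or payload point to reflected traffic where the firewall's address was used as the spoofed source; a single source with a distinctive payload is a separate pattern worth tracking on its own.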
