[geeks] Ping of Death
Francois Dion
fdion at atriumwindows.com
Thu Feb 5 08:30:28 CST 2004
It could be one of many things, but just to name a few:
1- Social engineering - the person is trying to get some privileged
information about your network infrastructure. Once you tell them you
have no idea what you are talking about, they'll ask for details on your
setup, what model router etc.
2- Advanced Hacker - somebody is using a fake IP that just happens to be
yours (I'm assuming you have a static IP), and is intercepting the
responses that should go back to you.
3- Clueless Hacker - you are on a dynamic IP, and somebody using the
same ISP as you and trying to run programs like nmap got assigned
the IP you currently have.
4- Hardware failure - Malfunctioning equipment somewhere
5- Script kiddie - Somebody running one of those tools that does brute
force everything, with a bit of IP spoofing for good measure. I have
thousands of hits on my IDSes from these. Eventually you refine your
rules to look at the bigger threats only.
6- Misconfiguration - IT pro misconfigured his IDS and is getting a
false positive
7- so on and so forth
More than likely, it is 5 and the "IT professional" (who just finished
his Cisco class at the local TCC) just figured out how to run OpenView
with his IDS box or something like that and is pursuing every entry in
the log as if they were legit attacks.
It would still be a good idea to run an IDS (any old PC with a NIC will
do) on the outside (promiscuous stealth mode - using a hub and a read-only
cable - I recommend running Solaris 9 x86 on it) and then get something
simple like ntop running on one of your Solaris boxes. Then at least you
have logs to review. Solaris also has snoop, which you could log and then
review if you want to try that. The ideal is to run an IDS inside and
outside, log to a common database, and then look for patterns using
a software package (if you pick up inbound activity both outside and
inside, your router is compromised or not set up right).
Ciao,
Francois
Michael Schiller wrote:
> Hi All.
>
> I've got a quick question that I hope somebody can give me some
> pointers on. I got an email today saying that my machine is attacking a
> router with the ping-of-death. I'm running Sol9 on 2 machines, OSX
> 10.3.2 on 2 machines, and XP on my PC, and was wondering first off if
> this guy is telling me the truth, that my IP is in fact attacking his,
> and secondly if so, which of my machines should I check first? Oh, all
> these machines are behind a linksys cable router. Below is a part of
> his message:
>
>
>
> I am an IT professional. Recently, one of the routers I maintain
> started logging ping of death attacks from your IP address. Below is a
> sample of the log.
>
>
> Feb/05/2004 01:47:40
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:43:24
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:41:16
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:40:13
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:39:40
>
>
> Any help with this would be appreciated, as I really haven't kept up
> with this stuff, and at the moment I'm too tired to start tearing into
> all my machines without knowing which one to look at first, and what to
> look for. Thanks!
>
>
>
> -Mike
> *-------------------------------------------------------------------*
> * PGP fingerprint= D2 4F A8 B7 13 D5 73 1E 48 99 40 99 F9 BC 74 74 *
> * Email:schiller at nospam.agrijag.com \|||/ http://www.agrijag.com *
> * (o o) *
> *--------------------------------ooO-(_)-Ooo------------------------*
> _______________________________________________
> GEEKS: http://www.sunhelp.org/mailman/listinfo/geeks
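Francois's point 6 (a misconfigured IDS producing a false positive) can be checked directly against the router log quoted above. The following is an added example, not code from either poster: it parses log entries in the same layout as the quoted sample (the sample text below is constructed to match that layout) and flags two things a defender would want to see before tearing any machine apart. First, 224.0.0.251 falls in the 224.0.0.0/4 multicast range, so the "victim" is a multicast group, not the complaining router's own address. Second, a ping of death is an oversized ICMP echo, and ICMP carries no port numbers, so an entry that reports src and dst ports is describing UDP or TCP traffic rather than ICMP. The regex, field names and the `assess` logic are this example's own assumptions about the log format, not a documented Linksys format.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same layout as the router log quoted in the thread.
SAMPLE_LOG = """\
Feb/05/2004 01:47:40

Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
Packet Dropped

Feb/05/2004 01:43:24

Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
Packet Dropped
"""

# Assumed format: a timestamp line, then "<event> Detect src:A[:port] dst:B[:port]",
# optionally followed by "Packet Dropped". Ports are optional so ICMP-style
# entries without ports still parse.
TS_RE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$")
DETECT_RE = re.compile(
    r"^(?P<event>.+?) Detect "
    r"src:(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"dst:(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Event:
    timestamp: Optional[str]
    event: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    dropped: bool = False


def parse_log(text: str) -> List[Event]:
    """Turn the multi-line router log into a list of Event records."""
    events: List[Event] = []
    ts: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            ts = m.group(1)          # timestamp applies to the next Detect line
            continue
        m = DETECT_RE.match(line)
        if m:
            events.append(Event(
                timestamp=ts,
                event=m["event"],
                src=m["src"],
                sport=int(m["sport"]) if m["sport"] is not None else None,
                dst=m["dst"],
                dport=int(m["dport"]) if m["dport"] is not None else None,
            ))
            continue
        if line == "Packet Dropped" and events:
            events[-1].dropped = True
    return events


def assess(ev: Event) -> List[str]:
    """Reasons this entry is inconsistent with a real ping of death
    (an oversized ICMP echo request aimed at the router itself)."""
    reasons: List[str] = []
    if ipaddress.ip_address(ev.dst).is_multicast:
        reasons.append(
            f"destination {ev.dst} is a multicast group (224.0.0.0/4), "
            "not the router's own address"
        )
    if ev.sport is not None or ev.dport is not None:
        reasons.append(
            "entry carries port numbers; ICMP echo has none, so this was UDP or TCP"
        )
    return reasons


def summarize(events: List[Event]) -> Counter:
    """Count entries per (src, dst, dport): the 'look for patterns' step."""
    return Counter((e.src, e.dst, e.dport) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for flow, n in summarize(evs).items():
        print(f"{n} x {flow[0]} -> {flow[1]}:{flow[2]}")
    for reason in assess(evs[0]):
        print("suspect false positive:", reason)
```

Run against the quoted entries, every line is flagged on both counts, which is the evidence you would want before asking the "IT professional" what his IDS actually saw. The same parser, pointed at your own snoop or ntop logs from the outside sensor Francois describes, gives you the inside/outside comparison he recommends.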