[geeks] Ping of Death

Francois Dion fdion at atriumwindows.com
Thu Feb 5 08:30:28 CST 2004


It could be one of many things, but just to name a few:
1- Social engineering - the person is trying to get some privileged 
information about your network infrastructure. Once you tell them you 
have no idea what you are talking about, they'll ask for details on your 
setup, what model router etc.
2- Advanced Hacker - somebody is using a fake IP that just happens to be 
yours (I'm assuming you have a static IP), and is intercepting the 
responses that should go back to you
3- Clueless Hacker - you are on a dynamic IP, and somebody is using the 
same ISP as you and trying to run programs like nmap and got assigned 
the IP you currently have.
4- Hardware failure - Malfunctioning equipment somewhere
5- Script kiddie - Somebody running one of those tools that does brute 
force everything, with a bit of IP spoofing for good measure. I have 
thousands of hits on my IDSes from these. Eventually you refine your 
rules to look at the bigger threats only.
6- Misconfiguration - IT pro misconfigured his IDS and is getting a 
false positive
7- so on and so forth

More than likely, it is 5 and the "IT professional" (who just finished 
his Cisco class at the local TCC) just figured out how to run OpenView 
with his IDS box or something like that and is pursuing every entry in 
the log as if they were legit attacks.

It would still be a good idea to run an IDS (any old PC with a NIC will 
do) on the outside (promiscuous stealth mode - using a hub and a read-only 
cable - I recommend running Solaris 9 x86 on it) and then get something 
simple like ntop running on one of your Solaris boxes. Then at least you 
have logs to review. Solaris also has snoop, which you could log with and then 
review if you want to try that. The ideal is to run an IDS inside and 
outside, log to a common database, and then look for patterns using 
a software package (if you pick up inbound activity both outside and 
inside, your router is compromised or not set up right).

Ciao,
Francois

Michael Schiller wrote:

> Hi All.
>
> I've got a quick question that I hope somebody can give me some
> pointers on. I got an email today saying that my machine is attacking a
> router with the ping-of-death. I'm running Sol9 on 2 machines, OSX
> 10.3.2 on 2 machines, and XP on my PC, and was wondering first off if
> this guy is telling me the truth, that my IP is in fact attacking his,
> and secondly if so, which of my machines should I check first? Oh, all
> these machines are behind a linksys cable router. Below is a part of
> his message:
>
>
>
> I am an IT professional.  Recently, one of the routers I maintain
> started logging ping of death attacks from your IP address. Below is a
> sample of the log.
>
>
> Feb/05/2004 01:47:40
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:43:24
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:41:16
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:40:13
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:39:40
>
>
> Any help with this would be appreciated, as I really haven't kept up
> with this stuff, and at the moment I'm too tired to start tearing into
> all my machines without knowing which one to look at first, and what to
> look for. Thanks!
>
>
>
> -Mike
> *-------------------------------------------------------------------*
> * PGP fingerprint= D2 4F A8 B7 13 D5 73 1E  48 99 40 99 F9 BC 74 74 *
> * Email:schiller at nospam.agrijag.com \|||/    http://www.agrijag.com *
> *                                   (o o)                           *
> *--------------------------------ooO-(_)-Ooo------------------------*
> _______________________________________________
> GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks
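Added example, not part of the thread above: a first-pass triage script that parses the router's "Ping of Death Detect" lines quoted in Mike's mail, classifies the destination address, and summarises the timing per source. The point it makes is the one a practitioner would check before tearing into every machine behind the NAT: the destination in every entry is 224.0.0.251, which is the mDNS (Rendezvous/Bonjour) multicast group inside the 224.0.0.0/24 Local Network Control Block that routers do not forward, so the OS X boxes on the poster's list are a reasonable first place to look. The sample log is constructed from the values quoted in the thread; the log format regex and the function names are this example's own assumptions, not anything the router vendor documents.

```python
"""First-pass triage of "Ping of Death Detect" router log lines (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout quoted in the thread: timestamp on its own
# line, the detect line, then "Packet Dropped". Values copied from the post;
# the trailing dangling timestamp is also as quoted.
SAMPLE_LOG = """\
Feb/05/2004 01:47:40

Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
Packet Dropped

Feb/05/2004 01:43:24

Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
Packet Dropped

Feb/05/2004 01:41:16

Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
Packet Dropped

Feb/05/2004 01:40:13

Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
Packet Dropped

Feb/05/2004 01:39:40
"""

# Assumed log format (derived from the quoted lines, not vendor documentation).
TS_RE = re.compile(r"^[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
DETECT_RE = re.compile(
    r"^(?P<sig>.+?) Detect src:(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst:(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# 224.0.0.251 is the mDNS (Bonjour/Rendezvous) group. 224.0.0.0/24 as a whole
# is the Local Network Control Block, which routers do not forward.
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")


def parse_router_log(text):
    """Return a list of event dicts, oldest first, from the router's log format."""
    events = []
    stamp = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):
            # The timestamp precedes the detect line it belongs to.
            stamp = datetime.strptime(line, "%b/%d/%Y %H:%M:%S")
            continue
        m = DETECT_RE.match(line)
        if m and stamp is not None:
            events.append({
                "time": stamp,
                "signature": m.group("sig"),
                "src": ipaddress.ip_address(m.group("src")),
                "sport": int(m.group("sport")),
                "dst": ipaddress.ip_address(m.group("dst")),
                "dport": int(m.group("dport")),
            })
    events.sort(key=lambda e: e["time"])
    return events


def classify_destination(addr):
    """Say what kind of target the destination is; multicast is the key case."""
    addr = ipaddress.ip_address(addr)
    if addr == MDNS_GROUP:
        return "mdns-multicast"
    if addr in LOCAL_CONTROL_BLOCK:
        return "link-local-multicast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def summarize(events):
    """Per-source counts, destination classes, and the gaps between hits."""
    times = [e["time"] for e in events]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {
        "sources": Counter(str(e["src"]) for e in events),
        "destinations": Counter(
            (str(e["dst"]), classify_destination(e["dst"])) for e in events
        ),
        "gap_seconds": gaps,
        # ICMP carries no ports, so a "ping" alert with src/dst ports says
        # something about the router's signature, not about ICMP.
        "has_ports": all(e["sport"] and e["dport"] for e in events),
    }


if __name__ == "__main__":
    summary = summarize(parse_router_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run as-is it reports one source, every destination classed as mdns-multicast, and gaps of 63, 128 and 256 seconds between the quoted entries, a retry rhythm rather than a flood. The has_ports flag is there as a caveat: ICMP echo has no ports, so an alert labelled "Ping of Death" that carries port numbers is a reason to doubt the router's signature before accepting that any host is sending oversized ICMP.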

