mailing list archives
From: "Steve Crapo" <CrapoS () dor state fl us>
Date: Wed, 29 Dec 2004 17:49:29 -0500
Leif had some good points, and I would add that if have or you capture
some of the ICMP packets, look at the IP header and read the TTL value.
This will usually tell you how many routers the packet has crossed to
reach you. Caveats to this are some people configure their firewall not
to decrement the TTL value (this shouldn't throw your count off by much)
and if someone is spoofing the source address, they may very well use a
random TTL as well in their forged packet to throw people off.
Assuming this is not the case, you can then attempt to ping/trace route
back to them and see if the number of routers you cross to reach them
matched the number they took to reach you (you may need serveral
attempts at this to see if and how much variation in routes that you
take to get to them).
Most OS will use starting TTL with 32 (various *nix), 64 (various
*nix), 128 (most windows), 255 (Cisco, various *nix) although this
setting can be changed in most OS settings manually. This will also give
you a chance to (maybe) ID the OS of the sender, assuming they are not
attempting to mask it (botnets and viruses usually don't, hackers may be
more likely, in my experience).
If the TLL match in both directions, it may (grain of salt) not be
spoofed. If the TTL do not match is probably is (grain of salt)
Also you can look at the values of IP identification field, don't
fragment bit and ICMP identifier, sequence numbers and also the number
by which it increments by as clues for the senders OS. Google "OS
fingerprinting" and you can find many articles on that.
a good starting point.
What is the size of the packet? Is it 64K or large like 1500K or so?
What is the ICMP type and code, you may have to look at the hex dump at
offset 22 and 21 (assuming no IP options and ethernet2 frame type).
Type 8, code 0 is ICMP echo request
Type 0, code 0 is the ICMP reply
Some backdoors and DDoS tools use echo replies to send data. Are you
logging / monitoring outbound traffic as well?
Also look for a pattern in the frequency and timing in the source and
destination address. Do they seem to target one or two of your hosts or
networks, or does seem to be scanning the whole range in sequence or
random order? What other traffic is coming from or going to the sites
that are originating the ICMP traffic?
I would not be overly concerned about it, unless it is hurting your
bandwidth or system utilizations, but it is worth looking into.
cc <cc () belfordhk com> 12/23/2004 9:09:32 PM >>>
I've been monitoring my firewall logs, via. snort and ACID and
have noticed that I've been getting a lot of pings from
different IP addresses, but most from the 'pnap.net'
network. Between "Undefined Code" (as stated in Snort)
to the Ping that contains "Please Help Me. matrix catch me"
packet. Now I've shut down the ICMP capabilities; that
is, I've set my firewall to drop ICMPs.
My question is, has anyone received any of such pings
from the 'pnap.net' network? I've done some
basic checks on the particular IPs from this domain,
and since I'm quite a neophyte in the security business,
I don't know whether the source is spoofed or not.
Should I even be concerned about these pings?
Any help/advice appreciated.
And a Very Safe and Merry Christmas to you all!
- pings cc (Dec 28)
- <Possible follow-ups>
- Re: pings Steve Crapo (Dec 30)