Security Incidents: Source of Recent Distributed Pings

Source of Recent Distributed Pings

From: Joe Stewart <jstewart_at_LURHQ.COM>
Date: Tue, 5 Dec 2000 05:03:38 -0500

Recently many people on incidents_at_securityfocus.com and
snort-users_at_lists.sourceforge.net have reported distributed ping "floods".
Previously these have been misattributed by myself and one other poster to
Internap/pnap.net's network as part of their "Cogitator" system for network
routing. However, after talking to their senior software engineer, and doing
some additional research, I have discovered Internap is not the source of
these packets.

The true source of the pings is Speedera.net's "Global Traffic Management"
system. It isn't a random or sequential sweep of the net; the pings only occur
when you make a DNS lookup request for one of their load-balanced cache
customers' websites. They then use the latency results of the distributed
pings to return the IP address of the cache with the fastest route to you.

For example, if you connect to any one of the below nameservers using
nslookup, and request the address for 'www.speedera.com', your IDS
should instantly pick up pings from several servers at once to your IP
address.

SERVER-0.SJOSE.UUNET.SPEEDERA.NET 204.176.88.1
SERVER-0.LONDON.EXODUS.SPEEDERA.NET 212.62.17.141
SERVER-0.STERLING.EXODUS.SPEEDERA.NET 64.14.117.6
SERVER-2.SINGAPORE.SINGTEL.SPEEDERA.NET 202.160.241.132
SERVER-3.FRANKFURT.COLT.SPEEDERA.NET 213.61.6.5
SERVER-1.SCLARA.GLOBIX.SPEEDERA.NET 209.10.58.114

Or you can just open http://www.speedera.com/solutions/gtm.html and the
pings will hit your nameserver instead.

Here is a signature for Snort that will differentiate between the Speedera
pings and hopefully most *nix pings. (Make sure to put the Speedera signature
above the *nix and BSD ping signatures in your rules file, since both will
also match.)

alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
--------------------
jstewart_at_lurhq.com
Received on Dec 06 2000
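The detection described in the post, as added example code that is not part of the original message: snort_match() performs the same test as the posted Snort rule (ICMP type 8, the eight content bytes within the first 100 payload bytes) on raw IPv4/ICMP datagrams, and correlate() flags the pattern the post attributes to the GTM system, a DNS lookup followed within seconds by echo requests from several distinct sources, which a per-packet signature alone cannot separate from ordinary *nix pings. The packet builder, the event log, and the 2-second window and 3-source threshold are constructed assumptions for illustration.

```python
import struct
# Payload bytes the posted Snort rule looks for, and its depth limit (constructed constants)
SPEEDERA_CONTENT = bytes.fromhex("38393a3b3c3d3e3f")
DEPTH = 100

def parse_icmp(pkt: bytes):
    """Return (icmp_type, icmp_payload) from a raw IPv4 datagram, or None if it is not ICMP."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if pkt[9] != 1 or len(pkt) < ihl + 8:     # protocol 1 = ICMP; ICMP header is 8 bytes
        return None
    icmp = pkt[ihl:]
    return icmp[0], icmp[8:]                  # type byte, data after the ICMP header

def snort_match(pkt: bytes) -> bool:
    """Same test as the posted rule: itype 8 and the content fully inside the first 100 payload bytes."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return False
    itype, payload = parsed
    return itype == 8 and SPEEDERA_CONTENT in payload[:DEPTH]

def build_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed sample datagram: minimal IPv4 header + ICMP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return ip + icmp + payload

def correlate(events, window=2.0, min_sources=3):
    """events: (timestamp, 'dns'|'icmp', source). Return each DNS lookup followed within
    `window` seconds by echo requests from at least `min_sources` distinct sources:
    the lookup-triggered burst the post describes, as opposed to a sweep or a lone ping."""
    hits = []
    for t_dns, kind, _ in events:
        if kind != "dns":
            continue
        sources = {src for t, k, src in events
                   if k == "icmp" and t_dns <= t <= t_dns + window}
        if len(sources) >= min_sources:
            hits.append((t_dns, sorted(sources)))
    return hits

# Constructed event log: one lookup, four pings from the nameserver hosts listed in the post, one stray ping
SAMPLE_EVENTS = [(100.0, "dns", "resolver"), (100.3, "icmp", "204.176.88.1"),
                 (100.4, "icmp", "212.62.17.141"), (100.4, "icmp", "64.14.117.6"),
                 (100.6, "icmp", "209.10.58.114"), (250.0, "icmp", "198.51.100.7")]
```

Note that a Linux-style payload (8-byte timestamp followed by bytes 0x10 upward) also contains the pattern, which is why the post says both rules match and the Speedera rule must be ordered first.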