Security Incidents mailing list archives

Ping flood IPs
From: Andre Kajita - Administrador da Rede <admin () CAMARASJC SP GOV BR>
Date: Wed, 29 Nov 2000 08:08:11 -0200

Greets,

Thanks to the tip from Joe Stewart I resolved all the hostnames -
something I don't normally do as a reverse lookup can reveal that
someone is looking you up - and found a testshelf-2.atl.pnap.net, a
few hosts from speedera.net/.com, one that gave host.domain.com and a
few that resolved back to Teleglobe.net.

According to the URL that Joe noted,
http://www.sans.org/y2k/102500.htm, and his quote:
"They're using coordinated pings from their nameservers to everyone
else's nameservers to determine the best routes for their network, and
triggering everyone's IDS in the process."  I guess that's what I was
hit by - the targeted host is my main DNS server (my secondary was not
hit, yet) and it all fits together nice and snug, false alarm I guess.

I've attached the IPs (gzipped) that I was hit from if anyone wants to
take a look, I didn't publish them in the first place to avoid
revealing compromised machines but since that's apparently not the
case - have fun!

Andre.
--
Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br>
Camara Municipal de Sao Jose dos Campos - SP
http://www.camarasjc.sp.gov.br

Attachment: pinged.txt.gz