Security Incidents mailing list archives

Spoofed (?) BSD Pings


From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Mon, 27 Nov 2000 11:07:40 -0800

I stood Snort up on our LAN a couple of weeks ago, and immediately noticed
what I thought was an odd alert. At various times throughout the day Snort
would log a series of BSD pings all directed to the PDC, coming in at
essentially the same time, and from many different addresses.

Being aware of the -D switch in nmap, I suspected this was something
similar. However, I found it very odd that someone would go through so much
effort to hide where they are pinging from. I would not necessarily find a
single ping coming into our subnet to be suspicious, but to see a dozen
coming in at once, from different IPs and all with the same TTL, uh, that
sets off an alarm. I have tried pinging back once after I saw this, and all
addresses were up and all had a reasonable TTL.

Up until this morning, all of the pings were directed at our PDC, but today
(shortly after another ping on the PDC) I got the first recorded set
directed to our Exchange Server.

I'm including the Snort alerts and packet information at the end of this
message. Any information as to what is going on here would be appreciated.

Thanks!

[**] IDS152 - PING BSD [**]
11/27-07:58:25.887323 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
205.158.108.194 -> X.X.X.131 ICMP TTL:52 TOS:0x0 ID:57062
ID:411   Seq:63855  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:25.930132 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
209.240.77.130 -> X.X.X.131 ICMP TTL:49 TOS:0x0 ID:14205
ID:16031   Seq:33895  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:25.933852 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
64.27.29.2 -> X.X.X.131 ICMP TTL:51 TOS:0x0 ID:48576
ID:10381   Seq:42474  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:25.951254 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
216.117.57.66 -> X.X.X.131 ICMP TTL:50 TOS:0x0 ID:60244
ID:411   Seq:11252  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:25.972395 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
216.52.195.230 -> X.X.X.131 ICMP TTL:50 TOS:0x0 ID:182
ID:15953   Seq:52507  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.007851 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
216.52.125.38 -> X.X.X.131 ICMP TTL:51 TOS:0x0 ID:17102
ID:27951   Seq:1505  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.031195 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
216.52.189.26 -> X.X.X.131 ICMP TTL:51 TOS:0x0 ID:18653
ID:28442   Seq:13552  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.135822 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
63.251.143.2 -> X.X.X.131 ICMP TTL:47 TOS:0x0 ID:62812
ID:4905   Seq:49726  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.137062 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
213.174.196.130 -> X.X.X.131 ICMP TTL:39 TOS:0x0 ID:24934
ID:30168   Seq:14047  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.144037 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
203.197.88.130 -> X.X.X.131 ICMP TTL:47 TOS:0x0 ID:36519
ID:17004   Seq:59697  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.172749 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
202.132.53.2 -> X.X.X.131 ICMP TTL:48 TOS:0x0 ID:29763
ID:12674   Seq:24591  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.282101 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
210.192.104.66 -> X.X.X.131 ICMP TTL:48 TOS:0x0 ID:60043
ID:15967   Seq:43377  ECHO

[**] IDS118 - MISC-Traceroute ICMP [**]
11/27-08:08:10.422142 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x42
204.29.239.23 -> X.X.X.131 ICMP TTL:1 TOS:0x0 ID:57856
ID:55747   Seq:3584  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.859191 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
209.68.217.194 -> X.X.X.134 ICMP TTL:56 TOS:0x0 ID:2381
ID:14573   Seq:51156  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.899269 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
206.190.24.162 -> X.X.X.134 ICMP TTL:46 TOS:0x0 ID:62924
ID:2830   Seq:43118  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.932693 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
208.185.109.130 -> X.X.X.134 ICMP TTL:47 TOS:0x0 ID:18945
ID:17476   Seq:28661  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.964065 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
204.71.35.136 -> X.X.X.134 ICMP TTL:48 TOS:0x0 ID:63234
ID:27172   Seq:46869  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.965349 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
216.148.216.2 -> X.X.X.134 ICMP TTL:51 TOS:0x0 ID:2425
ID:28168   Seq:17493  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.966703 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
208.185.54.14 -> X.X.X.134 ICMP TTL:49 TOS:0x0 ID:35325
ID:13788   Seq:23427  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.975908 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
207.230.26.34 -> X.X.X.134 ICMP TTL:41 TOS:0x0 ID:60451
ID:411   Seq:32304  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.977217 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
207.235.98.194 -> X.X.X.134 ICMP TTL:47 TOS:0x0 ID:52781
ID:20648   Seq:5837  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.986763 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
63.140.72.3 -> X.X.X.134 ICMP TTL:47 TOS:0x0 ID:3646
ID:411   Seq:22092  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:47.015983 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
64.245.120.2 -> X.X.X.134 ICMP TTL:54 TOS:0x0 ID:49159
ID:13897   Seq:61624  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:47.039390 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
212.31.251.66 -> X.X.X.134 ICMP TTL:47 TOS:0x0 ID:15102
ID:27092   Seq:17295  ECHO

[**] IDS152 - PING BSD [**]
11/15-15:50:41.120660 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
210.192.104.66 -> X.X.X.131 ICMP TTL:48 TOS:0x0 ID:29213
ID:15967   Seq:46870  ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS152 - PING BSD [**]
11/27-07:58:26.282101 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
210.192.104.66 -> X.X.X.131 ICMP TTL:48 TOS:0x0 ID:60043
ID:15967   Seq:43377  ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I could continue with more of these, but I think that should be enough for
now... :)
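The pattern the poster describes (echo requests to one host from many unrelated sources within a fraction of a second) is easy to miss when reading alerts one at a time, but simple to surface by clustering them. The script below is an added example, not code from the original post or from Snort: it parses alert records in the text layout shown above (the "[**] sig [**]" header, timestamp line, IP line and ICMP ID/Seq line), skips hex dumps and "=+=+" separators, clusters ICMP echo alerts per destination by time gap, and reports clusters that contain at least a threshold number of distinct source addresses together with their TTL spread. The embedded log lines are constructed samples using RFC 5737 documentation addresses, not the addresses from the post; the thresholds (`max_gap`, `min_sources`) are assumptions to tune for your own network.

```python
"""Burst detector for Snort ICMP echo alerts in the "[**] sig [**]" text format.

Added example for this thread; not code from the original post or from Snort.
Clusters echo alerts per destination and reports clusters with many distinct
source addresses, which is the pattern the poster saw against the PDC.
"""
import re
from collections import defaultdict, namedtuple

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
TIME_RE = re.compile(r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})")
IP_RE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\w.]+) ICMP TTL:(?P<ttl>\d+)")
ICMP_RE = re.compile(r"^ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<type>\w+)")

Alert = namedtuple("Alert", "sig ts src dst ttl icmp_id seq")
Burst = namedtuple("Burst", "dst start end sources ttl_range")

# Constructed sample records in the post's Snort layout; all addresses are
# RFC 5737 documentation ranges, not the addresses from the post.
SAMPLE_ALERTS = """\
[**] IDS152 - PING BSD [**]
11/27-07:58:25.887323 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
198.51.100.10 -> 192.0.2.131 ICMP TTL:52 TOS:0x0 ID:57062
ID:411   Seq:63855  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:25.930132 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
198.51.100.22 -> 192.0.2.131 ICMP TTL:49 TOS:0x0 ID:14205
ID:16031   Seq:33895  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:25.933852 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
203.0.113.2 -> 192.0.2.131 ICMP TTL:51 TOS:0x0 ID:48576
ID:10381   Seq:42474  ECHO

[**] IDS152 - PING BSD [**]
11/27-07:58:26.135822 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x62
203.0.113.66 -> 192.0.2.131 ICMP TTL:47 TOS:0x0 ID:62812
ID:4905   Seq:49726  ECHO

[**] IDS118 - MISC-Traceroute ICMP [**]
11/27-08:08:10.422142 0:50:73:8:7B:6C -> 0:0:C0:7:E:DB type:0x800 len:0x42
203.0.113.23 -> 192.0.2.131 ICMP TTL:1 TOS:0x0 ID:57856
ID:55747   Seq:3584  ECHO

[**] IDS152 - PING BSD [**]
11/27-08:14:46.859191 0:50:73:8:7B:6C -> 0:20:78:11:89:3A type:0x800 len:0x62
198.51.100.194 -> 192.0.2.134 ICMP TTL:56 TOS:0x0 ID:2381
ID:14573   Seq:51156  ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""


def _seconds(d):
    """Timestamp as seconds; month/day are folded in because the log has no year."""
    return ((int(d["mon"]) * 31 + int(d["day"])) * 86400 + int(d["h"]) * 3600
            + int(d["m"]) * 60 + int(d["s"]) + int(d["us"]) / 1e6)


def parse_alerts(text):
    """Return an Alert for every complete ICMP ECHO record in the alert text."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER_RE.match(line)):
            cur = {"sig": m.group("sig")}          # start of a new record
        elif cur is None:
            continue                               # hex dump / separator noise
        elif (m := TIME_RE.match(line)):
            cur["ts"] = _seconds(m.groupdict())
        elif (m := IP_RE.match(line)):
            cur.update(src=m.group("src"), dst=m.group("dst"), ttl=int(m.group("ttl")))
        elif (m := ICMP_RE.match(line)):
            if m.group("type") == "ECHO" and "ts" in cur and "src" in cur:
                alerts.append(Alert(cur["sig"], cur["ts"], cur["src"], cur["dst"],
                                    cur["ttl"], int(m.group("id")), int(m.group("seq"))))
            cur = None                             # record complete either way
    return alerts


def find_bursts(alerts, max_gap=2.0, min_sources=4):
    """Per destination, consecutive alerts closer than max_gap seconds form one
    cluster; clusters with >= min_sources distinct sources are reported as Bursts
    with their TTL spread (thresholds are assumptions; tune for your network)."""
    by_dst = defaultdict(list)
    for a in alerts:
        by_dst[a.dst].append(a)
    bursts = []
    for dst, items in by_dst.items():
        items.sort(key=lambda a: a.ts)
        cluster = [items[0]]
        for a in items[1:] + [None]:               # trailing None flushes the last cluster
            if a is not None and a.ts - cluster[-1].ts <= max_gap:
                cluster.append(a)
                continue
            sources = sorted({x.src for x in cluster})
            if len(sources) >= min_sources:
                ttls = [x.ttl for x in cluster]
                bursts.append(Burst(dst, cluster[0].ts, cluster[-1].ts,
                                    sources, (min(ttls), max(ttls))))
            if a is not None:
                cluster = [a]
    return sorted(bursts, key=lambda b: b.start)


if __name__ == "__main__":
    for b in find_bursts(parse_alerts(SAMPLE_ALERTS)):
        print(f"{b.dst}: {len(b.sources)} sources in {b.end - b.start:.3f}s, "
              f"TTL {b.ttl_range[0]}-{b.ttl_range[1]}: {', '.join(b.sources)}")
```

Run against a full alert file, a burst report gives you the three facts the poster had to assemble by hand: which host was targeted, how many distinct sources hit it inside the window, and how widely the TTLs vary. A lone echo request (the traceroute probe and the single ping to the second host in the sample) never forms a burst, so the output stays quiet on ordinary traffic.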
