
Re: distributed-ping-attack test?



On Sun, May 13, 2001 at 11:03:58PM -0400, Paul Tod Rieger wrote:
> I noticed a distributed "attack" and wondered, Who can I
> report this to when there are so many machines without
> names being used as "zombies"?  And you folks came to mind.

CERT, and, if any of the blocks are owned by .gov or .mil, CIAC and
the FBI.

> Quite a few of the IPs end in 3, 2, or 1 -- maybe they're
> routers?

Nah... there's no explaining numbering...

> Anyway, I find it rather entertaining, and for those who
> share my perverse sense of entertainment, I've put the
> unedited log entries at:

I'd at least send the logs to CERT. A lot of those numbers look
familiar, mostly from my recent bouts with the 'far east'. You
should see a lot more than just pings. 

Tim

> http://www.abl.com/opt/pings.txt
> 
> Tod
> abl.com
> 
> 
> May 13 18:43:09 www icmplogd: ping from [206.112.91.2]
> May 13 18:43:14 www icmplogd: ping from [208.45.133.3]
> May 13 18:43:15 www icmplogd: ping from virginia1.rb.adero.net [168.143.224.18]
> May 13 18:43:20 www icmplogd: ping from [63.240.8.4]
> May 13 18:43:33 www icmplogd: ping from [4.17.150.77]
> May 13 18:43:38 www icmplogd: ping from [63.209.38.3]
> May 13 18:43:49 www icmplogd: ping from [216.52.142.3]
> May 13 18:43:50 www icmplogd: ping from [64.240.25.3]
> May 13 18:44:07 www icmplogd: ping from [209.58.101.3]
> May 13 18:44:13 www icmplogd: ping from [212.78.162.3]
> May 13 18:44:13 www icmplogd: ping from [216.219.72.3]
> May 13 18:44:13 www icmplogd: ping from [195.7.62.3]
> May 13 18:44:14 www icmplogd: ping from [193.173.76.2]
> May 13 18:44:14 www icmplogd: ping from [195.68.80.1]
> May 13 18:44:33 www icmplogd: ping from [212.31.226.3]
> May 13 18:44:38 www icmplogd: ping from [195.54.95.3]
> May 13 18:44:42 www icmplogd: ping from [193.45.6.135]
> May 13 18:44:42 www icmplogd: ping from [213.11.3.2]
> May 13 18:44:57 www icmplogd: ping from [212.35.98.3]
> May 13 18:45:29 www icmplogd: ping from [194.133.52.3]
> May 13 18:45:35 www icmplogd: ping from [212.23.226.3]
> May 13 18:45:35 www icmplogd: ping from [195.191.163.2]
> May 13 18:45:35 www icmplogd: ping from [193.65.199.3]
> May 13 18:45:50 www icmplogd: ping from [212.0.102.3]
> May 13 18:45:50 www icmplogd: ping from Teleglobe.net [216.6.32.3]
> May 13 18:45:51 www icmplogd: ping from [210.175.183.8]
> May 13 18:45:56 www icmplogd: ping from co-location.adero-C1.iAsiaWorks.ne.kr [210.180.22.3]
> May 13 18:45:57 www icmplogd: ping from wellington1.rb.adero.net [203.79.87.3]
> May 13 18:46:02 www icmplogd: ping from [202.132.82.1]
> May 13 18:46:03 www icmplogd: ping from [216.72.192.2]
> May 13 18:46:11 www icmplogd: ping from [203.208.137.121]
> May 13 18:46:16 www icmplogd: ping from [203.111.108.3]
> May 13 18:46:20 www icmplogd: ping from [203.126.212.130]
> May 13 18:46:21 www icmplogd: ping from [202.167.98.2]
> May 13 18:46:21 www icmplogd: ping from [210.192.104.131]
> May 13 18:46:22 www icmplogd: ping from [210.192.103.2]
> [starts repeating]
> May 13 18:46:22 www icmplogd: ping from [206.112.91.2]
> May 13 18:46:22 www icmplogd: ping from virginia1.rb.adero.net [168.143.224.18]
> May 13 18:46:22 www icmplogd: ping from [63.240.8.4]
> May 13 18:46:27 www icmplogd: ping from [208.45.133.3]
> [continues until]
> May 13 19:04:38 www icmplogd: ping from [202.167.98.2]
> May 13 19:04:38 www icmplogd: ping from [210.192.104.131]
> May 13 19:04:38 www icmplogd: ping from [210.192.103.2]
> 
> [then starts up again, but with only 7 machines]
> May 13 19:23:44 www icmplogd: ping from [63.209.38.3]
> May 13 19:23:53 www icmplogd: ping from [216.139.209.6]
> May 13 19:24:14 www icmplogd: ping from [206.86.106.3]
> May 13 19:24:18 www icmplogd: ping from [216.91.63.3]
> May 13 19:24:18 www icmplogd: ping from [213.11.3.2]
> May 13 19:24:18 www icmplogd: ping from [210.192.104.131]
> May 13 19:24:18 www icmplogd: ping from [216.72.192.2]
> [for less than 2 minutes]
> May 13 19:24:59 www icmplogd: ping from [63.209.38.3]
> May 13 19:25:04 www icmplogd: ping from [216.139.209.6]
> May 13 19:25:14 www icmplogd: ping from [206.86.106.3]
> May 13 19:25:14 www icmplogd: ping from [216.91.63.3]
> May 13 19:25:14 www icmplogd: ping from [213.11.3.2]
> May 13 19:25:14 www icmplogd: ping from [210.192.104.131]
> May 13 19:25:14 www icmplogd: ping from [216.72.192.2]
> 
> 

-- 
Tim Sailer <sailer@bnl.gov> 
Cyber Security Operations
Brookhaven National Laboratory  (631) 344-3001
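
Added example, not part of the original thread: one way to summarize an icmplogd log like the one quoted above before forwarding it to a response team, by splitting it into bursts and tallying distinct sources and their last octets. The sample lines are constructed with documentation-range addresses; the 5-minute quiet gap and the year argument (syslog lines omit the year) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the icmplogd syslog format quoted in the thread.
# Addresses come from documentation ranges (RFC 5737), not from the post.
SAMPLE = """\
May 13 18:43:09 www icmplogd: ping from [192.0.2.3]
May 13 18:43:14 www icmplogd: ping from [198.51.100.3]
May 13 18:43:15 www icmplogd: ping from probe1.example.net [203.0.113.18]
May 13 18:43:20 www icmplogd: ping from [192.0.2.3]
May 13 18:43:25 www icmplogd: ping from [198.51.100.3]
May 13 19:23:44 www icmplogd: ping from [198.51.100.3]
May 13 19:23:53 www icmplogd: ping from [203.0.113.2]
some unrelated line
"""

# Optional reverse-DNS name, then the bracketed source address.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ icmplogd: ping from "
                  r"(?:(\S+) )?\[(\d+\.\d+\.\d+\.\d+)\]$")

def parse(text, year=2001):
    """Yield (timestamp, source_ip) for each icmplogd ping line; skip others."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # syslog omits the year, so the caller supplies it (assumption)
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3)

def summarize(text, gap=timedelta(minutes=5)):
    """Group pings into bursts split by quiet gaps; tally sources and last octets."""
    events = sorted(parse(text))
    bursts = []
    for ts, ip in events:
        if not bursts or ts - bursts[-1]["end"] > gap:
            bursts.append({"start": ts, "end": ts, "hits": Counter()})
        bursts[-1]["end"] = ts
        bursts[-1]["hits"][ip] += 1
    # Count each distinct source once, so repeat pingers do not skew the tally.
    last_octets = Counter(ip.rsplit(".", 1)[1] for ip in {ip for _, ip in events})
    return bursts, last_octets

if __name__ == "__main__":
    bursts, octets = summarize(SAMPLE)
    for b in bursts:
        print(b["start"], "to", b["end"], "-", len(b["hits"]), "sources,",
              sum(b["hits"].values()), "pings")
    print("last octets of distinct sources:", dict(octets))
```
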


