
Re: Ping Flood - whats is mean when ....



Marcin Bednarz <mbednarz@student.uci.agh.edu.pl> writes:
> 
> I was recently receiving very many of Ping Flood.
> In my logs:
> ....... kernel: PING Flood IN=eth1 OUT= .......

It's most likely an attack.

It could be a single machine sending packets with random, forged
source IP addresses.  Or, it could be several machines---cracked by
the attacker---that have *all* been directed to do this.

Alternatively, it may be a so-called "smurf" attack.  This is where
someone sends ping requests to broadcast addresses forged as if they
came from your machine.  The broadcast addresses are directed to
networks of machines that are misconfigured to respond to broadcast
pings.  As a result, the attacker can send one ping request and
generate 50 or 60 packets of replies (which go to you because of the
forged source address of the request).  By pinging several of these
misconfigured networks at a reasonable rate, the attacker hopes to
overwhelm your host without a traffic burden on his or her end.

Try to google for "smurf" or "smurf attack", or take a look at:

        http://www.cert.org/advisories/CA-1998-01.html

for more information.  In particular, see the section titled
"Solutions for the Victim".

Note that the messages you are seeing are rate-limited---after the
first burst, they should appear at a maximum rate of once every 20
minutes or so.  You'll need to run "tcpdump" or a similar packet
dumping utility to see them all.  Then you'll be able to figure out
the rate they're coming in and whether the addresses look totally
random (in which case it's probably one of the first two kinds of
attack) or come from the same networks over and over (in which case
it's probably a smurf attack).

The bottom line is that you'll probably need to notify your upstream
provider (in this case, your university IT people) and have them
investigate.

-- 
Kevin Buhr <buhr@telus.net>
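The triage Kevin describes above (dump the ICMP traffic, work out the packet rate, then see whether sources look random or keep coming from the same few networks) can be scripted. The following is an added example, not code from the original post or from the Debian project: it parses lines in the format printed by "tcpdump -n icmp" and applies a simple concentration heuristic (the 80% / top-three-networks threshold is this example's own assumption, not a rule stated in the message). The two captures embedded in it are constructed, not real traffic.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches the echo request/reply lines that "tcpdump -n icmp" prints, e.g.
# 12:00:00.000100 IP 198.51.100.1 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply)"
)

# Constructed sample: replies arriving from two /24s over and over (smurf pattern).
SMURF_SAMPLE = """\
12:00:00.000000 IP 198.51.100.1 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64
12:00:00.100000 IP 198.51.100.2 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64
12:00:00.200000 IP 198.51.100.3 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64
12:00:00.300000 IP 192.0.2.10 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64
12:00:00.400000 IP 192.0.2.11 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64
12:00:00.500000 IP 198.51.100.4 > 203.0.113.9: ICMP echo reply, id 7, seq 2, length 64
12:00:00.600000 IP 198.51.100.5 > 203.0.113.9: ICMP echo reply, id 7, seq 2, length 64
12:00:00.700000 IP 192.0.2.12 > 203.0.113.9: ICMP echo reply, id 7, seq 2, length 64
12:00:00.800000 IP 198.51.100.6 > 203.0.113.9: ICMP echo reply, id 7, seq 2, length 64
12:00:00.900000 IP 192.0.2.13 > 203.0.113.9: ICMP echo reply, id 7, seq 2, length 64
12:00:00.950000 IP 203.0.113.9.22 > 198.51.100.1.40000: Flags [S.], seq 1, length 0
"""

# Constructed sample: echo requests with sources scattered across ten different /24s
# (what forged random sources, or many compromised hosts, look like).
RANDOM_SAMPLE = "".join(
    f"12:00:01.{i:02d}0000 IP 100.64.{i}.5 > 203.0.113.9: ICMP echo request, id 1, seq {i}, length 1480\n"
    for i in range(1, 11)
)


def parse_icmp(text):
    """Return (seconds_since_midnight, src, kind) for each ICMP echo line in tcpdump output."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TCP/UDP lines and anything else are ignored
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        pkts.append((t, m["src"], m["kind"]))
    return pkts


def summarize(pkts, prefix=24, concentration=0.8):
    """Packet rate, source spread and a verdict for a list of parsed packets.

    Heuristic (this example's assumption): if the three busiest /24s carry at
    least `concentration` of the packets, the traffic is coming from the same
    networks over and over, i.e. smurf-like; otherwise the sources look random
    or widely distributed.
    """
    if not pkts:
        return {"packets": 0, "verdict": "no ICMP echo traffic"}
    times = [t for t, _, _ in pkts]
    span = max(times) - min(times)
    rate = len(pkts) / span if span > 0 else float(len(pkts))
    nets = Counter(str(ip_network(f"{src}/{prefix}", strict=False)) for _, src, _ in pkts)
    kinds = Counter(kind for _, _, kind in pkts)
    top3 = sum(n for _, n in nets.most_common(3))
    if top3 / len(pkts) >= concentration:
        verdict = "smurf-like: a few networks account for most packets"
    else:
        verdict = "random/forged or distributed sources"
    return {
        "packets": len(pkts),
        "rate_pps": round(rate, 1),
        "distinct_sources": len({src for _, src, _ in pkts}),
        "distinct_networks": len(nets),
        "top_networks": nets.most_common(3),
        "kinds": dict(kinds),  # smurf traffic arrives as replies, a direct flood as requests
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Usage on a live box would be: tcpdump -n -l icmp | python3 this_script.py
    for name, sample in (("smurf", SMURF_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, summarize(parse_icmp(sample)))
```

The "kinds" counter is a useful cross-check: in a smurf attack the victim sees echo replies it never asked for, while a direct flood (single forging host or a set of cracked machines) shows up as echo requests. Either way the rate and the source list are what the upstream provider will want when you report it.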

