[Dshield] routing 192.168...?

Daniel Cherton dcherton at aei.ca
Mon May 2 03:57:29 GMT 2005


Hi Stephane,

Yes, it's an old one; what I am concerned about is more why that address is 
showing as a source.
I doubt very much it is from inside my network since it is at 
home....and I am using another net...still...
It happened 28 times today, using the same private net I am using. I 
allow only 4 IPs on my net and the address used
for the attack is locked. I am using a new router/firewall, how can it be 
a false positive?

Daniel



Stephane Grobety wrote:

>Hello Daniel,
>
>Source IP means nothing: this is a "ping of death" packet, an ICMP
>echo request with a size greater than 65536 bytes. As such, it doesn't
>expect a response as the targeted machine will crash as soon as the
>packet is received if it is vulnerable.
>
>Now, the ping of death attack is really, really an old one: it dates
>back to the mid-90's. I doubt very much that enough vulnerable
>systems are still in operation for this attack to be used by anyone
>but the most newbie of the script kiddies. This leads me to think that
>what you're seeing is a false positive.
>
>Out of curiosity, is the source IP address used in your own internal
>network?
>
>Good luck,
>Stephane
>
>Sunday, April 24, 2005, 12:12:20 AM, you wrote:
>
>DC> Hi,
>
>DC> I was looking at my firewall reports and noticed this line;
>
>DC> Apr/22/2005 15:31:12
>DC>  Ping of Death Detect src:192.168.1.10:2961 dst:my-internet-ip:42617 Packet Dropped
>
>
>DC> Does anybody know how that is possible? I would think someone using the 
>DC> same ISP is having fun!
>
>DC> Daniel.



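Added example, not part of the thread and not the logic of the firewall discussed in it: a sketch of the two checks the messages above turn on, namely whether an IPv4 fragment would reassemble past the 65535-byte datagram limit, and whether a packet seen on the Internet-facing side carries an RFC 1918 source. The function names, the constructed headers, the documentation addresses and the premise that the header was captured on the WAN interface are all assumptions.

```python
import ipaddress
import struct

MAX_IP_DATAGRAM = 65535  # limit of the 16-bit IPv4 Total Length field
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def make_header(src, dst, total_len, frag_units, proto=1):
    """Build a constructed 20-byte IPv4 header (checksum left at 0, not verified)."""
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234,
                       frag_units & 0x1FFF, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def inspect_fragment(header):
    """Return what a filter on the WAN side can conclude from one IPv4 header."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _cksum, src, _dst) = struct.unpack(IPV4_HDR, header[:20])
    ihl = (ver_ihl & 0x0F) * 4                # header length in bytes
    data_offset = (flags_frag & 0x1FFF) * 8   # offset field counts 8-byte units
    data_len = total_len - ihl                # payload carried by this fragment
    reassembled_len = ihl + data_offset + data_len
    src_ip = ipaddress.ip_address(src)
    return {
        "src": str(src_ip),
        "icmp": proto == 1,
        "reassembled_len": reassembled_len,
        # A datagram that would end past 65535 bytes cannot be legitimate.
        "oversize": reassembled_len > MAX_IP_DATAGRAM,
        # Assumption: header was seen on the WAN interface, where a private
        # source cannot be routed back to and is therefore forged or leaked.
        "private_src_on_wan": any(src_ip in net for net in RFC1918),
    }


# Constructed samples; 203.0.113.5 and 198.51.100.7 are documentation addresses.
SUSPECT = make_header("192.168.1.10", "203.0.113.5", total_len=1020, frag_units=8189)
NORMAL = make_header("198.51.100.7", "203.0.113.5", total_len=84, frag_units=0)

if __name__ == "__main__":
    for name, hdr in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, inspect_fragment(hdr))
```

Both flags depend only on header fields, so a packet can be dropped on either one without waiting for reassembly.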



