[Dshield] BIG Jump in Ping Sweeps

Frank Knobbe frank at knobbe.us
Mon Jan 8 16:30:01 GMT 2007


On Sun, 2007-01-07 at 11:13 -0500, Jeff Kell wrote:
> * ICMP echo requests (type 8 subtype 0),
> * raw ethernet packet length 74, IP packet length 60
> * IP sequence numbers are "increasing" but not sequential
> * ICMP request IDs are random
> * ICMP payload is all nulls (not any known standard scan/ping tool)
> * TTLs are believable (initial TTL probably 64, but TTLs consistent for
> a given source)
> * random but apparently spoofed sources (most samples answer ping
> themselves)
> * randomly distributed targets within the observed address block (not
> sequential scan)
> * does not appear at all in some IP blocks (not a totally random
> destination scan)
> * 1-4 attempts per scan within a few seconds
> * no follow-up traffic (if answered or not)
 
> The purpose is anybody's guess, but appears to be massive targeted
> reconnaissance, most likely fingerprinting the destinations.

Could it be a P2P beacon to find peers? 0's in PING payloads are likely a
custom ping routine, probably not too far-fetched for a P2P app.

> With that said, I still have no idea "why" unless it was a DDoS against
> intrusion analysts' holiday plans :-)

Sorry to hear. Our consoles were relatively quiet :) Hope you still had
a great holiday season.

Cheers,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
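The characteristics Jeff listed above (echo request type 8/code 0, IP length 60, all-NUL payload, one to four probes per source within a few seconds, scattered targets) are enough to write a matcher for this traffic. The following is an added example, not code from either poster: it decodes raw IPv4/ICMP packets, flags those that fit the fingerprint, and groups them per source. The sample packets, addresses and IDs are constructed for the demonstration; checksums are left zero and are not validated.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Fingerprint from the thread: ICMP echo request (type 8, code 0), IP total
# length 60 (74 on the wire with a 14-byte Ethernet header) and an all-NUL
# ICMP payload of 60 - 20 (IP header) - 8 (ICMP header) = 32 bytes.
SWEEP_IP_LEN = 60
SWEEP_PAYLOAD_LEN = SWEEP_IP_LEN - 20 - 8

def parse_ipv4_icmp(pkt: bytes):
    """Decode a minimal IPv4/ICMP packet; returns None if not IPv4 ICMP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(pkt) < ihl + 8:
        return None
    itype, icode, _, icmp_id, _ = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "ttl": ttl, "ip_id": ip_id, "total_len": total_len,
            "type": itype, "code": icode, "icmp_id": icmp_id,
            "payload": pkt[ihl + 8:total_len]}

def is_sweep_probe(pkt: bytes) -> bool:
    """True if the packet matches the echo-request fingerprint above."""
    h = parse_ipv4_icmp(pkt)
    return (h is not None and h["type"] == 8 and h["code"] == 0
            and h["total_len"] == SWEEP_IP_LEN
            and len(h["payload"]) == SWEEP_PAYLOAD_LEN
            and not any(h["payload"]))

def sweep_sources(packets, window=5.0, max_attempts=4):
    """Group matching probes by source IP (packets are (timestamp, bytes));
    return sources that sent at most max_attempts probes, all inside
    `window` seconds, mapped to the sorted list of targets they touched."""
    seen = defaultdict(list)
    for ts, pkt in packets:
        if is_sweep_probe(pkt):
            h = parse_ipv4_icmp(pkt)
            seen[h["src"]].append((ts, h["dst"]))
    hits = {}
    for src, probes in seen.items():
        times = [t for t, _ in probes]
        if max(times) - min(times) <= window and len(probes) <= max_attempts:
            hits[src] = sorted({d for _, d in probes})
    return hits

def build_probe(src, dst, ip_id, icmp_id, ttl=64, payload=bytes(SWEEP_PAYLOAD_LEN)):
    """Constructed test packet (IPv4 + ICMP echo request); checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), ip_id, 0,
                     ttl, 1, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + struct.pack("!BBHHH", 8, 0, 0, icmp_id, 1) + payload
```

Feed it packets pulled from a capture with timestamps and it reports which sources behaved like the sweep; a normal ping with a patterned payload or a different length does not match.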
