
Stay Ahead With Linux Security News


Understanding Distributed Pings and Their Effect on IDS Alerts

For a couple of weeks now some of you may have been seeing what looks like a ping scan from many hosts to your nameservers. Joe Stewart gave a very good explanation of why this is happening in a recent post to the INCIDENTS mailing list. His message is listed below. Test it out for yourself. :)

Date: Tue, 5 Dec 2000 05:03:38 -0500
From: Joe Stewart
To: INCIDENTS@
Subject: Source of Recent Distributed Pings

Recently many people on incidents@ and snort-users@lists.sourceforge.net have reported distributed ping "floods". Previously these have been misattributed by myself and one other poster to Internap/pnap.net's network as part of their "Cogitator" system for network routing. However, after talking to their senior software engineer, and doing some additional research, I have discovered Internap is not the source of these packets.

The true source of the pings is Speedera.net's "Global Traffic Management" system. It isn't a random or sequential sweep of the net; the pings only occur when you make a DNS lookup request for one of their load-balanced cache customers' websites. They then use the latency results of the distributed pings to return the IP address of the cache with the fastest route to you.

For example, if you connect to any one of the below nameservers using nslookup, and request the address for 'www.speedera.com', your IDS should instantly pick up pings from several servers at once to your IP address.

SERVER-0.SJOSE.UUNET.SPEEDERA.NET 204.176.88.1
SERVER-0.LONDON.EXODUS.SPEEDERA.NET 212.62.17.141
SERVER-0.STERLING.EXODUS.SPEEDERA.NET 64.14.117.6
SERVER-2.SINGAPORE.SINGTEL.SPEEDERA.NET 202.160.241.132
SERVER-3.FRANKFURT.COLT.SPEEDERA.NET 213.61.6.5
SERVER-1.SCLARA.GLOBIX.SPEEDERA.NET 209.10.58.114

Or you can just open and the pings will hit your nameserver instead.

Here is a signature for Snort that will differentiate between the Speedera pings and hopefully most *nix pings. (Make sure to put the Speedera signature above the *nix and BSD ping signatures in your rules file, since both will also match.)

    alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
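The matching and rule-order behaviour described in the message, as an added Python example (not Joe Stewart's or Snort's code): it applies the page's Speedera signature and a generic ping rule to constructed ICMP packets, first match wins. The second rule's content bytes, the helper names, and the choice to search the payload after the 8-byte echo header are assumptions.

```python
import struct

# Rules in file order: (msg, itype, content, depth). The first is the page's
# Speedera signature; the second is a hypothetical stand-in for a generic
# *nix ping rule (its content bytes are an assumption, not from the page).
RULES = [
    ("PING Speedera", 8, bytes.fromhex("38393a3b3c3d3e3f"), 100),
    ("PING *NIX (hypothetical)", 8, bytes.fromhex("1011121314151617"), 100),
]

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Construct an ICMP echo message (sample data for this example)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def classify(icmp: bytes, rules=RULES):
    """Return the msg of the first rule that matches, or None."""
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None  # truncated or corrupted message
    payload = icmp[8:]  # assumption: content is searched after the echo header
    for msg, want_type, content, depth in rules:
        if icmp[0] == want_type and content in payload[:depth]:
            return msg
    return None

# Constructed payloads of incrementing bytes, 56 and 64 bytes long.
SHORT_PING = build_echo(8, bytes(range(56)))   # 0x00..0x37, no 0x38..0x3f
LONG_PING = build_echo(8, bytes(range(64)))    # 0x00..0x3f, both rules match
LONG_REPLY = build_echo(0, bytes(range(64)))   # echo reply, itype 0

if __name__ == "__main__":
    samples = [("56-byte", SHORT_PING), ("64-byte", LONG_PING), ("reply", LONG_REPLY)]
    for name, pkt in samples:
        print(name, "->", classify(pkt))
    print("64-byte, rules reversed ->", classify(LONG_PING, RULES[::-1]))
```

With the rule order reversed, the 64-byte request is labelled by the generic rule, which is why the message asks for the Speedera signature to come first.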

Posted Dec 05, 2000 by Anthony Pell in Firewalls