Security Incidents mailing list archives

RE: Ping Scan


From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 17 Sep 2001 19:25:21 +0200

Frank,

What you see here is probably a 'decoy scan'. A decoy scan is a type of
scan which involves multiple IP addresses that are fed to the
network-scanning tool as decoys. The real IP address of the malicious
computer attacker (or a machine he controls) will be among those. An IP
or IPs from your IP range were used to scan a site.

Since the host the scan was trying to reach is not alive on the wire
(meaning it did not answer the ARP request the last-hop router issued),
the router has issued an ICMP Host Unreachable error message back to
the IP address that was trying/attempting to scan.

Because one of your IPs was among the IPs that were being used for the
decoy scan, you received one of these messages.


Now, this is NOT a ping scan. A ping scan is where you see ICMP Echo
Requests... not ICMP Host Unreachables.


For more on the subject you can see my paper "ICMP Usage in Scanning",
available from:
http://www.sys-security.com/html/projects/icmp.html
Especially Chapter 5 (5.3)

For ICMP Protocol Rule Base for Snort see:
http://www.sys-security.com/archive/snort/icmp_rules/ICMP_basic_plus


Hope this helps

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA


-----Original Message-----
From: Frank Knobbe [mailto:FKnobbe () KnobbeITS com] 
Sent: Mon 17 September 2001 6:52
To: incidents () securityfocus com
Subject: Ping Scan


Greetings,

can anyone identify the following Ping Scan tool?

I usually get a few of those 'ICMP unreachables' (supposedly coming from
some IPs that don't exist/don't have servers). However, over the
last few days I've seen a drastic increase. Anyone seeing the same?

Regards,
Frank


[**] Ping Scan [**]
09/14-21:42:32.798231 204.255.169.37 -> x.x.x.x
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:23547 -> 202.46.194.5:32165
TCP TTL:188 TOS:0x8 ID:30922 IpLen:20 DgmLen:40
Seq: 0x74832EB6  Ack: 0x10BDC00C
** END OF DUMP
00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA  ....E..(x.@...x.
xx xx xx xx CA 2E C2 05 5B FB 7D A5 74 83 2E B6  Aj......[.}.t...



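The distinction Ofir draws (an Echo Request is a ping scan; a Host Unreachable that quotes a datagram "from" your own address is backscatter from a decoy scan) can be checked mechanically from the alert Frank posted. The following is an added example, not code from either poster: it rebuilds the ICMP message from the hex dump in the alert, with the masked source "x.x.x.x" stood in for by the constructed address 192.0.2.10, and decodes the quoted original datagram to decide which case it is.

```python
import ipaddress
import struct

# Constructed ICMP Destination Unreachable (type 3, code 1) matching the alert
# in the post. After the 4-byte ICMP header and the 4-byte unused field (the
# leading "00 00 00 00" in the dump) comes the quoted original datagram: its
# IP header followed by the first 8 bytes of its TCP header (RFC 792).
INNER_SRC = ipaddress.IPv4Address("192.0.2.10")       # stands in for x.x.x.x (assumption)
ICMP_HOST_UNREACH = (
    bytes([3, 1]) + b"\x00\x00"                       # type 3, code 1, checksum (not verified here)
    + b"\x00\x00\x00\x00"                             # unused
    + bytes.fromhex("45080028 78CA4000 BC0678CA")     # inner IPv4 header, as dumped
    + INNER_SRC.packed                                # inner source address
    + bytes.fromhex("CA2EC205")                       # inner destination 202.46.194.5
    + bytes.fromhex("5BFB7DA5 74832EB6")              # TCP sport, dport, seq
)


def parse_icmp(msg: bytes, our_prefix: str) -> dict:
    """Classify one ICMP message: Echo Request => ping scan; a Host Unreachable
    whose quoted datagram claims a source inside our_prefix => backscatter
    (our address was used as a decoy, as described in the reply)."""
    icmp_type, icmp_code = msg[0], msg[1]
    if icmp_type == 8:
        return {"kind": "ping-scan", "detail": "ICMP Echo Request"}
    if icmp_type != 3:
        return {"kind": "other", "detail": f"ICMP type {icmp_type}"}
    inner = msg[8:]                                   # quoted original datagram
    if len(inner) < 20:
        return {"kind": "truncated", "code": icmp_code}
    ihl = (inner[0] & 0x0F) * 4                       # inner IP header length in bytes
    tos, total_len, ident, _frag, ttl, proto = struct.unpack("!BHHHBB", inner[1:10])
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    if len(inner) < ihl + 8:                          # RFC 792 guarantees only 8 bytes
        return {"kind": "truncated", "code": icmp_code, "src": str(src), "dst": str(dst)}
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    seq = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0] if proto == 6 else None
    kind = "backscatter" if src in ipaddress.ip_network(our_prefix) else "dest-unreachable"
    return {"kind": kind, "code": icmp_code, "proto": proto, "tos": tos, "ttl": ttl,
            "id": ident, "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport, "seq": seq}


if __name__ == "__main__":
    print(parse_icmp(ICMP_HOST_UNREACH, "192.0.2.0/24"))
```

Run against the constructed message, the decoded fields (TTL 188, ID 30922, TCP 23547 -> 32165, seq 0x74832EB6) match the alert's "ORIGINAL DATAGRAM DUMP" line, and the verdict is backscatter rather than a ping scan.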
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



