[clug] NMAP Pings to x.x.x.224?
grail at goldweb.com.au
Wed Oct 27 23:17:36 GMT 2004
I've found a very curious trend in my snort logs recently - the pig
reports that there are a large number of NMAP-style ICMP pings (i.e. 0
byte length) to an address x.x.x.224 inside our /24 network:
21.06 5782 x.x.x.224 ICMP PING NMAP
15.47 4247 x.x.x.252 ICMP PING NMAP
15.44 4238 x.x.x.226 ICMP PING NMAP
11.55 3171 x.x.x.239 ICMP PING NMAP
10.72 2944 x.x.x.220 ICMP PING NMAP
6.77 1858 x.x.x.94 ICMP PING NMAP
6.32 1736 x.x.x.198 ICMP PING NMAP
4.78 1312 x.x.x.72 ICMP PING NMAP
0.79 216 x.x.x.244 ICMP PING NMAP
The curious thing is that these addresses are all non-existent
machines. Snort is sitting on the firewall, listening to the
Internet-side interface, so it's not missing anything. Perhaps whatever
it is that's looking for victims really, really wants to find something
at x.x.x.224, so it keeps looking there?
FWIW, the default rule is to drop all traffic that isn't explicitly
accepted or rejected. Perhaps I should reject (as administratively
prohibited) any traffic that isn't explicitly dropped or accepted?
Has anyone else seen this strange behaviour?
"If knowledge can create problems, it is not through ignorance that we
can solve them." --Isaac Asimov
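An added example (not part of the original post) showing the kind of check the question calls for: parse Snort fast-format alert lines, count "ICMP PING NMAP" hits per destination the way the summary above does, and flag destinations inside the monitored /24 that are not live hosts. The alert lines, the network 198.51.100.0/24 and the live-host list are constructed for the example; the fast-format layout the regex expects is an assumption about `snort -A fast` output.

```python
"""Summarise Snort 'ICMP PING NMAP' alerts by destination and flag hits on
unused addresses (dark space) inside a monitored /24.  Added example with
constructed data; not code from the original post."""
import ipaddress
import re
from collections import Counter

# Assumed layout of a Snort "fast" alert line:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
FAST_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
)

# Constructed sample alerts (documentation-range addresses, not real hosts).
SAMPLE_ALERTS = """\
10/27-22:01:03.123456 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.224
10/27-22:01:04.223456 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.224
10/27-22:01:05.323456 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.252
10/27-22:01:06.423456 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.10 -> 198.51.100.10
10/27-22:01:07.523456 [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.10 -> 198.51.100.10
"""

# Constructed inventory: the only address in the /24 that really has a host.
MONITORED_NET = "198.51.100.0/24"
LIVE_HOSTS = ["198.51.100.10"]


def parse_alerts(text):
    """Yield (msg, src, dst) for every line that matches the fast format."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield m.group("msg"), m.group("src"), m.group("dst")


def count_by_destination(text, msg="ICMP PING NMAP"):
    """Count alerts carrying the given message, keyed by destination IP."""
    counts = Counter()
    for alert_msg, _src, dst in parse_alerts(text):
        if alert_msg == msg:
            counts[dst] += 1
    return counts


def dark_space_hits(counts, network, live_hosts):
    """Keep only destinations inside `network` that are not known live hosts.
    Probes of addresses nothing answers on are a sweep of the block, not
    traffic anyone could have solicited."""
    net = ipaddress.ip_network(network)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    return {
        dst: n
        for dst, n in counts.items()
        if ipaddress.ip_address(dst) in net and ipaddress.ip_address(dst) not in live
    }


def summary_rows(text, network, live_hosts, msg="ICMP PING NMAP"):
    """Rows of (percent, count, dst, is_dark_space), most-hit first, in the
    same shape as the post's snort summary."""
    counts = count_by_destination(text, msg)
    total = sum(counts.values()) or 1
    dark = dark_space_hits(counts, network, live_hosts)
    return [
        (round(100.0 * n / total, 2), n, dst, dst in dark)
        for dst, n in counts.most_common()
    ]


if __name__ == "__main__":
    for pct, n, dst, dark in summary_rows(SAMPLE_ALERTS, MONITORED_NET, LIVE_HOSTS):
        flag = "no host here" if dark else ""
        print(f"{pct:6.2f} {n:5d} {dst:16s} ICMP PING NMAP {flag}")
```

Running it over a real `alert` file instead of the sample text gives the same per-destination ranking as the summary in the post, with the unused addresses marked; a sensor on the Internet-side interface will show these regardless of whether the firewall drops or rejects, since the probes never have to reach a host to be counted.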