[clug] NMAP Pings to x.x.x.224?

Alex Satrapa grail at goldweb.com.au
Wed Oct 27 23:17:36 GMT 2004

I've found a very curious trend in my snort logs recently - the pig 
reports that there are a large number of NMAP style ICMP pings (ie: 0 
byte length) to an address x.x.x.224 inside our /24 network:

21.06  5782  x.x.x.224   ICMP PING NMAP
15.47  4247  x.x.x.252   ICMP PING NMAP
15.44  4238  x.x.x.226   ICMP PING NMAP
11.55  3171  x.x.x.239   ICMP PING NMAP
10.72  2944  x.x.x.220   ICMP PING NMAP
  6.77  1858  x.x.x.94    ICMP PING NMAP
  6.32  1736  x.x.x.198   ICMP PING NMAP
  4.78  1312  x.x.x.72    ICMP PING NMAP
  0.79   216  x.x.x.244   ICMP PING NMAP

The curious thing is that these addresses are all non-existent 
machines. Snort is sitting on the firewall, listening to the 
Internet-side interface, so it's not missing anything. Perhaps whatever 
it is that's looking for victims really, really wants to find something 
at x.x.x.224, so it keeps looking there?

FWIW, the default rule is to drop all traffic that isn't explicitly 
accepted or rejected. Perhaps I should reject (as administratively 
prohibited) any traffic that isn't explicitly dropped or accepted?

Has anyone else seen this strange behaviour?


"If knowledge can create problems, it is not through ignorance that we 
can solve them."  --Isaac Asimov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 220 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/linux/attachments/20041028/77836db7/PGP.bin

More information about the linux mailing list