[geeks] Ping of Death
Mike F
lists at ibrew.net
Thu Feb 5 06:36:35 CST 2004
Michael Schiller wrote:
> Hi All.
>
> I've got a quick question that I hope somebody can give me some
> pointers on. I got an email today saying that my machine is attacking a
> router with the ping-of-death. I'm running Sol9 on 2 machines, OSX
> 10.3.2 on 2 machines, and XP on my PC, and was wondering first off if
> this guy is telling me the truth, that my IP is in fact attacking his,
> and secondly if so, which of my machines should I check first? Oh, all
> these machines are behind a linksys cable router. Below is a part of
> his message:
>
>
>
> I am an IT professional. Recently, one of the routers I maintain
> started logging ping of death attacks from your IP address. Below is a
> sample of the log.
>
>
> Feb/05/2004 01:47:40
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:43:24
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:41:16
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:40:13
>
> Ping of Death Detect src:68.118.97.30:58898 dst:224.0.0.251:32644
> Packet Dropped
>
> Feb/05/2004 01:39:40
>
>
> Any help with this would be appreciated, as I really haven't kept up
> with this stuff, and at the moment I'm too tired to start tearing into
> all my machines without knowing which one to look at first, and what to
> look for. Thanks!
Hmm, as Jonathan noted, it looks fishy. the 224.0.0.0/8 address range is
reserved for multicast usage. I noticed this first off, but I don't know
Jack Squat about multicast, so I did some Googling and came up with:
"In any case, range 224.0.0.0 through 224.0.0.255 is reserved for local
purposes (as administrative and maintenance tasks) and datagrams
destined to them are never forwarded by multicast routers. Similarly,
the range 239.0.0.0 to 239.255.255.255 has been reserved for
"administrative scoping" (see section 2.3.1 for information on
administrative scoping)."
from the Linux Multicast HOWTO. So, it certainly does sound like the
traffic is either spoofed, and your address happened to be used, or it
may be simply some errant multicast traffic that is being stopped by his
router, but "ping of death" and multicast are 2 entirely different
beasts. So, give the "IT professional" a good whack with the clue bat :)
- Mike
More information about the geeks
mailing list