Internet Security Systems

Echo reply without request

advICE : Intrusions : 2000109
Summary

Somebody is replying to your ping -- only you never sent out a ping request.

Details

The exact details are that an ICMP echo reply (type=0) packet was seen for which no corresponding request has been seen.

There are a number of reasons why these may be seen:

Firewall scanning
This technique can be used to scan systems behind a corporate firewall. Most corporate firewalls allow ping/echo responses to pass through; otherwise, ping programs won't work correctly. However, when a router within the corporation attempts to forward such a packet to a nonexistent host, it sends an "unreachable" message back to the sender. In this manner, somebody can map the structure of the network behind a corporate firewall.
Trojan communication
ICMP traffic is a way of communicating with Trojan horse programs. This is effective because it passes through firewalls. One popular class of Trojan controlled by ICMP echoes has been the DDoS utilities that took down websites.

Lots of people have now taken up scanning for DDoS trojans. Therefore, you will likely occasionally see a scan for DDoS systems.

DoS
These are also used as a direct DoS mechanism. The goal is to flood you with traffic (especially traffic that pierces firewalls) in order to slow down your Internet connection.
Spoof by-products
Somebody could be spoofing your IP address. They could be sending pings to a target claiming that these pings are from you. You will then see these replies. There is really no way to determine who is doing this.

Defense

This is probably not something that you need to worry about unless your system is on a corporate network behind a firewall.

False Positives

Some customers running the product on the same system as a proxy server may be experiencing false positives. We are currently investigating this situation, and will make a fix available as soon as possible. In the interim, if it is occurring often in your environment, you can safely ignore this issue because it is likely to be a false positive. To cause the product to no longer detect this intrusion, position the mouse pointer over the attack, click the right mouse button, and select "Ignore attack - This attack".

More information

CERT IN-99-07: Distributed Denial of Service Tools
A Tribe Flood Network master communicates with TFN daemons using ICMP echo reply packets.
Detailed analysis of Tribal Flood Network
Detailed analysis of stacheldraht distributed denial of service attack tool

Parametric information

count: The number of echo replies seen

Configuration for this item

icmp.noechorequest.count = 3: The number of unsolicited echo reply packets to trigger this detection.
icmp.noechorequest.interval = 600: The time interval (in seconds) over which the packets are measured.
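As an added illustration (this is not ISS's code), here is a small Python model of the detection described on this page: outbound echo requests are remembered by peer address, ICMP identifier and sequence number, and inbound echo replies that match none of them are counted against the count and interval thresholds above. The packet dictionaries and addresses are constructed for the example.

```python
from collections import deque
# Thresholds mirroring the page's configuration items (values as listed there)
DEFAULT_COUNT = 3        # icmp.noechorequest.count
DEFAULT_INTERVAL = 600   # icmp.noechorequest.interval, in seconds

class UnsolicitedEchoReplyDetector:
    """Flag ICMP echo replies (type 0) that match no echo request (type 8) we sent."""
    def __init__(self, count=DEFAULT_COUNT, interval=DEFAULT_INTERVAL):
        self.count, self.interval = count, interval
        self.pending = {}           # (peer, icmp id, seq) -> timestamp of our request
        self.unsolicited = deque()  # timestamps of unsolicited replies in the window
        self.alerts = []

    def observe(self, pkt):
        """pkt is a parsed packet: ts, dir ('out'/'in'), peer, type, id, seq."""
        key = (pkt["peer"], pkt["id"], pkt["seq"])
        if pkt["dir"] == "out" and pkt["type"] == 8:
            self.pending[key] = pkt["ts"]           # remember the request we sent
        elif pkt["dir"] == "in" and pkt["type"] == 0:
            if self.pending.pop(key, None) is not None:
                return None                         # solicited reply: a normal ping
            self.unsolicited.append(pkt["ts"])
            while pkt["ts"] - self.unsolicited[0] > self.interval:
                self.unsolicited.popleft()          # forget replies outside the window
            if len(self.unsolicited) >= self.count:
                alert = {"ts": pkt["ts"], "peer": pkt["peer"], "count": len(self.unsolicited)}
                self.alerts.append(alert)
                self.unsolicited.clear()            # one alert per burst
                return alert
        return None

# Constructed sample traffic (not a real capture): a normal ping exchange, then
# unsolicited replies from another host; the first two fall outside the window.
SAMPLE_PACKETS = [
    {"ts": 0.0,   "dir": "out", "peer": "198.51.100.7", "type": 8, "id": 1,  "seq": 1},
    {"ts": 0.02,  "dir": "in",  "peer": "198.51.100.7", "type": 0, "id": 1,  "seq": 1},
    {"ts": 10.0,  "dir": "in",  "peer": "203.0.113.9",  "type": 0, "id": 77, "seq": 1},
    {"ts": 12.0,  "dir": "in",  "peer": "203.0.113.9",  "type": 0, "id": 77, "seq": 2},
    {"ts": 900.0, "dir": "in",  "peer": "203.0.113.9",  "type": 0, "id": 77, "seq": 3},
    {"ts": 905.0, "dir": "in",  "peer": "203.0.113.9",  "type": 0, "id": 77, "seq": 4},
    {"ts": 910.0, "dir": "in",  "peer": "203.0.113.9",  "type": 0, "id": 77, "seq": 5},
]

def run_sample(packets=SAMPLE_PACKETS):
    """Feed the sample through the detector and return the alerts it raised."""
    det = UnsolicitedEchoReplyDetector()
    for pkt in packets:
        det.observe(pkt)
    return det.alerts
```

The sample raises exactly one alert, at t=910, because the two replies at t=10 and t=12 have aged out of the 600-second window by the time the burst at t=900 begins; the solicited reply at t=0.02 is never counted.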

Version appeared: 2.0 