geek-isms: ping flood

A ping flood on my DSL connection

A dedicated network admin

As a dedicated webmaster, and a true geek, I am trying to create a clean, straightforward network organization for bmt-online...

(What ? Does this strangely look like the beginning of my other article ? Ah, I am just fooling around.)

This is true enough, though. Over here, at bmt-online, I have two computers sharing the DSL connection. Bebbe is a regular PC with a quite modest configuration (PIII 800MHz) and acts as my server for mail, web and a few other services. FoneBone is my laptop and main work tool. Instead of using the connection-sharing abilities of my OS, say, on Bebbe, I decided that I wanted a cleaner setup and got myself a little router-firewall-hub from Netgear. Not that I am a big fan of advertisement, but the little buddy does a good enough job that I want to give the appropriate credit to Netgear.

Anyways. So I set up the router to handle my DSL connection on the one hand, and to share it to both PCs, adding a little port-based firewall filtering in the middle. The rules are simple: block all incoming traffic, including ICMP, while leaving only the necessary ports open. These are http and smtp, imap and Ident, all on their default ports, plus a few webmail services on some custom ports. Same goes on the outgoing side: block all ports except those I know I need to use. And when some application is unable to connect, I can be almost sure that it is trying to use a "non-standard" port. I know this is not a perfect setup, and that a port left open without any check on who is using it is a gaping security hole, but oh well. That's good enough for my purpose.

Logging the incoming activity

Not only can my little router open and close ports individually (plus a few other options), but it is also able to log traffic in a pretty finely tunable manner. In particular, I decided to log all bounced incoming traffic. Not that I am paranoid or anything. I just thought it would be interesting to see who's trying to get through, and get through to what. It turned out that the results were not only interesting, but also quite peculiar! The log file grew quite quickly (it is now 12MB and growing), so I needed to find some way to comb through it and squeeze interesting statistics out of it.

As there wasn't any log analyzer adapted to the format I get from the little Netgear guy (or maybe I didn't look hard enough), I wrote my own little analyzer in C. As I said at the beginning of this geek-ism piece: I am a geek. When the tool was finally ready, I noticed a quite strange evolution in the pattern of incoming traffic.

I started to log on June 30th 2003. Up until August 18th 2003, blocked incoming traffic is mostly TCP:

  ** Blocked attempts by protocol **
  TCP : 3920 [50.75%]
  UDP : 2617 [33.88%]
  ICMP: 1187 [15.37%]

  ** Top 10 attempts by port **

   1. 137: 1694 [21.93%]
   2. ICMP: 1187 [15.37%]
   3. 139: 714 [9.24%]
   4. 135: 688 [8.91%]
   5. 445: 668 [8.65%]
   6. 3557: 557 [7.21%]
   7. 1434: 404 [5.23%]
   8. 4662: 378 [4.89%]
   9. 37852: 287 [3.72%]
  10. 17300: 183 [2.97%]

  231 other ports: 964 [12.48%]

  Analyzed 7724 inbound records in 0.30s (25746.67 records/s).
  Skipped 0 outbound records and 0 invalid records.

  There are 21023 entries in the resolver cache.

Now, starting on August 18th, and for some reason that totally escapes me, there was a huge increase in the number of ping attempts to my IP address. The following report shows the overall stats from June 30th to Sept. 12th:

  ** Blocked attempts by protocol **
  TCP :  7784 [10.31%]
  UDP :  4605 [ 6.10%]
  ICMP: 63087 [83.59%]

  ** Top 10 attempts by port **

   1. ICMP: 63087 [83.59%]
   2. 137: 3204 [4.25%]
   3. 135: 1907 [2.53%]
   4. 445: 1247 [1.65%]
   5. 2334: 1143 [1.51%]
   6. 139: 922 [1.22%]
   7. 1434: 614 [0.81%]
   8. 3557: 557 [0.74%]
   9. 4662: 396 [0.52%]
  10. 17300: 302 [0.40%]

  491 other ports: 2097 [2.78%]

  Analyzed 75476 inbound records in 1.73s (43552.22 records/s).
  Skipped 2387 outbound records and 0 invalid records.

  There are 21023 entries in the resolver cache.

So, the traffic rose ten-fold, and that is almost exclusively accounted for by ICMP traffic. I can't really call that a DoS attack, as in the end, that's no more than a few ICMP echo requests per second, at most. It is just... weird.

But there's more. The next good question to ask is: who is pinging me to death? Well, my little log analysis tool does actually produce a few more stats. I added a little NS lookup service to it, and proceeded to sort the pingers by host name and by domain. The results are quite interesting. For the full period from June 30th to September 12th, we have:

  ** Top 10 attempts by source **
  
   1. pcp559076pcs.rthfrd01.tn.comcast.net: 650 [0.86%]
   2. 161.58.176.160: 578 [0.77%]
   3. 195.6.68.30: 491 [0.65%]
   4. node-c-22a4.a2000.nl: 408 [0.54%]
   5. pl150.lodz.sdi.tpnet.pl: 306 [0.41%]
   6. adsl-67-124-128-105.dsl.sktn01.pacbell.net: 160 [0.21%]
   7. dsl-200-67-127-105.prodigy.net.mx: 156 [0.21%]
   8. adsl-63-198-115-243.dsl.snfc21.pacbell.net: 155 [0.21%]
   9. adsl-67-124-5-58.dsl.scrm01.pacbell.net: 152 [0.20%]
  10. adsl-67-124-44-234.dsl.pltn13.pacbell.net: 152 [0.20%]
  
  21005 other sources: 72268 [95.75%]

Not very conclusive, is it? There is no single main source of pings. Not even a very definite tendency of one provider to be the main source of pings. Granted, PacBell (SBC) has four entries in the top-10 but they are towards the bottom of the list. Besides that, there is that Mexican guy, the Polish guy, and the Dutch guy who have been tickling me a little, plus the dude on Comcast. Nothing fancy.

Oh but wait! Let's see what happens when we count attempts by domain! Maybe that will be more interesting:

  ** Top 10 attempts by domain **
  
   1. .pacbell.net: 60822 [80.58%]
   2. not resolved: 5888 [7.80%]
   3. .comcast.net: 721 [0.96%]
   4. .level3.net: 619 [0.82%]
   5. .a2000.nl: 412 [0.55%]
   6. .tpnet.pl: 374 [0.50%]
   7. .net.mx: 361 [0.48%]
   8. .t-dialin.net: 292 [0.39%]
   9. .rima-tde.net: 227 [0.30%]
  10. .dialsprint.net: 182 [0.24%]
  
  765 other domains: 5578 [7.39%]

Now that's more interesting. The one top source of bounced access to my home network is the PacBell (SBC) network… to which I belong! So, all those echo requests I am getting originate from a big number of machines, maybe 15000, all located on the same network as I am, and none really hitting me much more than the others.

Today, I contacted my ISP for an unrelated—but equally important, like, my DSL connection is down—issue and mentioned my findings to them. You'd think they would know about what goes on on their own network. Naaah. Nobody was able to tell me what was going on and what could cause such weird behaviour. So, as with the PHP and Apache issue, I am leaving this open, for anyone who has a reasonable explanation to chime in and let me know…

wed 2003-09-17