Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

What is a Ping Attack?

Posted on 2003-10-23
Last Modified: 2008-03-10
I use PC-Cillin and it registers a huge number of "Ping Attacks" and a lot of "NetBIOS Browsing" records in the Firewall logs. These start almost from the instant I go on-line. What are they, where are these coming from and how much at risk am I? Thanks, Francois
Question by:FrankPalmer
LVL 21

Expert Comment

ID: 9612378

Expert Comment

ID: 9612714

"Ping attacks" can be several things:

1) A malformed or over/undersized ping packet designed to cause damage
2) A lot of ping traffic in the form of noise on your network generated by users and applications (common on a large enterprise network...) which register a positive on the firewall or IDS
3) A worm like Nachi which uses ping as part of its propogation
4) An attempted denial of service attack whereby machines or bots which have been told to saturate a network connection or interface.

It really depends what is flicking PC-cillins switch in this respect and what is appropriate for your network. Have a look at the origins of the traffic - if you are a single PC connecting via a broadband connection then you are just registering ping-sweeps etc from the 'net. PC-cillin is dcropping them and logging them which is good. You may be able to turn the logging of that off in the console.

As to NetBIOS browsing. Windows machines use NetBIOS and as part of Microsoft networking they browse for printers and shares and machines and directories and shared internet gateways etc etc etc. This is normal. The reason that firewalls don't like it is because NetBIOS is a very good protocol to use for hacking. Windows machines used to just listen on all these NetBIOS ports and that posed a solid security risk. Things are better with the newer versions of windows but PC-cillin is just protecting you from unwanted probes. Again if these log entries are causing you problems then see if you can switch them off in the console.

Good luck - regards...


Accepted Solution

FlamingSword earned 20 total points
ID: 9614931
"What are they, where are these coming from and how much at risk am I?"

A "ping" is like a question: Are you there?"

It is useful for mapping netowrking topology, and assessing uptime and even throughput for networking. Unfortunately, it has been put to bad use by some people of ill intent, who want to intrude upon computers of other people, where they first run a series of these "Are you there" simple questions to locate candidates for later use. Taking this a step further, the little ping command is so tiny, it is relatively easy to send many of them at a time. Unfortunately, when some devices receive too many pings, too many questions, they may have such a difficult time processing them that they fail. When the quantity of pings directed at a single target PC, we call this a "Ping Attack".

Also unfortunately, some softwares like firewalls, to improve upon their own product marketing, may label any quantity of pings as a ping attack, so it is difficult to assess what lies behing any such marketing claim without taking it a step further, such as by personally monitoring the logs made of such pings. If you do so and see thousands of them coming at you from a single address, then you can be more assured that someone is indeed attacking you. However, if you see only a few, then there should be less concern about that, for the product that is giving you such a warning is merely pointing out that it is functioning. You mention one product, an A/V, (separate field), which I know little about since it is so incompatible with my other products that I won't run it.

The "NetBIOS Browsing" is used for Windows to map drives. This is a very large open hole in Windows. NetBios was never intended to be used for internet access. It permits far too many vulnerabilities. For a good discission, visit the GRC website. And make sure you are always updating Windows to close holes such as for RPC. See Microsoft about that. The warning about browsing for this is similar to the one about ping.  Someone may just be running some "Are you there" process, and not really aware that people can consider this intrusive, or in fact that they are running it. Or they could be looking for candidates for exploitation, maybe only a local reporter running some survey.

" how much at risk am I?" + "records in the Firewall logs"

You should be at little risk at all if you have your firewall set up to not pass any of the NetBios ports. First step is really to close all ports as a default condition, then open them one at a time when you find an application needs it to run successfully. You might also decide to never respond to pings, which makes it look like you are down or broken. You may be invisible or stealthed. Not the best of all worlds, but it can reduce the number of reapeats you get from people trying to count how many computers there are on the internet. There numbers will of course be a little smaller than the reality of the 'net.

In short, with the little info you have provided, I'd have to say that you seem to be at little risk.
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.


Expert Comment

ID: 9615011
Nice links, jvuz;    ferg-o, I think we agree that there appears little for FrankPalmer to be concerned about.

Expert Comment

ID: 9618495

Definately agreed - excellent description FlamingSword - would you mind if I used some of that for clients?

More and more we are going to see people asking these type of questions - as a security consultant I find it very hard to give explanations when I consider so much to be *a given*

LVL 32

Expert Comment

ID: 9623680
One thing,
wanabee hackers (script kiddies) use ping to identify victims, a normal ping from one computer isn't doing any harm as long as you have a good firewall to disable all future attacks.
Ping uses TCP, so it's waiting for an answer before it sends another package. Wich won't take your bandwidth to much.
If the script kiddie is sending UDP packages at you you should be more conserned, because they don't wait untill your computer answeres, so it can easely take all you bandwidth.

A ping attack is only harmfull if it's done by a DDoS attack, this means sending more packages than your download and upload can handle.

You might want to take a look at => http://grc.com/dos/grcdos.htm so you can find out what a real DoS or DDoS attack is like.


p.s. DoS = Denial of Service
      DDoS = Distributed Denial of Service

Expert Comment

ID: 11497494
*** advertising removed by Netminder, Site Admin ***

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question