Solved

What is a Ping Attack?

Posted on 2003-10-23
Last Modified: 2008-03-10
I use PC-Cillin and it registers a huge number of "Ping Attacks" and a lot of "NetBIOS Browsing" records in the Firewall logs. These start almost from the instant I go on-line. What are they, where are these coming from and how much at risk am I? Thanks, Francois
Question by:FrankPalmer
7 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 9612378
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 9612714

"Ping attacks" can be several things:

1) A malformed or over/undersized ping packet designed to cause damage
2) A lot of ping traffic in the form of noise on your network generated by users and applications (common on a large enterprise network...) which register a positive on the firewall or IDS
3) A worm like Nachi which uses ping as part of its propagation
4) An attempted denial of service attack whereby machines or bots have been told to saturate a network connection or interface.

It really depends what is flicking PC-cillin's switch in this respect and what is appropriate for your network. Have a look at the origins of the traffic - if you are a single PC connecting via a broadband connection then you are just registering ping-sweeps etc from the 'net. PC-cillin is dropping them and logging them which is good. You may be able to turn the logging of that off in the console.

As to NetBIOS browsing. Windows machines use NetBIOS and as part of Microsoft networking they browse for printers and shares and machines and directories and shared internet gateways etc etc etc. This is normal. The reason that firewalls don't like it is because NetBIOS is a very good protocol to use for hacking. Windows machines used to just listen on all these NetBIOS ports and that posed a solid security risk. Things are better with the newer versions of Windows but PC-cillin is just protecting you from unwanted probes. Again if these log entries are causing you problems then see if you can switch them off in the console.

Good luck - regards...


0
 
LVL 3

Accepted Solution

by:
FlamingSword earned 20 total points
ID: 9614931
"What are they, where are these coming from and how much at risk am I?"

A "ping" is like a question: "Are you there?"

It is useful for mapping networking topology, and assessing uptime and even throughput for networking. Unfortunately, it has been put to bad use by some people of ill intent, who want to intrude upon computers of other people, where they first run a series of these "Are you there" simple questions to locate candidates for later use. Taking this a step further, the little ping command is so tiny, it is relatively easy to send many of them at a time. Unfortunately, when some devices receive too many pings, too many questions, they may have such a difficult time processing them that they fail. When such a quantity of pings is directed at a single target PC, we call this a "Ping Attack".

Also unfortunately, some software like firewalls, to improve upon their own product marketing, may label any quantity of pings as a ping attack, so it is difficult to assess what lies behind any such marketing claim without taking it a step further, such as by personally monitoring the logs made of such pings. If you do so and see thousands of them coming at you from a single address, then you can be more assured that someone is indeed attacking you. However, if you see only a few, then there should be less concern about that, for the product that is giving you such a warning is merely pointing out that it is functioning. You mention one product, an A/V, (separate field), which I know little about since it is so incompatible with my other products that I won't run it.

The "NetBIOS Browsing" is used for Windows to map drives. This is a very large open hole in Windows. NetBIOS was never intended to be used for internet access. It permits far too many vulnerabilities. For a good discussion, visit the GRC website. And make sure you are always updating Windows to close holes such as for RPC. See Microsoft about that. The warning about browsing for this is similar to the one about ping. Someone may just be running some "Are you there" process, and not really aware that people can consider this intrusive, or in fact that they are running it. Or they could be looking for candidates for exploitation, maybe only a local reporter running some survey.

"how much at risk am I?" + "records in the Firewall logs"

You should be at little risk at all if you have your firewall set up to not pass any of the NetBIOS ports. First step is really to close all ports as a default condition, then open them one at a time when you find an application needs it to run successfully. You might also decide to never respond to pings, which makes it look like you are down or broken. You may be invisible or stealthed. Not the best of all worlds, but it can reduce the number of repeats you get from people trying to count how many computers there are on the internet. Their numbers will of course be a little smaller than the reality of the 'net.

In short, with the little info you have provided, I'd have to say that you seem to be at little risk.
0
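The log check described in the accepted answer (count pings per source address and see whether any single address accounts for thousands), as an added example that is not part of the original thread. The log layout, the 1000-ping threshold and the addresses are assumptions constructed for illustration; PC-cillin's actual log format is not shown on this page.

```python
import re
from collections import Counter

# Assumed layout: "<date> <time> <ACTION> <PROTO> <src> -> <dst> <detail>"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>ICMP|UDP|TCP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> \S+ (?P<detail>.+)$"
)
NETBIOS_PORTS = {"137", "138", "139"}
FLOOD_THRESHOLD = 1000  # assumption standing in for "thousands from a single address"


def count_by_source(lines):
    """Return (ping_counts, netbios_counts), each keyed by source address."""
    pings, netbios = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if m["proto"] == "ICMP" and "echo-request" in m["detail"]:
            pings[m["src"]] += 1
        elif m["detail"].startswith("dport="):
            if m["detail"].split("=", 1)[1] in NETBIOS_PORTS:
                netbios[m["src"]] += 1
    return pings, netbios


def classify(pings, threshold=FLOOD_THRESHOLD):
    """Label each pinging source as a possible flood or ordinary background probing."""
    return {
        src: "possible flood" if n >= threshold else "background probe"
        for src, n in pings.items()
    }


def sample_log():
    """Constructed log: three casual probers, one heavy source, two NetBIOS probes."""
    lines = [f"2003-10-23 09:00:0{i} DROP ICMP 192.0.2.{i} -> 10.0.0.5 echo-request"
             for i in range(1, 4)]
    lines += ["2003-10-23 09:01:00 DROP ICMP 203.0.113.9 -> 10.0.0.5 echo-request"] * 2500
    lines += ["2003-10-23 09:02:00 DROP UDP 198.51.100.7 -> 10.0.0.5 dport=137",
              "2003-10-23 09:02:05 DROP TCP 198.51.100.7 -> 10.0.0.5 dport=139"]
    return lines


if __name__ == "__main__":
    pings, netbios = count_by_source(sample_log())
    for src, label in sorted(classify(pings).items()):
        print(f"{src:15} pings={pings[src]:5} {label}")
    for src, n in netbios.items():
        print(f"{src:15} NetBIOS probes={n}")
```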
 
LVL 3

Expert Comment

by:FlamingSword
ID: 9615011
Nice links, jvuz;    ferg-o, I think we agree that there appears little for FrankPalmer to be concerned about.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 9618495

Definitely agreed - excellent description FlamingSword - would you mind if I used some of that for clients?

More and more we are going to see people asking these types of questions - as a security consultant I find it very hard to give explanations when I consider so much to be *a given*

0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623680
One thing,
wannabe hackers (script kiddies) use ping to identify victims, a normal ping from one computer isn't doing any harm as long as you have a good firewall to disable all future attacks.
Ping uses TCP, so it's waiting for an answer before it sends another package. Which won't take your bandwidth too much.
If the script kiddie is sending UDP packages at you you should be more concerned, because they don't wait until your computer answers, so it can easily take all your bandwidth.

A ping attack is only harmful if it's done by a DDoS attack, this means sending more packages than your download and upload can handle.

You might want to take a look at => http://grc.com/dos/grcdos.htm so you can find out what a real DoS or DDoS attack is like.

LucF

p.s. DoS = Denial of Service
      DDoS = Distributed Denial of Service
0
 

Expert Comment

by:mgbyrne2004
ID: 11497494
*** advertising removed by Netminder, Site Admin ***
0
