What is a Ping Attack?

Posted on 2003-10-23
Last Modified: 2008-03-10
I use PC-Cillin and it registers a huge number of "Ping Attacks" and a lot of "NetBIOS Browsing" records in the Firewall logs. These start almost from the instant I go on-line. What are they, where are these coming from and how much at risk am I? Thanks, Francois
Question by:FrankPalmer

Expert Comment

ID: 9612378

Expert Comment

ID: 9612714

"Ping attacks" can be several things:

1) A malformed or over/undersized ping packet designed to cause damage
2) A lot of ping traffic in the form of noise on your network generated by users and applications (common on a large enterprise network...) which register a positive on the firewall or IDS
3) A worm like Nachi which uses ping as part of its propagation
4) An attempted denial of service attack by machines or bots which have been told to saturate a network connection or interface.

It really depends what is flicking PC-cillin's switch in this respect and what is appropriate for your network. Have a look at the origins of the traffic - if you are a single PC connecting via a broadband connection then you are just registering ping-sweeps etc from the 'net. PC-cillin is dropping them and logging them which is good. You may be able to turn the logging of that off in the console.

As to NetBIOS browsing. Windows machines use NetBIOS and as part of Microsoft networking they browse for printers and shares and machines and directories and shared internet gateways etc etc etc. This is normal. The reason that firewalls don't like it is because NetBIOS is a very good protocol to use for hacking. Windows machines used to just listen on all these NetBIOS ports and that posed a solid security risk. Things are better with the newer versions of Windows but PC-cillin is just protecting you from unwanted probes. Again if these log entries are causing you problems then see if you can switch them off in the console.

Good luck - regards...


Accepted Solution

FlamingSword earned 20 total points
ID: 9614931
"What are they, where are these coming from and how much at risk am I?"

A "ping" is like a question: "Are you there?"

It is useful for mapping networking topology, and assessing uptime and even throughput for networking. Unfortunately, it has been put to bad use by some people of ill intent, who want to intrude upon computers of other people, where they first run a series of these "Are you there" simple questions to locate candidates for later use. Taking this a step further, the little ping command is so tiny, it is relatively easy to send many of them at a time. Unfortunately, when some devices receive too many pings, too many questions, they may have such a difficult time processing them that they fail. When such a quantity of pings is directed at a single target PC, we call this a "Ping Attack".

Also unfortunately, some software like firewalls, to improve upon their own product marketing, may label any quantity of pings as a ping attack, so it is difficult to assess what lies behind any such marketing claim without taking it a step further, such as by personally monitoring the logs made of such pings. If you do so and see thousands of them coming at you from a single address, then you can be more assured that someone is indeed attacking you. However, if you see only a few, then there should be less concern about that, for the product that is giving you such a warning is merely pointing out that it is functioning. You mention one product, an A/V, (separate field), which I know little about since it is so incompatible with my other products that I won't run it.

The "NetBIOS Browsing" is used for Windows to map drives. This is a very large open hole in Windows. NetBIOS was never intended to be used for internet access. It permits far too many vulnerabilities. For a good discussion, visit the GRC website. And make sure you are always updating Windows to close holes such as for RPC. See Microsoft about that. The warning about browsing for this is similar to the one about ping. Someone may just be running some "Are you there" process, and not really aware that people can consider this intrusive, or in fact that they are running it. Or they could be looking for candidates for exploitation, maybe only a local reporter running some survey.

"how much at risk am I?" + "records in the Firewall logs"

You should be at little risk at all if you have your firewall set up to not pass any of the NetBIOS ports. First step is really to close all ports as a default condition, then open them one at a time when you find an application needs it to run successfully. You might also decide to never respond to pings, which makes it look like you are down or broken. You may be invisible or stealthed. Not the best of all worlds, but it can reduce the number of repeats you get from people trying to count how many computers there are on the internet. Their numbers will of course be a little smaller than the reality of the 'net.

In short, with the little info you have provided, I'd have to say that you seem to be at little risk.
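
The log check suggested in the accepted answer (count pings per source address, and treat thousands from one address differently from a handful), as an added example that is not part of the original thread. The log line layout, the threshold of 1000 and all function names are assumptions; PC-cillin's real log format is not shown on this page, so adapt the regular expression to your product.

```python
import re
from collections import Counter

# Assumed line layout (NOT PC-cillin's real format): adapt the regex to your log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>ICMP|TCP|UDP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: (?:type=(?P<itype>\d+)|dport=(?P<dport>\d+)))?$"
)
NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram and session services
ECHO_REQUEST = 8                  # ICMP type of a ping ("Are you there?")

def summarize(log_text, flood_threshold=1000):
    """Count pings and NetBIOS probes per source address and label each pinger."""
    pings, netbios, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # unparseable line: count it, never guess
            continue
        if m["proto"] == "ICMP" and m["itype"] and int(m["itype"]) == ECHO_REQUEST:
            pings[m["src"]] += 1
        elif m["dport"] and int(m["dport"]) in NETBIOS_PORTS:
            netbios[m["src"]] += 1
    verdict = {src: ("possible flood" if n >= flood_threshold else "background probe")
               for src, n in pings.items()}
    return {"pings": pings, "netbios": netbios, "verdict": verdict, "skipped": skipped}

def build_sample():
    """Constructed log: a few stray pings, two NetBIOS probes, one 1500-ping source."""
    lines = [
        "2003-10-23 09:00:01 DROP ICMP src=198.51.100.7 dst=192.0.2.10 type=8",
        "2003-10-23 09:00:09 DROP ICMP src=198.51.100.7 dst=192.0.2.10 type=8",
        "2003-10-23 09:01:30 DROP ICMP src=203.0.113.44 dst=192.0.2.10 type=8",
        "2003-10-23 09:02:11 DROP UDP src=203.0.113.80 dst=192.0.2.10 dport=137",
        "2003-10-23 09:02:12 DROP TCP src=203.0.113.80 dst=192.0.2.10 dport=139",
        "2003-10-23 09:03:00 DROP TCP src=203.0.113.81 dst=192.0.2.10 dport=80",
        "garbled line",
    ]
    lines += ["2003-10-23 09:05:%02d DROP ICMP src=198.51.100.200 dst=192.0.2.10 type=8"
              % (i % 60) for i in range(1500)]
    return "\n".join(lines)

if __name__ == "__main__":
    report = summarize(build_sample())
    for src, n in report["pings"].most_common():
        print(f"{src:16} {n:5} pings  {report['verdict'][src]}")
```

Sources labelled "background probe" match the few-pings case the answer describes; only a source above the threshold merits a closer look.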

Expert Comment

ID: 9615011
Nice links, jvuz; ferg-o, I think we agree that there appears little for FrankPalmer to be concerned about.

Expert Comment

ID: 9618495

Definitely agreed - excellent description FlamingSword - would you mind if I used some of that for clients?

More and more we are going to see people asking these types of questions - as a security consultant I find it very hard to give explanations when I consider so much to be *a given*

Expert Comment

ID: 9623680
One thing,
Wannabe hackers (script kiddies) use ping to identify victims; a normal ping from one computer isn't doing any harm as long as you have a good firewall to disable all future attacks.
Ping uses TCP, so it's waiting for an answer before it sends another package. Which won't take your bandwidth too much.
If the script kiddie is sending UDP packages at you, you should be more concerned, because they don't wait until your computer answers, so it can easily take all your bandwidth.

A ping attack is only harmful if it's done by a DDoS attack; this means sending more packages than your download and upload can handle.

You might want to take a look at => so you can find out what a real DoS or DDoS attack is like.


p.s. DoS = Denial of Service
      DDoS = Distributed Denial of Service

Expert Comment

ID: 11497494
*** advertising removed by Netminder, Site Admin ***
