

What is a Ping Attack?

Posted on 2003-10-23
Medium Priority
Last Modified: 2008-03-10
I use PC-Cillin and it registers a huge number of "Ping Attacks" and a lot of "NetBIOS Browsing" records in the Firewall logs. These start almost from the instant I go on-line. What are they, where are these coming from and how much at risk am I? Thanks, Francois
Question by: FrankPalmer

Expert Comment

ID: 9612714

"Ping attacks" can be several things:

1) A malformed or over/undersized ping packet designed to cause damage
2) A lot of ping traffic in the form of noise on your network generated by users and applications (common on a large enterprise network...) which register a positive on the firewall or IDS
3) A worm like Nachi which uses ping as part of its propagation
4) An attempted denial of service attack whereby machines or bots have been told to saturate a network connection or interface.

It really depends what is flicking PC-cillin's switch in this respect and what is appropriate for your network. Have a look at the origins of the traffic - if you are a single PC connecting via a broadband connection then you are just registering ping-sweeps etc from the 'net. PC-cillin is dropping them and logging them which is good. You may be able to turn the logging of that off in the console.

As to NetBIOS browsing. Windows machines use NetBIOS and as part of Microsoft networking they browse for printers and shares and machines and directories and shared internet gateways etc etc etc. This is normal. The reason that firewalls don't like it is because NetBIOS is a very good protocol to use for hacking. Windows machines used to just listen on all these NetBIOS ports and that posed a solid security risk. Things are better with the newer versions of Windows but PC-cillin is just protecting you from unwanted probes. Again if these log entries are causing you problems then see if you can switch them off in the console.

Good luck - regards...


Accepted Solution

FlamingSword earned 80 total points
ID: 9614931
"What are they, where are these coming from and how much at risk am I?"

A "ping" is like a question: "Are you there?"

It is useful for mapping networking topology, and assessing uptime and even throughput for networking. Unfortunately, it has been put to bad use by some people of ill intent, who want to intrude upon computers of other people, where they first run a series of these "Are you there" simple questions to locate candidates for later use. Taking this a step further, the little ping command is so tiny, it is relatively easy to send many of them at a time. Unfortunately, when some devices receive too many pings, too many questions, they may have such a difficult time processing them that they fail. When the quantity of pings directed at a single target PC, we call this a "Ping Attack".

Also unfortunately, some softwares like firewalls, to improve upon their own product marketing, may label any quantity of pings as a ping attack, so it is difficult to assess what lies behind any such marketing claim without taking it a step further, such as by personally monitoring the logs made of such pings. If you do so and see thousands of them coming at you from a single address, then you can be more assured that someone is indeed attacking you. However, if you see only a few, then there should be less concern about that, for the product that is giving you such a warning is merely pointing out that it is functioning. You mention one product, an A/V, (separate field), which I know little about since it is so incompatible with my other products that I won't run it.

The "NetBIOS Browsing" is used for Windows to map drives. This is a very large open hole in Windows. NetBIOS was never intended to be used for internet access. It permits far too many vulnerabilities. For a good discussion, visit the GRC website. And make sure you are always updating Windows to close holes such as for RPC. See Microsoft about that. The warning about browsing for this is similar to the one about ping. Someone may just be running some "Are you there" process, and not really aware that people can consider this intrusive, or in fact that they are running it. Or they could be looking for candidates for exploitation, maybe only a local reporter running some survey.

"how much at risk am I?" + "records in the Firewall logs"

You should be at little risk at all if you have your firewall set up to not pass any of the NetBIOS ports. First step is really to close all ports as a default condition, then open them one at a time when you find an application needs it to run successfully. You might also decide to never respond to pings, which makes it look like you are down or broken. You may be invisible or stealthed. Not the best of all worlds, but it can reduce the number of repeats you get from people trying to count how many computers there are on the internet. Their numbers will of course be a little smaller than the reality of the 'net.

In short, with the little info you have provided, I'd have to say that you seem to be at little risk.
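
The log check described in the accepted answer (thousands of pings from a single address versus a few scattered ones) can be scripted. The following is an added example, not part of the original answer: the log line format, the threshold of 1000 and all addresses are constructed assumptions and do not reflect PC-cillin's real log layout.

```python
import re
from collections import Counter

# Constructed log format (an assumption, not PC-cillin's real one):
#   <date> <time> <action> <proto> <src> -> <dst>[:<dport>] [type=<icmp type>]
LINE = re.compile(
    r"^\S+ \S+ (?:DROP|ALLOW) (?P<proto>ICMP|UDP|TCP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> [\d.]+(?::(?P<dport>\d+))?"
    r"(?: type=(?P<itype>\d+))?$"
)
NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram and session services
FLOOD_THRESHOLD = 1000            # assumed cut-off for "thousands from a single address"

def triage(lines, flood_threshold=FLOOD_THRESHOLD):
    """Count echo requests and NetBIOS probes per source address."""
    pings, netbios, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            skipped += 1              # unparseable line: count it, never guess
        elif m["proto"] == "ICMP":
            if m["itype"] == "8":     # type 8 = echo request; replies (type 0) are ignored
                pings[m["src"]] += 1
        elif m["dport"] and int(m["dport"]) in NETBIOS_PORTS:
            netbios[m["src"]] += 1
    return {
        "flood": {s: n for s, n in pings.items() if n >= flood_threshold},
        "background": {s: n for s, n in pings.items() if n < flood_threshold},
        "netbios": dict(netbios),
        "skipped": skipped,
    }

def sample_log():
    """Constructed sample: one noisy source plus ordinary Internet background."""
    log = [f"2003-10-23 09:{i // 60 % 60:02d}:{i % 60:02d} DROP ICMP 192.0.2.10 -> 198.51.100.5 type=8"
           for i in range(2500)]
    log += [
        "2003-10-23 09:50:01 DROP ICMP 203.0.113.7 -> 198.51.100.5 type=8",
        "2003-10-23 09:50:09 DROP ICMP 203.0.113.7 -> 198.51.100.5 type=8",
        "2003-10-23 09:51:30 DROP ICMP 203.0.113.99 -> 198.51.100.5 type=8",
        "2003-10-23 09:52:00 ALLOW ICMP 192.0.2.77 -> 198.51.100.5 type=0",
        "2003-10-23 09:52:11 DROP UDP 203.0.113.7 -> 198.51.100.5:137",
        "2003-10-23 09:52:40 DROP TCP 203.0.113.50 -> 198.51.100.5:139",
        "2003-10-23 09:53:02 DROP TCP 203.0.113.50 -> 198.51.100.5:80",
        "-- log rotated --",
    ]
    return log

if __name__ == "__main__":
    print(triage(sample_log()))
```

Sources listed under `flood` match the "thousands from a single address" case; everything under `background` and `netbios` is the low-volume probing that a firewall dropping the traffic already handles.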


Expert Comment

ID: 9615011
Nice links, jvuz; ferg-o, I think we agree that there appears little for FrankPalmer to be concerned about.

Expert Comment

ID: 9618495

Definitely agreed - excellent description FlamingSword - would you mind if I used some of that for clients?

More and more we are going to see people asking these types of questions - as a security consultant I find it very hard to give explanations when I consider so much to be *a given*.


Expert Comment

ID: 9623680
One thing,
wannabe hackers (script kiddies) use ping to identify victims, a normal ping from one computer isn't doing any harm as long as you have a good firewall to disable all future attacks.
Ping uses TCP, so it's waiting for an answer before it sends another package. Which won't take your bandwidth too much.
If the script kiddie is sending UDP packages at you you should be more concerned, because they don't wait until your computer answers, so it can easily take all your bandwidth.

A ping attack is only harmful if it's done by a DDoS attack, this means sending more packages than your download and upload can handle.

You might want to take a look at => http://grc.com/dos/grcdos.htm so you can find out what a real DoS or DDoS attack is like.


p.s. DoS = Denial of Service
      DDoS = Distributed Denial of Service
