What is a Ping Attack?

I use PC-Cillin and it registers a huge number of "Ping Attacks" and a lot of "NetBIOS Browsing" records in the Firewall logs. These start almost from the instant I go on-line. What are they, where are these coming from and how much at risk am I? Thanks, Francois


"Ping attacks" can be several things:

1) A malformed or over/undersized ping packet designed to cause damage
2) A lot of ping traffic in the form of noise on your network generated by users and applications (common on a large enterprise network...) which register a positive on the firewall or IDS
3) A worm like Nachi which uses ping as part of its propagation
4) An attempted denial of service attack whereby machines or bots have been told to saturate a network connection or interface.

It really depends what is flicking PC-cillin's switch in this respect and what is appropriate for your network. Have a look at the origins of the traffic - if you are a single PC connecting via a broadband connection then you are just registering ping-sweeps etc from the 'net. PC-cillin is dropping them and logging them which is good. You may be able to turn the logging of that off in the console.

As to NetBIOS browsing. Windows machines use NetBIOS and as part of Microsoft networking they browse for printers and shares and machines and directories and shared internet gateways etc etc etc. This is normal. The reason that firewalls don't like it is because NetBIOS is a very good protocol to use for hacking. Windows machines used to just listen on all these NetBIOS ports and that posed a solid security risk. Things are better with the newer versions of Windows but PC-cillin is just protecting you from unwanted probes. Again if these log entries are causing you problems then see if you can switch them off in the console.

Good luck - regards...

"What are they, where are these coming from and how much at risk am I?"

A "ping" is like a question: "Are you there?"

It is useful for mapping networking topology, and assessing uptime and even throughput for networking. Unfortunately, it has been put to bad use by some people of ill intent, who want to intrude upon computers of other people, where they first run a series of these "Are you there" simple questions to locate candidates for later use. Taking this a step further, the little ping command is so tiny, it is relatively easy to send many of them at a time. Unfortunately, when some devices receive too many pings, too many questions, they may have such a difficult time processing them that they fail. When such a quantity of pings is directed at a single target PC, we call this a "Ping Attack".

Also unfortunately, some software like firewalls, to improve upon their own product marketing, may label any quantity of pings as a ping attack, so it is difficult to assess what lies behind any such marketing claim without taking it a step further, such as by personally monitoring the logs made of such pings. If you do so and see thousands of them coming at you from a single address, then you can be more assured that someone is indeed attacking you. However, if you see only a few, then there should be less concern about that, for the product that is giving you such a warning is merely pointing out that it is functioning. You mention one product, an A/V, (separate field), which I know little about since it is so incompatible with my other products that I won't run it.

The "NetBIOS Browsing" is used for Windows to map drives. This is a very large open hole in Windows. NetBIOS was never intended to be used for internet access. It permits far too many vulnerabilities. For a good discussion, visit the GRC website. And make sure you are always updating Windows to close holes such as for RPC. See Microsoft about that. The warning about browsing for this is similar to the one about ping. Someone may just be running some "Are you there" process, and not really aware that people can consider this intrusive, or in fact that they are running it. Or they could be looking for candidates for exploitation, maybe only a local reporter running some survey.

"how much at risk am I?" + "records in the Firewall logs"

You should be at little risk at all if you have your firewall set up to not pass any of the NetBIOS ports. First step is really to close all ports as a default condition, then open them one at a time when you find an application needs it to run successfully. You might also decide to never respond to pings, which makes it look like you are down or broken. You may be invisible or stealthed. Not the best of all worlds, but it can reduce the number of repeats you get from people trying to count how many computers there are on the internet. Their numbers will of course be a little smaller than the reality of the 'net.

In short, with the little info you have provided, I'd have to say that you seem to be at little risk.
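The log check described in the answer above (thousands of pings from a single address versus only a few), as an added example that is not part of the original thread. The log line layout, the addresses and the 1000-per-minute threshold are assumptions made for illustration; PC-cillin's real log format is not shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log layout: "<date> <time> DROP ICMP echo-request src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP ICMP echo-request "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"

def classify(lines, window=timedelta(minutes=1), flood_threshold=1000):
    """Map each source to (total pings, peak pings in any window, verdict)."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # non-ICMP entries (e.g. NetBIOS probes) are skipped
            seen[m["src"]].append(datetime.strptime(m["ts"], TS_FMT))
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        verdict = "sustained flood" if peak >= flood_threshold else "background probe"
        report[src] = (len(stamps), peak, verdict)
    return report

def constructed_sample():
    """Constructed data: five one-off probes plus one source sending 3000 pings in a minute."""
    base = datetime(2004, 3, 1, 10, 0, 0)
    row = "{} DROP ICMP echo-request src={} dst=192.0.2.10"
    lines = [row.format((base + timedelta(minutes=7 * i)).strftime(TS_FMT),
                        f"198.51.100.{i + 1}") for i in range(5)]
    lines += [row.format((base + timedelta(milliseconds=20 * i)).strftime(TS_FMT),
                         "203.0.113.9") for i in range(3000)]
    lines.append("2004-03-01 10:05:00 DROP UDP src=198.51.100.1 dst=192.0.2.10 dport=137")
    return lines

if __name__ == "__main__":
    for src, (total, peak, verdict) in sorted(classify(constructed_sample()).items()):
        print(f"{src:15} total={total:5} peak/min={peak:5} {verdict}")
```

Counting the peak per window rather than the raw total keeps a source that pings a few times a day for weeks from being reported the same way as one that sends thousands in a minute.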


Nice links, jvuz; ferg-o, I think we agree that there appears little for FrankPalmer to be concerned about.

Definitely agreed - excellent description FlamingSword - would you mind if I used some of that for clients?

More and more we are going to see people asking these types of questions - as a security consultant I find it very hard to give explanations when I consider so much to be *a given*

Luc Franken, EMEA Server Engineer, commented:
One thing,
wannabe hackers (script kiddies) use ping to identify victims, a normal ping from one computer isn't doing any harm as long as you have a good firewall to disable all future attacks.
Ping uses TCP, so it's waiting for an answer before it sends another package. Which won't take your bandwidth too much.
If the script kiddie is sending UDP packages at you you should be more concerned, because they don't wait until your computer answers, so it can easily take all your bandwidth.

A ping attack is only harmful if it's done by a DDoS attack, this means sending more packages than your download and upload can handle.

You might want to take a look at => http://grc.com/dos/grcdos.htm so you can find out what a real DoS or DDoS attack is like.


p.s. DoS = Denial of Service
      DDoS = Distributed Denial of Service
*** advertising removed by Netminder, Site Admin ***