Is this actually a DOS attack?

The Netgear security log shows normal traffic for most of the day, but occasionally it shows a burst of activity like this (I have changed the destination address to xxx.xxx.xxx.xxx for privacy purposes):

Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:205.234.160.30 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:77.67.121.84 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:4.79.66.195 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:4.78.240.103 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:216.218.219.38 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:64.152.34.33 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:08 - ICMP Packet - Source:216.112.33.75 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:08 - ICMP Packet - Source:77.67.121.84 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:08 - ICMP Packet - Source:4.79.66.195 Destination:xxx.xxx.xxx - [DOS]
Fri, 2008-02-01 10:29:08 - ICMP Packet - Source:38.99.9.25 Destination:xxx.xxx.xxx - [DOS]

This normally lasts for 10-15 seconds, during which we may receive hundreds of ICMP packets. It does not happen every day, although it can happen up to a dozen times a day at random times. The source IP addresses appear to be located all over the world, certainly not places that we have any dealings with.

Is this actually a DOS attack, or could it be something else? The Netgear router appears to be stopping the traffic, so should we be worried? Is there anything we can do to prevent this?

Sorry about the multiple questions in one, they are all closely related though :)
ScorpioUltima Asked:

DCenaculo Commented:
It seems to me that it really is a DOS. Something like this: someone makes a list of internet routers, then asks them something, modifying the source IP address and putting in yours. All those routers will answer to you instead of the guy who made the requests. All that traffic may cause a DOS on your internet link. I think that your firewall is doing its work well and that you should not be worried about that.

I did a ping to every IP address you've listed and all of them replied. I think they are being used by someone to bother others.

I think there's nothing you can do to prevent this besides getting a new link to the internet and having it ready to turn on in case this one is attacked with a much bigger list of IPs. That internet backup link should have a different IP address.
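As an added example (not code from the thread), a small parser for the Netgear log format pasted in the question, which splits the entries into bursts and flags the many-sources-with-none-dominating pattern this answer describes. The first burst reuses six lines from the question, the second is constructed with a TEST-NET-2 address, and the thresholds (at least 5 sources, under 50% of packets from any one source) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Netgear security-log line format, as pasted in the question above
LINE_RE = re.compile(r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - ICMP Packet - "
                     r"Source:(?P<src>[\d.]+) Destination:\S+ - \[DOS\]$")

def parse(lines):
    """Return (timestamp, source_ip) pairs, oldest first, for lines matching LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]))
    return sorted(events)

def bursts(events, max_gap_s=2):
    """Group events into bursts; a silence longer than max_gap_s starts a new burst."""
    groups = []
    for ev in events:
        if groups and (ev[0] - groups[-1][-1][0]).total_seconds() <= max_gap_s:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def describe(burst):
    """Many sources with none dominating = the reflection pattern from the answer above."""
    per_src = Counter(src for _, src in burst)
    top_share = max(per_src.values()) / len(burst)  # assumed thresholds below
    kind = "distributed (reflection-like)" if len(per_src) >= 5 and top_share < 0.5 else "single-source flood"
    return {"packets": len(burst), "seconds": (burst[-1][0] - burst[0][0]).total_seconds(),
            "sources": len(per_src), "kind": kind}

# Burst 1: six lines from the question. Burst 2: constructed for this example (TEST-NET-2 address).
SAMPLE_LOG = [
    "Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:205.234.160.30 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:77.67.121.84 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:4.79.66.195 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 10:29:07 - ICMP Packet - Source:4.78.240.103 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 10:29:08 - ICMP Packet - Source:216.112.33.75 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 10:29:08 - ICMP Packet - Source:38.99.9.25 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 11:05:40 - ICMP Packet - Source:198.51.100.7 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 11:05:40 - ICMP Packet - Source:198.51.100.7 Destination:xxx.xxx.xxx - [DOS]",
    "Fri, 2008-02-01 11:05:41 - ICMP Packet - Source:198.51.100.7 Destination:xxx.xxx.xxx - [DOS]",
]

for i, b in enumerate(bursts(parse(SAMPLE_LOG)), 1):
    print(f"burst {i}: {describe(b)}")
```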

DCenaculo Commented:
It only gives you the source IP? What about the source port?

DCenaculo Commented:
Without getting into vendor specifics, disable IP-directed broadcasts on all of your routers to keep your network healthy. Letting traceroute, ping, or any of the other ICMP messages into and through your network from the Internet is an invitation for network mapping, and it could lead to an attack.

You can protect your network from attack by implementing three simple network rules:

Allow ping: ICMP Echo-Request outbound and Echo-Reply messages inbound.
Allow traceroute: TTL-Exceeded and Port-Unreachable messages inbound.
Allow path MTU: ICMP Fragmentation-DF-Set messages inbound.

ScorpioUltima (Author) Commented:
Thanks for the replies :)

The data was copy/pasted from the log itself; there is no source port being captured. Unfortunately the Netgear is a home/small business device and does not support much in the way of rules; I believe all it offers is port forwarding. The default setting is to allow all outbound and block all inbound, but I have opened specific ports 25 (the client has an Exchange server), 80, 443 and 3389 for specific purposes.

Press2Esc Commented:
You are not getting a Denial of Service - you are having others PING your IP address... Perhaps they are looking to do your network harm. If you turn your router's PING (ICMP) off, the data will go away... Looks like you have a webserver running on your network - check the log files and verify the webserver is not having any probs running..

P2E

DCenaculo Commented:
You cannot turn off ICMP on your routers. ICMP has a lot of commands. For instance, if any router on the internet is sending too much information to your router, your router will send (or receive, if the problem is your router sending too much information to the others) an ICMP source quench to the other router so that information will not be lost. This is only one example. Do not turn off ICMP; you may turn off some ICMP commands.

Please feel free to ask anything else, if you need more help.

DCenaculo Commented:
Ping uses the ICMP Echo Request and ICMP Echo Reply commands. I suggested in my second comment:

Allow ping: ICMP Echo-Request outbound and Echo-Reply messages inbound.
This way you can ping the others, but they cannot ping you. It's a good security practice.

Please feel free to ask anything else, if you need more help.

Press2Esc Commented:
I re-read the posting and, with the noted frequency and duration of ICMP hits showing, I have to change my mind - I do believe it is a DoS attack. To avoid the potential of further (i.e. deeper) probes into your network, I suggest turning off your ICMP/PING via the Netgear router's maintenance page...

Check under firewall/access/services; you can uncheck the "Ping" box next to the router's IP address (192.168.0.1) in the "Public LAN Server" address. Also, check in the "Wan Setup" section and see if "Respond to ping on internet port" is unchecked. Basically, as far as the internet is concerned, your network will appear to be offline. The Ping/ICMP (bots, scripts, etc.) inquiries will stop because - according to the PING response - your "network" is no longer online...

DC, I have yet to access any SOHO or commercial router that did not have a feature to control ICMP data. As mentioned above, this fact is commonly used to make the router, and the respective network behind it, stealthy to WAN traffic.

P2E

kenvac Commented:
This is called ICMP package flooding... disable ICMP package. By doing so it will also disable the ping command.