Kitz ADSL Broadband Information
Author Topic: Ping of Death..  (Read 6145 times)

8062282

  • Member
  • **
  • Posts: 64
Ping of Death..
« on: September 29, 2019, 08:28:37 PM »

Hi - Can anybody advise if this would be a valid IP address doing a Ping of Death. Do they still do these DoS attacks?


Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007
Logged
Honesty is the first chapter in the book of wisdom...

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: Ping of Death..
« Reply #1 on: September 29, 2019, 10:55:26 PM »

Quote from: 8062282
Hi - Can anybody advise if this would be a valid IP address doing a Ping of Death. Do they still do these DoS attacks?


Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007

Looking at that, it looks like it's your own LAN host 192.168.1.9 that is doing the pinging.

Notice it says the traffic is coming from the br0 interface (the LAN) on the router and going OUT of ppp (the WAN).
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Ping of Death..
« Reply #2 on: September 30, 2019, 01:38:41 AM »

The "DST=194.150.176.123" is interesting. It is not 8062282's current IPv4 address but one belonging to Lancashire County Council.

Puzzling.  ???
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

banger

  • Kitizen
  • ****
  • Posts: 1186
  • TTB 80/20
Re: Ping of Death..
« Reply #3 on: September 30, 2019, 02:16:36 AM »

Bot hijack?
Logged
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

8062282

  • Member
  • **
  • Posts: 64
Re: Ping of Death..
« Reply #4 on: September 30, 2019, 07:12:41 AM »

Hi - I checked the IP & thought it was strange it was coming from the council. Hence me asking if it was a valid IP address. Thinking on, could it be some person sat in a library using the public computers?


Logged
Honesty is the first chapter in the book of wisdom...

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Ping of Death..
« Reply #5 on: September 30, 2019, 07:15:30 AM »

Is it genuine, not a spoofed source IP address?

Responsible ISPs are supposed to implement BCP 38 to check for and prevent packets with spoofed source addresses from entering their networks. So that badness should not be happening nowadays if the word is getting through. I certainly do BCP 38 checking myself; I don’t allow packets to go out of my network if they have bogus source addresses, and I bin anything coming in if the source or dest address is obviously wrong in one of various ways. (This is OTT paranoia on my part, as my ISP does, I’m sure, do these checks anyway, but I don’t want to pay the costs of any junk traffic if it can be avoided.)
« Last Edit: September 30, 2019, 07:25:05 AM by Weaver »
Logged
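
The source-address checks described in the post above, sketched as an added example (not part of the thread and not any poster's configuration). The prefix `198.51.100.0/28` and the short bogon list are assumptions chosen for illustration.

```python
import ipaddress

# Assumptions for this example: a site that owns one routed prefix (taken from
# a documentation range) and a short bogon list; real filters use fuller lists.
MY_PREFIXES = [ipaddress.ip_network("198.51.100.0/28")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def _in(addr, nets):
    """True if the address string falls inside any of the given networks."""
    return any(ipaddress.ip_address(addr) in n for n in nets)


def egress_ok(src):
    """BCP 38 on the way out: only forward packets sourced from our prefixes."""
    return _in(src, MY_PREFIXES)


def ingress_ok(src, dst):
    """On the way in: drop packets whose addresses cannot be right."""
    if _in(src, MY_PREFIXES):      # claims to be one of ours but arrives from outside
        return False
    if _in(src, BOGONS):           # never a valid source on the public Internet
        return False
    return _in(dst, MY_PREFIXES)   # anything not addressed to us is dropped


if __name__ == "__main__":
    print(egress_ok("198.51.100.5"), egress_ok("192.168.1.9"))
    print(ingress_ok("194.150.176.123", "198.51.100.5"),
          ingress_ok("10.1.2.3", "198.51.100.5"))
```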

8062282

  • Member
  • **
  • Posts: 64
Re: Ping of Death..
« Reply #6 on: September 30, 2019, 07:17:28 AM »

Hi - I have no idea. I know a lot of things can be hidden or changed. Strange it’s my own council.
Logged
Honesty is the first chapter in the book of wisdom...

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Ping of Death..
« Reply #7 on: September 30, 2019, 07:29:11 AM »

I think it's more likely that something in your LAN was doing a traceroute (on Windows, using ICMP) to that IP address. That would explain the outbound direction and the low TTL. The detection as a "ping of death attack" is a false positive.
Logged
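
The reading of the log line given in replies #1 and #7 (LAN to WAN direction, low TTL, small packet), written out as an added triage example that is not part of the thread or the router's firmware. The interface prefixes, the TTL cut-off and the "MF"/"FRAG:" fragment markers (as in the netfilter LOG format) are assumptions, and the second sample line is constructed.

```python
import ipaddress
import re

# The alert quoted in the thread, and a constructed inbound fragment for contrast.
THREAD_LINE = ("Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 "
               "DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP "
               "TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007")
CONSTRUCTED = ("Ping of Death Attack: IN=ppp1.1 OUT= SRC=203.0.113.7 "
               "DST=198.51.100.2 LEN=1500 TTL=52 ID=4242 MF FRAG:8095 PROTO=ICMP")

LAN_PREFIXES = ("br",)    # assumption: bridge = LAN side, as in IN=br0
WAN_PREFIXES = ("ppp",)   # assumption: PPP = WAN side, as in OUT=ppp1.1
LOW_TTL = 30              # assumed cut-off; common initial TTLs are 64, 128, 255
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Return the KEY=VALUE fields of a netfilter-style log line as a dict."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def triage(line):
    """Classify one alert line; returns (verdict, notes)."""
    f = parse(line)
    src = ipaddress.ip_address(f["SRC"])
    notes = []
    outbound = (f.get("IN", "").startswith(LAN_PREFIXES)
                and f.get("OUT", "").startswith(WAN_PREFIXES))
    local_src = any(src in net for net in RFC1918)
    if outbound and local_src:
        notes.append(f"LAN->WAN: sent by local host {src}, not an inbound attack")
    # A Ping of Death needs fragments that reassemble past 65535 bytes.
    # Assumption: fragments are marked "MF"/"FRAG:" as in the netfilter LOG format.
    fragmented = " MF " in line or "FRAG:" in line
    if not fragmented:
        notes.append(f"unfragmented, LEN={f['LEN']}: cannot exceed 65535 bytes")
    echo_probe = (f.get("PROTO") == "ICMP" and f.get("TYPE") == "8"
                  and int(f["TTL"]) <= LOW_TTL)
    if echo_probe:
        notes.append(f"echo request with TTL={f['TTL']}: traceroute-style probe")
    if outbound and local_src and not fragmented:
        return "likely false positive", notes
    return "needs review", notes


if __name__ == "__main__":
    for sample in (THREAD_LINE, CONSTRUCTED):
        print(*triage(sample))
```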

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Ping of Death..
« Reply #8 on: September 30, 2019, 04:55:37 PM »

Quote from: 8062282
. . . it was coming from the council. Hence me asking if it was a valid IP address. Thinking on, could it be some person sat in a library using the public computers?

No, you've got that inverted. It is originating on your LAN and going to the local council.

I think ejs has proposed the most likely scenario.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


8062282

  • Member
  • **
  • Posts: 64
Re: Ping of Death..
« Reply #9 on: October 01, 2019, 08:29:04 PM »

Quote from: burakkucat
No, you've got that inverted. It is originating on your LAN and going to the local council.

I think ejs has proposed the most likely scenario.


Is that bad? Should I be worried?
Logged
Honesty is the first chapter in the book of wisdom...

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Ping of Death..
« Reply #10 on: October 01, 2019, 10:57:40 PM »

Quote from: 8062282
Is that bad? Should I be worried?

No, please don't worry about it.

From my "poking about", starting with the destination IPv4 address that you showed, it is clear that someone very local to you (if it wasn't you), using a device connected to your LAN, had performed a speed test to an Ookla server based in Preston.

It is unfortunate that your modem/router sees the (legitimate) traffic and classifies it as a "Ping of Death", thus ensuring that one (or more) entry(ies) are logged.

I see a similar effect when I am connected to an IRC server. My ZyXEL VMG1312-B10A logs it as "SYN Flooding" and so I have become accustomed to seeing the warnings when I review the logfile, daily.

A four word summary: You are not alone.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


8062282

  • Member
  • **
  • Posts: 64
Re: Ping of Death..
« Reply #11 on: October 02, 2019, 06:01:06 AM »

Thanks B*cat. I do do the odd speed test so that answers that question 😄
Logged
Honesty is the first chapter in the book of wisdom...

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Ping of Death..
« Reply #12 on: October 02, 2019, 04:16:11 PM »

Some routers are so aggressive on anti-DDoS, e.g. on FRITZ!Boxes it was known that if you enabled their anti-DDoS (on by default), it would rate limit the TBB monitor pings.

There is even a discussion on OpenWrt right now where someone has picked up that there are rate limit rules set by default that date back to ADSL days and can be hit with normal traffic loads in 2019. Generally I suggest disabling anti-DDoS type protections on routers; just make sure the basic default deny firewall is enabled.
Logged

8062282

  • Member
  • **
  • Posts: 64
Re: Ping of Death..
« Reply #13 on: October 03, 2019, 07:51:46 PM »

Quote from: Chrysalis
Some routers are so aggressive on anti-DDoS, e.g. on FRITZ!Boxes it was known that if you enabled their anti-DDoS (on by default), it would rate limit the TBB monitor pings.

There is even a discussion on OpenWrt right now where someone has picked up that there are rate limit rules set by default that date back to ADSL days and can be hit with normal traffic loads in 2019. Generally I suggest disabling anti-DDoS type protections on routers; just make sure the basic default deny firewall is enabled.


Thanks for that. I'll have a poke about in my settings..
Logged
Honesty is the first chapter in the book of wisdom...

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Ping of Death..
« Reply #14 on: October 03, 2019, 10:17:03 PM »

Quote from: 8062282
Thanks for that. I'll have a poke about in my settings..

You are beginning to show a "curious kitteh" tendency!  :D

Have you previously mentioned the make & model of your modem/router? . . . I can't remember . . . If yes, I'm sure that someone will be able to tell you exactly where to find the configuration option.

Edited to add: Ah, I see it is a ZyXEL VMG8924-B10A --

Quote
I'm on my 3rd modem. I had a Billion 7800DXL on ADSL & continued to use that when I was on BT ADSL. I then got a VMG3925-10B & now I'm using a VMG8924-B10A.

So login as "admin" (or "supervisor"), then take the "Security >>> Firewall >>> DoS" route and toggle the setting(s).
« Last Edit: October 03, 2019, 10:27:22 PM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
