statestress (Premium, Mod; joined 2002-02-08):
Seeing similar probes

I started seeing something similar a few days ago, but hadn't had a chance to really dig into it. It was more of a nuisance than anything else, since 404s were being returned to the requester:
"GET http://mail2.663.com.cn/include/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b?hash=C690597E4C4742D24207D2D400500D1C8CD549FEF8BD HTTP/1.0"
The logs show somewhere in the neighborhood of 40-50 entries per day from this particular IP address, sequentially walking the IPs that were assigned to the machine, each GET request with its own unique hash.
After adding a rule to iptables I saw it send a dozen or so ping packets to see if the host was up:
... kernel: MAIL_RLY_TST : IN=eth0 ... SRC=222.216.28.135 ... PROTO=ICMP TYPE=0 CODE=0 ID=53782 SEQ=7
... kernel: MAIL_RLY_TST : IN=eth0 ... SRC=222.216.28.135 ... PROTO=ICMP TYPE=0 CODE=0 ID=53782 SEQ=8
And then nothing. So far. With so many script kiddies running what would appear to be "out-of-the-box" scripts against large netblocks, it sometimes makes me wonder if I should follow in the footsteps of CNN and the like and simply discard inbound ICMP requests.
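As an added example (not code from this thread), a small Python script that parses iptables kernel log lines carrying the MAIL_RLY_TST prefix, groups them per source, and flags a source that walks consecutive local addresses the way the post describes; it also recognises an absolute-URI request for prx.php as an open-proxy probe. The log lines, the addresses and the request line are constructed, not taken from the poster's logs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the shape of the MAIL_RLY_TST kernel log
# entries; the addresses are documentation ranges, not real hosts.
KERNEL_LOG = """\
kernel: MAIL_RLY_TST : IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=4411 DPT=80
kernel: MAIL_RLY_TST : IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=4412 DPT=80
kernel: MAIL_RLY_TST : IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=60 PROTO=TCP SPT=4413 DPT=80
kernel: MAIL_RLY_TST : IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: MAIL_RLY_TST : IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=5000 DPT=80
"""
# Constructed access-log request line in the shape of the prx.php probe.
PROBE_REQUEST = "GET http://mail.example.invalid/include/prx.php?p=abc&hash=DEADBEEF HTTP/1.0"

LOG_RE = re.compile(r"MAIL_RLY_TST : .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+)")
# A proxy-style GET: absolute URI for a host we do not serve, asking for prx.php.
PROBE_RE = re.compile(r"^GET https?://[^/\s]+/\S*prx\.php", re.IGNORECASE)


def is_open_proxy_probe(request_line: str) -> bool:
    """True when the client asks this server to fetch prx.php from another host."""
    return PROBE_RE.match(request_line) is not None


def summarize(log_text: str) -> dict:
    """Per source IP: local addresses touched, hits by protocol, and whether
    the touched addresses form one contiguous run (a sequential walk)."""
    hits = defaultdict(lambda: {"dsts": set(), "protos": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto = m.groups()
        hits[src]["dsts"].add(int(ipaddress.ip_address(dst)))
        hits[src]["protos"][proto] += 1
    report = {}
    for src, h in hits.items():
        addrs = sorted(h["dsts"])
        # Three or more distinct targets with no gaps between them.
        walk = len(addrs) >= 3 and addrs[-1] - addrs[0] == len(addrs) - 1
        report[src] = {
            "targets": [str(ipaddress.ip_address(a)) for a in addrs],
            "protos": dict(h["protos"]),
            "sequential_walk": walk,
        }
    return report
```

The lazy `.*?` between DST and PROTO skips the LEN/TOS/TTL fields real netfilter log lines carry, so the same regex works on unelided output.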
Think twice before dropping traffic. I'm just a home user, but I have a pretty good-sized network I experiment with here (15 machines +/-). I run zero externally accessible services, but I'm on a cable modem and live in LA. The number of attacks is hard to believe (I average anywhere between one every 3 to 10 seconds). I used to just drop it all, but I found when I rejected everything instead, the number of attacks dropped by about 70%. I run strict rate limits on the rejections so no one can get much benefit from using my address as part of a reverse DDoS, but I haven't seen that even tried, yet (using my address anyway).
The only explanation I can come up with is that the automated attacks move on when they get a rejection, but try a few more times if nothing comes back, possibly hoping that the lack of a rejection indicates other "misconfigurations". RoadRunner's ARP blasters pretty much tell anyone with a clue what IPs are in use at any time.