Forums » Probing for open proxies with CONNECT » Seeing similar probes


state
stress magnet
Premium,Mod
join:2002-02-08
Hampton, VA
Seeing similar probes

I started seeing something similar a few days ago, but hadn't had a chance to really dig into it - it was more of a nuisance than anything else since 404s were being returned to the requester:


The logs show somewhere in the neighborhood of 40-50 entries per day from this particular IP address, sequentially walking the IPs that were assigned to the machine - each GET request with its own unique hash.

After adding a rule to iptables I saw it send a dozen or so ping packets to see if the host was up:


And then nothing. So far. With so many script kiddies running what would appear to be "out-of-the-box" scripts against large netblocks, it sometimes makes me wonder if I should follow in the footsteps of CNN and the like and simply discard inbound ICMP requests..

mikenolan7
Premium
join:2005-06-07
Torrance, CA

Think twice before dropping traffic. I'm just a home user, but I have a pretty good-sized network I experiment with here (15 machines +/-). I run zero externally accessible services, but I'm on a cable modem and live in LA. The number of attacks is hard to believe (I average anywhere between one every 3 to 10 seconds). I used to just drop it all, but I found when I rejected everything instead, the number of attacks dropped by about 70%. I run strict rate limits on the rejections so no one can get much benefit from using my address as part of a reverse DDOS, but I haven't seen that even tried, yet (using my address anyway).

The only explanation I can come up with is that the automated attacks move on when they get a rejection, but try a few more times if nothing comes back - possibly hoping that the lack of a rejection indicates other "misconfigurations". RoadRunner's ARP blasters pretty much tell anyone with a clue what IPs are in use at any time.
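
The rate-limited rejection described in the post above, written as an iptables ruleset (an added example, not either poster's actual configuration). The chain name REJECT_LIMITED, the 5/second rate and the burst of 10 are assumed values, and the ruleset assumes a host that offers no inbound services.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that answers unsolicited
# inbound traffic with a rejection, but caps how many rejections are sent.
# REJ_RATE, REJ_BURST and the chain name REJECT_LIMITED are assumed values.

REJ_RATE="${REJ_RATE:-5/second}"   # assumed cap on rejections per protocol
REJ_BURST="${REJ_BURST:-10}"       # assumed burst allowance

build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:REJECT_LIMITED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT_LIMITED
-A REJECT_LIMITED -p tcp -m limit --limit $REJ_RATE --limit-burst $REJ_BURST -j REJECT --reject-with tcp-reset
-A REJECT_LIMITED -p udp -m limit --limit $REJ_RATE --limit-burst $REJ_BURST -j REJECT --reject-with icmp-port-unreachable
-A REJECT_LIMITED -j DROP
COMMIT
EOF
}
# Rule order matters: a packet that exceeds the limit does not match the
# REJECT rule, so it falls through to the final DROP. That keeps the number
# of replies sent to spoofed source addresses bounded. Other protocols,
# including unsolicited ICMP echo requests, also reach the final DROP here.

# Default: print the ruleset. "check" parses it without committing,
# "apply" loads it and replaces the current filter table (both need root).
case "${1:-print}" in
    check) build_rules | iptables-restore --test ;;
    apply) build_rules | iptables-restore ;;
    *)     build_rules ;;
esac
```
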
over 10 years online! © 1999-2009 dslreports.com.