Ping of Death Detect

Question

Level 2

475 points

Ping of Death Detect

Just got this message (Log AttackLog) sent to me from my router. Does anyone know what this means?

Dec/30/2005 12:05:30
Ping of Death Detect src:85.178.95.102:33551........ Packet Dropped

Thanks Alan

eMacG4 700, Combo, 1GB Ram, 160GB HD, 120/250GB Maxtor FW, Lacie DVDRW, Mac OS X (10.4.3), iBookG4 933, (10.4.2), 640MB, AEBS, Blth, iPod mini, 4G 20GB iPod, iSight

Posted on Dec 30, 2005 6:00 PM

Reply

Answer 1

Dec 30, 2005 6:47 PM in response to Alan Ogata

A "Ping of Death" or "SYN flooding" attack is a type of DoS (Denial of Service) to send a large amount or a series of illegal TCP/IP packet to attack a network block(s) or a designated node(s).

The message is returned by your Firewall that reports to prevent such an attack.

If you want to know the mechanism of an illegal IP packet, for instance, find the CERT Advisory CA-1996-21.

Depending on the frequency or a number of other type of attacks, you may need to consider some type of a strategy, which is not a calm for users who have not dealt with a malicious attacker(s) or a bot/botarmy.

Normally, well-known Firewall systems protect your computer so you may ignore the attack.

Reply

Answer 2

Alan Ogata Author

Level 2

475 points

Dec 30, 2005 7:14 PM in response to Fumiaki Kawashima

So the "Packet Dropped" message means that the router prevented or stopped the so called "Ping of Death" or "SYN flooding" attack? My routers firewall was disabled (actually I'm not sure now under Advanced>Firewall "Firewall Rules" neither enable or disable seems to be selected) so I'm not sure if its on or off but for sure OS Tiger's firewall was on. Let's see if I have this figured out if I have the router's firewall on/enabled it protects my network whereas the computers firewall just protects the computer? If that's the case why did my router (firewall off/disabled) drop that packet?

Thanks Alan

Reply

Answer 3

Dec 30, 2005 7:32 PM in response to Alan Ogata

It is a "Ping of Death" and OS Tiger's firewall reported it because you state that your routers firewall was disabled.

Should I have the routers firewall on as well?

It will depend on user's policy on computer security. Mac OS X Tiger firewall is good enough but If you want to analyze about any attacks in detail, some router's advanced firewall may help. As an option, you may consider to use DoorStop X and Who's There Firewall Advisor after by disabling the original Apple Firewall and the routers firewall.

The IP address 85.178.95.102 is a net block which is owned by HanseNet Telekommunikation GmbH. The port number 33551 is not used. Probably, a fake 33551 on a client machine is misused when attempting to attack your node. If you would like investigate it further, send a good enquiry to abuse@hansenet.com with detailed log information and your IP address and port number being used thereat.

Reply

Answer 4

Alan Ogata Author

Level 2

475 points

Dec 30, 2005 7:43 PM in response to Fumiaki Kawashima

Fumiaki,

You have been very helpful. I think I will try and set up (enable) my routers firewall too as an extra precaution along w/Tiger's since it probably wouldn't hurt. Maybe I'll send an enquiry to abuse@hansenet.com as well.

Thanks for your assistance,
Alan

Reply

Answer 5

Dec 30, 2005 8:17 PM in response to Alan Ogata

You are quite welcome.

To be attacked by Ping of Death means mainly the followings.

1. Affected by a tool used by an attacker that enables some net blocks for attacks and not target your node.

2. No skilful attacker uses it.

3. Just a harassment by someone (if other attempts continue).

Season's greetings and regards

Message was edited by: Fumiaki Kawashima

Reply