Whats it mean when I get "Pinged"?

CraigLC

What is this storage?
Joined
Jun 30, 2003
Messages
76
I use a Zone Alarm free firewall software and lately the amount of blocks it logs is off the hook. I am getting pinged by literally as many as 60 unique IP address on various ports within a half hour period. What does it mean? Is someone trying to hack me? Is there anyway i can fight back... like ping them back kind of thing since I have their IP address?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,332
Location
I am omnipresent
They're pings. More than likely a script kiddie or some kind of worm is scanning ports on your machine, and everyone else's on your subnet, for some kind of vulnerability.

If you've got an up-to-date firewall package and all your OS patches in place, and you aren't doing something silly with your internet connection, like running an IRC server or warez FTP site, you probably aren't a tempting or interesting target; there are easier fish to catch.

If you really want to, you can probably send a report back to the owner of the netblock that originated the pings (use an abuse@ email address, if you can nsloookup the originating domain). At the very least, port scanning by users rather than service providers is considered impolite. Some have rules against it as well.
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
A ping is just a test for echo sort of thing.
You ping to see if there is a responsive system at a specific IP address or machine name. It in itself isn't that harmful. Lots of them can cause network traffic to be higher. The problem is when something such as the worm finds your machine through the ping, it attempts the exploit to hack into your machine. So a ping just indicates someone wants to know that your IP address is a responsive system.
You firewall may be blocking the ping requests by not responding to them. Thus your machine will appear as an unresponsive machine and not available to exploit.
 

CraigLC

What is this storage?
Joined
Jun 30, 2003
Messages
76
Thanks for the info... may I ask was is nslookup? Can I put it in google or is it a website of its own?

The reason I originally chose the Zone labs firewall "Zone Alarm" is that if someone pings it, they dont get a responce back letting the hacker know that there is a computer there... Zone alarm gives no response giving the impression there is no computer there and taking just that much more time on the other end where each transaction has to time out :mrgrn: Anything I can do to make their lives a little more frustrating I am down for.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,332
Location
I am omnipresent
nslookup is a standard program for translating host names into IP addresses. If you're using 2000 or XP or any kind of *nix, drop to a shell prompt and do "nslookup [ip address]" and it should tell you the hostname for that IP, if it's known.
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
It is being caused by Blaster or a variant. My ISP just shut down the 'ping' port on their network to reduce traffic that was causing everything to get messed up because of Blaster et. al.

C
 

CraigLC

What is this storage?
Joined
Jun 30, 2003
Messages
76
So Clocker... you are saying its other infected computers trying to attack mine? Does this mean as the msblaster and its children get taken care of here and there the pinging will stop? I used to get hit here and there once in awhile but 60 times in a half an hour is incredible! I have a real slow dial up account so them sending packets or trying to ping me is just slowing it down even more!
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
Doesn't shutting down the ping port cause problems with network oriented software like multi-player gaming and file sharing? Or no?

If no, then I would advise just asking your ISP to turn off that port too. Then the pings will never reach you.
 

SteveC

Storage is cool
Joined
Jul 5, 2002
Messages
789
Location
NJ, USA
Howell said:
Can you configure ZA to block pings but not log it?

I'm pretty sure you can. I think it's somewhere under the options, where you can tell it when to notify you, and what to log.
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
Pinging is one of the ways Blaster and variants searches for other targets to infect. If you have a router than can drop pings or if you can configure ZA to drop them, you are less likely to be infected, I think, since you machine will appear to be dead (at least via Ping).

No pinging may cause problems for some games, but I doubt it. I have had my router configured to drop pings ever since I got it and never had a problem playing online games.

My ISP has acknowledged that no pinging may cause a problem for some in one way or another. They are only blocking pinging until the problem with Blaster can be gotten under control at which time the port blocking with be lifted.

C
 

Jan Kivar

Learning Storage Performance
Joined
Feb 3, 2003
Messages
410
Mercutio said:
Yeah, blocking ICMP packets is one of those big no-nos that just isn't supposed to be done.

What is "the" correct way to handle ICMP filtering? What should be allowed/denied? I tried googling a bit, but I didn't find anything useful (allow all/some/none, depending on the page)... Didn't see any "official" info.

Cheers,

Jan
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
blocking ICMP pings can really hurt when troubleshooting an internet conenction problem.. other than that I've not heard of any problems associated with it (I know I hear people saying that it may cause problems with games, but I have never heard which games or what problems.. I think it's just a myth)

The benefit of blocking ICMP pings can be obvious.. people(or viruses) looking to do mass port scans will often ping a host 1st.. if they can't ping it they will not go through the hassle of scanning ports on the computer and waiting for responses... they simply skip the host and move on...

blocking ICMP pings on an ISP level can often reduce traffic and thus potentially lower costs
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,332
Location
I am omnipresent
It's one thing to do it on an end-point network. There' blocking ping can enhance the security of your LAN. It's another thing completely if you're acting as the service provider for anyone else. I'd hate to have to troubleshoot a connectivity problem without access to basic tools like traceroute to my ISP.

Slashdot had an article a couple days ago in the Ask Slashdot section about the efficacy of "black box" firewalling devices, such as the Linksys WRT54G with builtin Zonealarm. There's some interesting discussion of network security there as well.

Sonicwall devices can be less than $100 on ebay and sometimes a PIX will sell for less than $500. Just thought I'd mention that. :)
 

Jan Kivar

Learning Storage Performance
Joined
Feb 3, 2003
Messages
410
I'm on a LAN. I've understood that I should allow:
  • [0] Echo Reply
    [8] Echo Request
    [11] Time Exceeded
    [30] Traceroute
    [33] IPv6 Where-Are-You
    [34] IPv6 I-Am-Here

for general connectivity (troubleshooting, like Merc mentioned). Anything else? I'm currently blocking all ICMP, but [0] in/out, [8] in, [11] in. [actually, those were default on my FW]

I get [10] Router Solicitation like once a minute, when I clear the "all ICMP blocking". I don't think I should reply to that (especially outside our LAN), right?

Cheers,

Jan
 
Top