WHAT DOES IT MEAN IF I AM GETTING PING ATTACKS DURING THE DAY FROM
165.203.174 USING PROTOCOL ICMP AND THE SOURCE IP ADDRESS IS CHANGING
FREQUENTLY |
Clarification of Question by moneypenny-ga on 21 Aug 2003 06:03 PDT
IP address destination is 165.165.203.174; it changes from day to day
|
Request for Question Clarification by denco-ga on 21 Aug 2003 09:52 PDT
Howdy moneypenny,
Is it just the last set or last two sets of digits that are always
changing, in other words, are the first two sets of digits always
165.165.x.x, or is it the entire IP that changes frequently?
Thanks! denco-ga
|
Clarification of Question by moneypenny-ga on 21 Aug 2003 23:42 PDT
IT IS ALWAYS THE LAST SET OF DIGITS THAT IS CHANGING
THE SOURCE OF LAST ATTACK IS 165.165.200.121
LAST ATTACK PING ATTACK
BYTES SENT 76,367
BYTES RECEIVED 343,159
|
Request for Question Clarification by sycophant-ga on 24 Aug 2003 04:43 PDT
Hi Moneypenny,
Are you using software to log these attacks? If so, what software?
How many of these attacks are being logged and how often?
Also, the byte counts you quote - are they from your logging software
or from the Windows network connection status window?
Regards,
Sycophant-ga
|
Clarification of Question by moneypenny-ga on 25 Aug 2003 05:45 PDT
I PICK IT UP ON TREND MICRO PC-CILLIN 2002'S PERSONAL FIREWALL LOGS
AND THIS HAS BEEN GOING ON SINCE THE 31ST OF JULY ON A DAILY BASIS FOR AS LONG
AS I AM ON LINE
|
Howdy moneypenny!
The entire range of 165.165.x.x IPs belongs to a Zambian Internet
Service Provider (ISP) called Telkom/SAIX, which stands for South
African Internet eXchange.
You should send copies of the portions of your firewall logs that
deal with the ping attacks from any IPs that start with 165.165.
to their abuse email address:
abuse@saix.net
Include a brief explanation of the abuse (ping attacks) of their
system. From their contact page, under Abuse Complaints:
http://www.saix.net/cgi-bin/saix_contacts.pl
"The Use Policy specifies the actions prohibited by the South African
Internet eXchange (SAIX), by users of the SAIX Network. SAIX reserves
the right to modify the Policy at any time, effective upon posting of
the modified Policy here. (http://www.saix.net/usepolicy.html)."
"Complaints regarding the following:
- Illegal Use
- System or Network Security issues
- eMail abuse
- USENET abuse
- SPAM"
You can also go to their "SAIX Enquiry Form" and send the same message
to them there. Make sure you select "Abuse" in the Category area.
http://www.saix.net/cgi-bin/saix_enquiry.pl
If you need any clarification, feel free to ask.
Search Strategy:
Used the IP Whois tool at the "Sam Spade" website for the ownership
of the IP range in question, and then checked the SAIX website.
http://www.samspade.org/
http://www.saix.net/
Looking Forward, denco-ga |
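One way to pull the "portions of your firewall logs" that the answer above says to send, as an added example that is not part of the original answer. The PC-cillin log layout is not shown on the page, so the six-field line format, the function names and the sample lines below are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Range named in the answer above (165.165.x.x).
REPORT_NET = ipaddress.ip_network("165.165.0.0/16")

# Constructed sample lines; the "date time protocol source destination action"
# layout is assumed, not taken from the firewall product.
SAMPLE_LOG = """\
2003-08-21 08:10:02 ICMP 165.165.200.121 165.165.203.174 blocked
2003-08-21 08:10:09 ICMP 165.165.200.121 165.165.203.174 blocked
2003-08-21 08:14:40 ICMP 165.165.201.7 165.165.203.174 blocked
2003-08-21 08:15:11 TCP 192.0.2.44 165.165.203.174 blocked
2003-08-22 09:31:55 ICMP 165.165.198.30 165.165.203.174 blocked
2003-08-22 09:40:00 ICMP 198.51.100.9 165.165.203.174 blocked
this line is damaged and should be skipped
"""

def select_report_lines(log_text, network=REPORT_NET, protocol="ICMP"):
    """Return (kept_lines, per_day_source_counts) for entries from `network`."""
    kept = []
    per_day = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:          # skip truncated or damaged lines
            continue
        date, _time, proto, src, _dst, _action = fields
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:            # source field is not an IP address
            continue
        if proto.upper() == protocol and src_ip in network:
            kept.append(line)         # keep the raw line for the abuse desk
            per_day[date][src] += 1
    return kept, {d: dict(s) for d, s in per_day.items()}

def build_report(log_text):
    """Summary by day and source, followed by the unmodified log excerpt."""
    kept, per_day = select_report_lines(log_text)
    out = [f"ICMP entries from {REPORT_NET}: {len(kept)}"]
    for date in sorted(per_day):
        for src, count in sorted(per_day[date].items()):
            out.append(f"  {date}  {src}  x{count}")
    out.append("Log excerpt (times as recorded by the firewall):")
    out.extend("  " + entry for entry in kept)
    return "\n".join(out)

if __name__ == "__main__":
    print(build_report(SAMPLE_LOG))
```

Stating the time zone of the log timestamps alongside the excerpt lets the provider match the entries against its own records.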
Request for Answer Clarification by moneypenny-ga on 26 Aug 2003 23:13 PDT
IF SOMEONE WAS SETTING UP MY SYSTEM NETWORK AND MADE HIMSELF MY
ADMINISTRATOR, IS IT POSSIBLE THAT HE COULD MAKE THESE PING ATTACKS ON
ME? ACCORDING TO ME THIS GUY IS TOO PASSIVE ABOUT MY CRYING FOR HELP ON
THIS THING, AND TOO EAGER TO HELP ME WITH ALL KINDS OF OTHER THINGS IN
MY BUSINESS
|
Clarification of Answer by denco-ga on 27 Aug 2003 16:40 PDT
Howdy moneypenny,
It is possible that someone who has administrator access to a
network could be making these ping attacks on your network.
Someone who doesn't have such access could be doing it as well.
Someone who had administrator access could, and probably would
do far worse things to your network, if they were doing anything
at all. If your computer person is being passive about the attacks,
it might be that that person is not all that concerned since 1) these
things happen, and 2) that is what the firewall is for, to prevent
something that happens all of the time from having any real impact
on your network.
Looking Forward, denco-ga
|
Request for Answer Clarification by moneypenny-ga on 28 Aug 2003 06:34 PDT
HI DENCO
THIS MORNING I HAD A PROBLEM CONNECTING TO MY PC AS IT WAS SAYING MY
DIAL-UP IS BEING USED BY ANOTHER PC. AFTER A STRUGGLE, WHEN I GOT
ACCESS TO MY PC, I WENT TO MY PERSONAL FIREWALL LOG AND SAW THAT I GOT
PING ATTACKS SINCE 08H10 THIS MORNING AND I WAS NOT EVEN ON MY LINE. I
GOT CONNECTED AT 09H10. IS IT POSSIBLE THAT YOU CAN EXPLAIN THIS ONE TO
ME?
|
Request for Answer Clarification by moneypenny-ga on 28 Aug 2003 07:46 PDT
Is it possible my PC is detected by a worm? When I scan my PC I cannot
find any detected viruses on it.
|
Clarification of Answer by denco-ga on 28 Aug 2003 12:15 PDT
Howdy moneypenny,
If you have the latest updates to your virus scanning software, I doubt
you have a virus. Make sure to have the latest virus signature file,
and rescan to make sure, but it doesn't really sound like a virus.
The discrepancy in time might be from the firewall software basing its
time on your system (hardware) clock versus the operating system time
(software). I wouldn't be concerned about it. Probably just some
setting difference.
It is easy to get overly concerned when one thing is happening, such
as a ping attack, to the point where you think more is wrong than just
that. I think you are just getting some relatively small probes of
your system, which is not that unusual these days.
Looking Forward, denco-ga
|