Which ping sends "ICMP echo" as payload?

4

Our web server is under attack for a long time now (at least several months). We get some 50000 ICMP Echo-request messages ("pings") per second. If I have a closer look at them, I can see that almost all of them have the payload text "ICMP echo". The pings come from about 60000 different IP addresses (which, of course, may be spoofed, but I don't think so. Different addresses show different sending patterns).

I checked various ping utilities: Windows ping, hrping, fping, psping, hping and nmap (all under Windows); all of them don't seem to create this payload.

Does anybody have any idea which utility includes this text as payload? I would like to get an idea what is going on. Are we under attack from a botnet? Upset users? Has someone (well, a whole lot of people) misconfigured their software?

Thanks for your help.

cxxl

Posted 2013-03-21T15:08:07.623

Reputation: 193

I wonder if this question is not better suited for Server Fault... – mpy – 2013-03-21T17:01:15.113

Answers

7

Part of the answer is that many versions can do this.  Many versions of “ping” support the “-p pattern” option:

-p pattern

You may specify up to 16 “pad” bytes to fill out the packet you send.  This is useful for diagnosing data-dependent problems in a network.  For example, -p ff will cause the sent packet to be filled with all ones.

References: 1, 2, and 3.  So, for example, I expect that any compatible version of “ping” would interpret the command ping -p 49434D50206563686F … to send the payload you describe.

Notes:

  • Unfortunately, I cannot actually verify what that command will do, because I don’t currently have access to a system that supports that option.
  • Yes, it seems unlikely that somebody who is attacking you would do that.  But you never know with crackers.

Scott

Reputation: 17 653

0

50000 pings per second is of course intended as a denial of service attack, and if it comes from 60000 different addresses it is undoubtedly from a botnet.

Of course you must not answer the ping requests (on the server), or you must firewall them.

Luis Siquot

Reputation: 294

It sure seems to be so. But if it's a botnet: why are they sending only some 10 bytes of payload? If they want to DDoS me, I'd send a full payload of 1500 bytes. – cxxl – 2013-03-22T15:48:02.727

You are on the right track. I mean, asking why "ICMP echo" (which is impossible to google) and why 10 bytes. I can help just with hints and opinions. Did you try to move yourdomain.com to a new IP, just to know if the pings follow the domain or the IP? Perhaps this was the IP of someone whose software checks for "internet connectivity"; worse than that, perhaps that is the IP (or the domain) that someone (a bad one) chose to check "internet connectivity" even without the ownership. – Luis Siquot – 2013-03-22T16:33:58.867

-2

ICMP is Ping, we have ICMP, TCP, UDP...

If you need more info on ICMP have a look here: http://en.wikipedia.org/wiki/Ping_%28networking_utility%29

I think what we really need to know is what software you are reading this from. That way we can gather how it might read the packet compared to say the cmd prompt.

Although there is slightly more to it, http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Austin T French

Reputation: 9 766

I used tcpdump to capture the incoming packets from the network card. – cxxl – 2013-03-21T15:17:29.387

2

ICMP is far more than just ping (echo) -- see http://www.nthelp.com/icmp.html for a list of types. – Flup – 2013-03-21T15:18:10.967

Those are types and codes for ping requests. – Austin T French – 2013-03-21T15:44:41.140

TCPDump even explicitly states "echo requests" are in fact ping requests. To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

(http://www.tcpdump.org/tcpdump_man.html) – Austin T French – 2013-03-21T16:44:27.010
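The following is an added example, not code from the thread or from any ping implementation. It ties together two points above: Scott's answer, that the payload text can be produced by hex-encoding it for `ping -p` (it shows the 49434D50206563686F string), and Austin T French's last comment, which filters echo/echo-reply traffic with tcpdump. The example builds constructed sample IPv4/ICMP packets carrying that payload (nothing is sent), then parses such packets the way a capture tool would: it verifies the ICMP checksum, applies the same echo/echo-reply distinction as the tcpdump filter, and counts pattern-bearing echo requests per source address for triage. It uses only the Python standard library; the addresses and function names (`parse_packet`, `summarize`, ...) are this example's own.

```python
"""Added example: encode the 'ICMP echo' pattern as ping -p would take it,
build constructed IPv4/ICMP sample packets with that payload, and parse/
classify them (checksum check, echo vs. non-echo, per-source counts)."""
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1
PATTERN_TEXT = "ICMP echo"  # payload text from the question


def pattern_to_hex(text: str) -> str:
    """Hex form of a pattern as written for ping -p ('ICMP echo' -> 49434D50206563686F)."""
    return text.encode("ascii").hex().upper()


def hex_to_pattern(hexstr: str) -> bytes:
    """Inverse: the bytes ping would put in the payload for that -p argument."""
    return bytes.fromhex(hexstr)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (ICMP and IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP message with a correct checksum (ident/seq are 'unused' for non-echo types)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, TTL 64, proto ICMP) in front of an ICMP message."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, IPPROTO_ICMP, 0,
              ip_to_bytes(src), ip_to_bytes(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_packet(frame: bytes) -> dict:
    """Parse an IPv4+ICMP packet (as captured); raise ValueError if it is not ICMP."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = frame[ihl:total_len]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": bytes_to_ip(frame[12:16]), "dst": bytes_to_ip(frame[16:20]),
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": icmp[8:],
        # summing the message with its checksum field included must fold to zero
        "checksum_ok": inet_checksum(icmp) == 0,
    }


def is_ping(pkt: dict) -> bool:
    """Echo request or echo reply: the complement of the tcpdump filter in the comments."""
    return pkt["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)


def has_pattern_payload(pkt: dict, pattern: bytes = PATTERN_TEXT.encode()) -> bool:
    """True if the echo payload begins with the text seen in the question."""
    return pkt["payload"].startswith(pattern)


def summarize(frames) -> dict:
    """Triage: pattern-bearing echo requests per source, plus non-ping and corrupt counts."""
    per_src, non_ping, bad_csum = Counter(), 0, 0
    for frame in frames:
        pkt = parse_packet(frame)
        if not pkt["checksum_ok"]:
            bad_csum += 1
        elif not is_ping(pkt):
            non_ping += 1
        elif pkt["type"] == ICMP_ECHO_REQUEST and has_pattern_payload(pkt):
            per_src[pkt["src"]] += 1
    return {"pattern_requests_by_src": dict(per_src),
            "non_ping": non_ping, "bad_checksum": bad_csum}


# Constructed sample traffic (documentation-range addresses, never sent anywhere).
SAMPLE_PAYLOAD = hex_to_pattern(pattern_to_hex(PATTERN_TEXT))
SAMPLE_FRAMES = [
    build_ipv4("198.51.100.7", "203.0.113.10", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, SAMPLE_PAYLOAD)),
    build_ipv4("198.51.100.7", "203.0.113.10", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 2, SAMPLE_PAYLOAD)),
    build_ipv4("192.0.2.44", "203.0.113.10", build_icmp(ICMP_ECHO_REQUEST, 0x42, 1, SAMPLE_PAYLOAD + b"!")),
    build_ipv4("203.0.113.10", "198.51.100.7", build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, SAMPLE_PAYLOAD)),
    build_ipv4("192.0.2.1", "203.0.113.10", build_icmp(3, 0, 0, b"")),  # destination unreachable, not a ping
]
_tampered = bytearray(SAMPLE_FRAMES[0])
_tampered[-1] ^= 0xFF  # flip one payload byte so the ICMP checksum no longer matches
SAMPLE_FRAMES.append(bytes(_tampered))

if __name__ == "__main__":
    print(pattern_to_hex(PATTERN_TEXT))
    print(summarize(SAMPLE_FRAMES))
```

The checksum check matters for triage: a packet whose ICMP checksum fails would have been dropped by a normal stack and tells you nothing about the sender's tool, so it is counted separately rather than attributed to a source. The per-source counter is the offline analogue of what tcpdump's echo filter plus a `sort | uniq -c` over source addresses gives on a live capture.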