"Ping of Death"

Hi, I noticed a lot of unusual activity on my broadband modem earlier so I checked my firewall's security log and it had this...

Denial of Service "Ping of Death" attack detected.

Time: 28/02/2008 21:04:35 (occured again at 21:23:58)
Security Type: Denial of Service
Severity: Major
Direction: Incoming
Protocol: ICMP
(Some other info but I'm not sure if it's safe to list it)

Description:
In a Ping of Death attack, the hacker uses a packet with a size that is larger than the normal standard. When your system encounters a packet of this size, it often crashes, hangs, or reboots.



As soon as I saw this I disconnected my internet for 20 minutes as I wasn't sure if my firewall was blocking the attack or not. When I reconnected it the same attack happened again.

Are there any security scans I should do following this?

Also, when I right click on the log for both attacks I get 2 options:

Back Trace
Stop All Active Responses

Can you tell me what the latter option does and when it should be used please.

I've checked my firewall's help files but can't see anything about it.

Chris

Hello Chris.


First of all, I need to inform you that some routers (especially those that use active security mechanisms or wireless ones) might trigger false attacks. As an example, let's take a wireless router that has WPA2 and TKIP protection. As TKIP assigns every data packet a separate encryption key, the packets become mutated and might be recognized as attacks.

However, in order for me to make sure this is the case, I will kindly ask you to send me copies of your firewall rules and logs, as well as an "ipconfig /all" output. I highly recommend you email me with these logs at alex_sarchiz@bullguard.com, instead of posting them on the forum. Here's what you need to do:

A.
- Go to Start > Run.
- Type: cmd
- Press the [Enter] key from your keyboard. This will open a command prompt window.
- Type: ipconfig /all
- Press [Enter] again.
- After the Windows IP Configuration is displayed, right click the command prompt window and choose "Select All".
- Press [Enter] and close the window.
- Create a new e-mail and place the mouse cursor in that new window.
- Press the Ctrl+V keys from your keyboard - this will paste the Windows IP Configuration into your email.

B.
- Open the BullGuard application and go to the Firewall section.
- Make sure the User Level is set to Advanced then go to the Logs tab.
- Right click inside the Logs window and select the option "Dump internal rules".
- This will create a new log on your desktop called "BgFwRules".
- Attach this log to the e-mail that contains the Windows IP configuration.

C.
- Right click again inside the Logs window and select the option "Explore logs folder".
- Locate the log created for today, in the window that appears.
- Copy the log to your desktop.
- Attach the log to the e-mail as well then submit the results to me for examination.

As for your other inquiries, here is what the two features actually do:

Back Trace - it traces all packets back to the sender, allowing you to find out sensitive information from the source (such as real IP address - in case of a spoof, real MAC, and so on).
Stop all Active Responses - the active response services or rules are a set of preconfigured instructions that will automatically trigger once an attack is detected. Think of it as UPnP for firewall. Using that function will stop all Active Responses from triggering.

If you have any other questions, you can contact us via the forum, Live Chat or email, at support@bullguard.com