[TriLUG] [OT] odd output from ping

Andrew Perrin clists at perrin.socsci.unc.edu
Thu Mar 27 12:46:24 EST 2003


I was just reading somewhere about a DDOS attack against the English
al-jazeera server. My best guess is that they've filtered out ICMP packets
at the router to avoid the possibility of a ping flood.

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Thu, 27 Mar 2003, Paul D. Boyle wrote:

> Hi All,
>
> I am using <ob linux>SuSE 7.3</ob linux>.  I was trying to connect to
> http://english.aljazeera.net and wasn't able to get through.  I wanted
> to see if the host was up so, I pinged it and got this output:
>
> boyle:/~% ping english.aljazeera.net
> PING english.aljazeera.net (216.34.94.186) from 152.1.38.206 : 56(84) bytes of data.
> From jerry.exodus.net (216.34.83.66): icmp_seq=2 Packet filtered
> From jerry.exodus.net (216.34.83.66) icmp_seq=2 Packet filtered
>
> --- english.aljazeera.net ping statistics ---
> 6 packets transmitted, 0 received, +2 errors, 100% loss, time 5024ms
>
> boyle:/~% ping english.aljazeera.net
> PING english.aljazeera.net (216.34.94.186) from 152.1.38.206 : 56(84) bytes of data.
> From jerry.exodus.net (216.34.83.66): icmp_seq=18 Packet filtered
> From jerry.exodus.net (216.34.83.66) icmp_seq=18 Packet filtered
> From jerry.exodus.net (216.34.83.66) icmp_seq=32 Packet filtered
> From jerry.exodus.net (216.34.83.66) icmp_seq=41 Packet filtered
> From jerry.exodus.net (216.34.83.66) icmp_seq=50 Packet filtered
> From jerry.exodus.net (216.34.83.66) icmp_seq=57 Packet filtered
>
>
> I have never seen the "Packet filtered" message before.  I did a
> 'whois' for this host and tracked down some phone numbers.  I called the
> network operations people of the organization which seems to administer
> 'jerry.exodus.net'.  I was told to send an email to them, which I did.
> Oddly enough, though, after my phone call, the behavior of 'ping' changed.
> Now this is the output I get:
>
> boyle:/x03033% ping english.aljazeera.net
> PING english.aljazeera.net (216.34.94.186) from 152.1.38.206 : 56(84) bytes of data.
>
> --- english.aljazeera.net ping statistics ---
> 309 packets transmitted, 0 received, 100% loss, time 308019ms
>
> boyle:/x03033% !ping
> ping english.aljazeera.net
> PING english.aljazeera.net (216.34.94.186) from 152.1.38.206 : 56(84) bytes of data.
>
> --- english.aljazeera.net ping statistics ---
> 381 packets transmitted, 0 received, 100% loss, time 380015ms
>
> From my reading of Stevens' "TCP/IP Illustrated Volume 1", I can see that
> ICMP packets can return a number of codes.  The message seems to most
> closely correspond to code 13, which is, "communication administratively
> prohibited by filtering", although I guess there are other possibilities
> (I need to look in the source for ping).
>
> Does anyone know (or have an opinion) whether this indicates a bona fide
> technical problem, or why would a site be blocked like this?
>
> Thanks for any help.
>
> Paul
>
> --
> Paul D. Boyle			    |	boyle at laue.chem.ncsu.edu
> Director, X-ray Structural Facility |	phone: (919) 515-7362
> Department of Chemistry - Box 8204  |	FAX:   (919) 515-5079
> North Carolina State University     |	http://www.xray.ncsu.edu
> Raleigh, NC, 27695-8204
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>
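
Added example, not part of the original thread: Linux iputils ping prints "Packet filtered" for an ICMP Destination Unreachable (type 3) message with code 13, and that error quotes the original IP header plus the first 8 bytes of the echo request, which is where the icmp_seq in the output comes from. The sketch below builds a constructed message of that kind and decodes it; the function names are hypothetical and the addresses are documentation-range placeholders.

```python
import socket
import struct

ADMIN_PROHIBITED = 13  # RFC 1812: communication administratively prohibited

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(dst: str, src: str, seq: int) -> bytes:
    """Constructed type 3 / code 13 error quoting an echo request (sample data)."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq)
    echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    body = struct.pack("!BBHI", 3, ADMIN_PROHIBITED, 0, 0) + ip + echo
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def decode_unreachable(msg: bytes) -> dict:
    """Decode an ICMP Destination Unreachable message (outer IP header removed)."""
    if len(msg) < 36 or checksum(msg) != 0:
        raise ValueError("truncated message or bad ICMP checksum")
    if msg[0] != 3:
        raise ValueError("not a Destination Unreachable message")
    ihl = (msg[8] & 0x0F) * 4  # length of the quoted IP header
    quoted = msg[8 + ihl:]     # first 8 bytes of the original datagram's payload
    if ihl < 20 or len(quoted) < 8:
        raise ValueError("quoted datagram is malformed")
    q_type, _, _, _, q_seq = struct.unpack("!BBHHH", quoted[:8])
    return {
        "code": msg[1],
        "filtered": msg[1] == ADMIN_PROHIBITED,
        "orig_dst": socket.inet_ntoa(msg[24:28]),   # destination in quoted header
        "echo_seq": q_seq if q_type == 8 else None,  # only set for echo requests
    }
```

An explicit code 13 reply names the router that applied the filter, whereas a filter that drops silently leaves ping with nothing but 100% loss.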


