In the company I'm working for, we also have noticed an increasing number of ICMP requests.
Seems to be related to the W32.Nachi-A virus.

See: http://www.sophos.com/virusinfo/analyses/w32nachia.html
and: http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Jean-Luc Cavey
65, boulevard Brune
75014 Paris, France
+33 (0) 1 45 43 45 62
+33 (0) 6 15 93 77 96
E-Mail : Jean-Lucat_private

---- Original Message ----
From: "Ken Eichman" <keichmanat_private>
To: <incidentsat_private>
Sent: Monday, August 18, 2003 6:24 PM
Subject: Increasing ICMP Echo Requests

> For the past 12 hours I've noticed a steady increase in the number of
> ICMP Echo Requests (type 8 code 0) being directed against random
> source addresses in my /16. During the past 15 hours we've been ping
> probed by 127,585 unique source addresses, and hour-by-hour the
> number of sources is increasing:
>
>           Hour  # Unique
>     Date  GMT   Src Addrs
>     ----- ----  ---------
>     08/18 0000         80
>     08/18 0100        232
>     08/18 0200        905
>     08/18 0300       2727
>     08/18 0400       4686
>     08/18 0500       7378
>     08/18 0600       9930
>     08/18 0700      12214
>     08/18 0800      13993
>     08/18 0900      14196
>     08/18 1000      14097
>     08/18 1100      15756
>     08/18 1200      17776
>     08/18 1300      20352
>     08/18 1400      21298
>
> I have not had time to do much analysis on this traffic, other than to
> report it to DShield who is apparently getting similar reports from
> others.
>
> Possibly related to this, we are also seeing an increased number of
> ping sweeps, where one source IP incrementally pings our entire /16
> range. Anyone else seeing this or have any ideas?
>
> Ken Eichman                    Senior Scientist
> Chemical Abstracts Service     IT Information Security
> 2540 Olentangy River Road      614-447-3600 ext. 3230
> Columbus, OH 43210             keichmanat_private
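
The two measurements described in the thread, the hourly count of unique echo-request sources and the incremental ping sweep, can be computed from firewall or sensor logs. The following is an added example, not code from either poster; the log format, function names and sample addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (an assumption, not from the original post):
#   <UTC timestamp> ICMP type=<n> code=<n> src=<ip> dst=<ip>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2}Z ICMP "
                     r"type=(\d+) code=(\d+) src=(\S+) dst=(\S+)$")

def parse_echo_requests(lines):
    """Yield (date, hour, src, dst) for ICMP type 8 code 0 only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or (m.group(3), m.group(4)) != ("8", "0"):
            continue  # malformed line or another ICMP type
        try:
            yield (m.group(1), m.group(2),
                   ipaddress.ip_address(m.group(5)), ipaddress.ip_address(m.group(6)))
        except ValueError:
            continue  # unparseable address

def unique_sources_per_hour(lines):
    """Return {(date, hour): count of distinct source addresses}."""
    seen = defaultdict(set)
    for date, hour, src, _ in parse_echo_requests(lines):
        seen[(date, hour)].add(src)
    return {k: len(v) for k, v in sorted(seen.items())}

def sweep_sources(lines, min_run=4):
    """Return sources that pinged at least min_run consecutive addresses."""
    dsts = defaultdict(set)
    for _, _, src, dst in parse_echo_requests(lines):
        dsts[src].add(int(dst))
    found = []
    for src, addrs in dsts.items():
        ordered, run, best = sorted(addrs), 1, 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            found.append(str(src))
    return sorted(found)

# Constructed sample (documentation address ranges): one sweeper plus single pings.
SAMPLE = [f"2003-08-18T00:0{i}:00Z ICMP type=8 code=0 src=198.51.100.7 dst=192.0.2.{10 + i}"
          for i in range(5)]
SAMPLE += [f"2003-08-18T{h}:30:00Z ICMP type={t} code=0 src=203.0.113.{s} dst=192.0.2.{d}"
           for h, t, s, d in [("00", 8, 5, 77), ("01", 8, 5, 140), ("01", 8, 9, 201),
                              ("01", 8, 23, 3), ("01", 0, 66, 1)]]  # last is an echo reply
```

On a real /16 the `min_run` threshold would need to be far higher than the default used for this small sample, since unrelated probes can land on neighbouring addresses by chance.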
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:38:16 PDT