Re: Increasing ICMP Echo Requests

From: Ken Eichman (keichmanat_private)
Date: Mon Aug 18 2003 - 11:42:47 PDT

    A number of people have informed me that this traffic is probably
    generated by a "good samaritan" worm apparently named 'Msblast.d'
    or 'Welchia' (Symantec) or 'Nachi' (McAfee), which removes msblast
    and installs MS03-026 on affected systems. Ken
    
    > From incidents-return-6482-keichman=cas.orgat_private Mon Aug 18 14:09:39 2003
    > Subject: Increasing ICMP Echo Requests
    >
    > For the past 12 hours I've noticed a steady increase in the number of
    > ICMP Echo Requests (type 8 code 0) being directed against random source
    > addresses in my /16. During the past 15 hours we've been ping probed by
    > 127,585 unique source addresses, and hour-by-hour the number of sources
    > is increasing:
    >
    >         Hour  # Unique
    > Date    GMT   Src Addrs
    > -----   ----  ---------
    > 08/18   0000         80
    > 08/18   0100        232
    > 08/18   0200        905
    > 08/18   0300       2727
    > 08/18   0400       4686
    > 08/18   0500       7378
    > 08/18   0600       9930
    > 08/18   0700      12214
    > 08/18   0800      13993
    > 08/18   0900      14196
    > 08/18   1000      14097
    > 08/18   1100      15756
    > 08/18   1200      17776
    > 08/18   1300      20352
    > 08/18   1400      21298
    >
    > I have not had time to do much analysis on this traffic, other than to
    > report it to DShield who is apparently getting similar reports from others.
    >
    > Possibly related to this, we are also seeing an increased number of ping
    > sweeps, where one source IP incrementally pings our entire /16 range.
    > Anyone else seeing this or have any ideas?
    >
    > Ken Eichman                 Senior Scientist
    > Chemical Abstracts Service  IT Information Security
    > 2540 Olentangy River Road   614-447-3600 ext. 3230
    > Columbus, OH 43210          keichmanat_private
    >
    > ---------------------------------------------------------------------------
    > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    >  - Automatically Control P2P, IM and Spam Traffic
    >  - Ensure Reliable Performance of Mission Critical Applications
    >  - Precisely Define and Implement Network Security and Performance Policies
    > **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > Visit us at:
    > http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > ----------------------------------------------------------------------------
    
    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:39:39 PDT
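
Added example, not part of the original posts: one way to reproduce the hourly unique-source count from the quoted report and to pick out single-source incremental ping sweeps separately. The log line format, the addresses and the sweep thresholds are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def build_sample_log():
    """Constructed records: 'date HH:MM:SS src dst icmp_type icmp_code'."""
    lines = []
    # One source walking the monitored range in address order (a ping sweep).
    for i in range(1, 21):
        lines.append(f"2003-08-18 00:00:{i:02d} 198.51.100.7 10.1.0.{i} 8 0")
    # Many sources, each probing two scattered addresses; more in the next hour.
    for hour, n_sources in ((0, 3), (1, 8)):
        for s in range(n_sources):
            src = f"203.0.113.{hour * 100 + s + 1}"
            for k in range(2):
                dst = f"10.1.{(s * 37 + k * 91) % 256}.{(s * 53 + k * 17) % 256}"
                lines.append(f"2003-08-18 {hour:02d}:30:{s:02d} {src} {dst} 8 0")
    lines.append("2003-08-18 01:45:00 192.0.2.9 10.1.5.5 3 1")  # not an echo request
    return lines

def echo_requests(lines):
    """Yield (hour, src, dst_as_int) for ICMP type 8 code 0 records only."""
    for line in lines:
        date, time, src, dst, itype, icode = line.split()
        if (itype, icode) == ("8", "0"):
            yield f"{date} {time[:2]}00", src, int(ipaddress.ip_address(dst))

def unique_sources_per_hour(lines):
    """Count distinct source addresses per hour, as in the quoted table."""
    seen = defaultdict(set)
    for hour, src, _ in echo_requests(lines):
        seen[hour].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(seen.items())}

def find_sweepers(lines, min_targets=10, min_sequential=0.8):
    """Sources whose targets, in arrival order, mostly step by +1 (assumed thresholds)."""
    targets = defaultdict(list)
    for _, src, dst in echo_requests(lines):
        targets[src].append(dst)
    sweepers = []
    for src, dsts in targets.items():
        if len(set(dsts)) < min_targets:
            continue
        steps = sum(1 for a, b in zip(dsts, dsts[1:]) if b - a == 1)
        if steps / (len(dsts) - 1) >= min_sequential:
            sweepers.append(src)
    return sorted(sweepers)

if __name__ == "__main__":
    print(unique_sources_per_hour(build_sample_log()), find_sweepers(build_sample_log()))
```

Keeping the two measures apart matters here: a rising count of distinct sources that each touch only a few addresses points to many infected hosts, while a sweeper is a single host walking the range.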