A number of people have informed me that this traffic is probably generated
by a "good samaritan" worm apparently named 'Msblast.d' or 'Welchia'
(Symantec) or 'Nachi' (McAfee), which removes msblast and installs MS03-026
on affected systems.

Ken

> From incidents-return-6482-keichman=cas.orgat_private Mon Aug 18 14:09:39 2003
> Subject: Increasing ICMP Echo Requests
>
> For the past 12 hours I've noticed a steady increase in the number of
> ICMP Echo Requests (type 8 code 0) being directed against random source
> addresses in my /16. During the past 15 hours we've been ping probed by
> 127,585 unique source addresses, and hour-by-hour the number of sources
> is increasing:
>
>           Hour   # Unique
>   Date    GMT    Src Addrs
>   -----   ----   ---------
>   08/18   0000          80
>   08/18   0100         232
>   08/18   0200         905
>   08/18   0300        2727
>   08/18   0400        4686
>   08/18   0500        7378
>   08/18   0600        9930
>   08/18   0700       12214
>   08/18   0800       13993
>   08/18   0900       14196
>   08/18   1000       14097
>   08/18   1100       15756
>   08/18   1200       17776
>   08/18   1300       20352
>   08/18   1400       21298
>
> I have not had time to do much analysis on this traffic, other than to
> report it to DShield who is apparently getting similar reports from others.
>
> Possibly related to this, we are also seeing an increased number of ping
> sweeps, where one source IP incrementally pings our entire /16 range.
> Anyone else seeing this or have any ideas?
>
> Ken Eichman                 Senior Scientist
> Chemical Abstracts Service  IT Information Security
> 2540 Olentangy River Road   614-447-3600 ext. 3230
> Columbus, OH 43210          keichmanat_private
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:39:39 PDT