Symantec SOC issued an alert about this as well. Unfortunately, due to some agreement, I'm not allowed to redistribute the notice publicly.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615

-----Original Message-----
From: Ken Eichman [mailto:keichmanat_private]
Sent: Monday, August 18, 2003 12:24 PM
To: incidentsat_private
Subject: Increasing ICMP Echo Requests

For the past 12 hours I've noticed a steady increase in the number of ICMP Echo Requests (type 8 code 0) being directed against random source addresses in my /16. During the past 15 hours we've been ping probed by 127,585 unique source addresses, and hour-by-hour the number of sources is increasing:

    Date   Hour GMT  # Unique Src Addrs
    -----  --------  ------------------
    08/18  0000          80
    08/18  0100         232
    08/18  0200         905
    08/18  0300        2727
    08/18  0400        4686
    08/18  0500        7378
    08/18  0600        9930
    08/18  0700       12214
    08/18  0800       13993
    08/18  0900       14196
    08/18  1000       14097
    08/18  1100       15756
    08/18  1200       17776
    08/18  1300       20352
    08/18  1400       21298

I have not had time to do much analysis on this traffic, other than to report it to DShield who is apparently getting similar reports from others.

Possibly related to this, we are also seeing an increased number of ping sweeps, where one source IP incrementally pings our entire /16 range.

Anyone else seeing this or have any ideas?

Ken Eichman                   Senior Scientist
Chemical Abstracts Service    IT Information Security
2540 Olentangy River Road     614-447-3600 ext. 3230
Columbus, OH 43210            keichmanat_private

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
 - Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------

**********************************************************************
CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments to it, may contain confidential information or protected health information subject to privacy regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This transmission is intended only for the use of the recipient(s) named above. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail and destroy the original transmission in its entirety without saving it in any manner.
**********************************************************************
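
The two measurements reported in the thread above, the hourly count of unique Echo Request sources and the single sources that ping destinations incrementally, can be reproduced from packet records as in this added example, which is not part of either poster's message. The record format, the addresses, the monitored 10.20.0.0/16 range and the `min_run` threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the thread), one per packet seen:
# "<UTC timestamp> <source> <destination> <ICMP type> <ICMP code>"
SAMPLE = """\
2003-08-18T00:05:11Z 198.51.100.7 10.20.3.9 8 0
2003-08-18T00:17:40Z 198.51.100.8 10.20.77.1 8 0
2003-08-18T00:41:02Z 198.51.100.7 10.20.200.14 8 0
2003-08-18T01:00:01Z 192.0.2.50 10.20.0.1 8 0
2003-08-18T01:00:01Z 203.0.113.1 10.20.9.9 8 0
2003-08-18T01:00:02Z 192.0.2.50 10.20.0.2 8 0
2003-08-18T01:00:02Z 198.51.100.99 10.20.4.4 3 1
2003-08-18T01:00:03Z 192.0.2.50 10.20.0.3 8 0
2003-08-18T01:00:03Z 203.0.113.2 10.20.61.5 8 0
2003-08-18T01:00:04Z 192.0.2.50 10.20.0.4 8 0
2003-08-18T01:00:05Z 192.0.2.50 10.20.0.5 8 0
2003-08-18T01:12:30Z 203.0.113.3 10.20.18.200 8 0
"""

def parse(text):
    """Yield (hour, src, dst) for ICMP Echo Requests (type 8 code 0) only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3:] != ["8", "0"]:
            continue  # malformed record or some other ICMP type
        ts, src, dst = parts[:3]
        yield ts[:13], ipaddress.ip_address(src), ipaddress.ip_address(dst)

def hourly_unique_sources(text):
    """Map each hour (YYYY-MM-DDTHH) to its number of distinct sources."""
    seen = defaultdict(set)
    for hour, src, _ in parse(text):
        seen[hour].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(seen.items())}

def sweep_sources(text, min_run=4):
    """Sources that hit at least min_run consecutive destination addresses."""
    last, run, found = {}, {}, set()
    for _, src, dst in parse(text):
        # Extend the run only if this destination is the previous one plus 1.
        if src in last and int(dst) == int(last[src]) + 1:
            run[src] += 1
        else:
            run[src] = 1
        last[src] = dst
        if run[src] >= min_run:
            found.add(str(src))
    return found
```

Tracking the run per source keeps a sweep visible even when its packets are interleaved with the random single probes from other addresses.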
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:40:21 PDT