Ken, We're seeing the same ICMP pattern. Is this from the blaster? We are looking into filtering ICMP echo request on our external routers. Here is a snip from our IDS, [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] [Xref => http://www.whitehats.com/info/IDS154] Event ID: 179333 Event Reference: 0 08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92 Type:8 Code:0 ID:2 Seq:61261 ECHO AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................ Thanks Daniel Williams Cedar Document Technologies Ken Eichman wrote: >For the past 12 hours I've noticed a steady increase in the number of >ICMP Echo Requests (type 8 code 0) being directed against random source >addresses in my /16. During the past 15 hours we've been ping probed by >127,585 unique source addresses, and hour-by-hour the number of sources >is increasing: > > Hour # Unique >Date GMT Src Addrs >----- ---- --------- >08/18 0000 80 >08/18 0100 232 >08/18 0200 905 >08/18 0300 2727 >08/18 0400 4686 >08/18 0500 7378 >08/18 0600 9930 >08/18 0700 12214 >08/18 0800 13993 >08/18 0900 14196 >08/18 1000 14097 >08/18 1100 15756 >08/18 1200 17776 >08/18 1300 20352 >08/18 1400 21298 > >I have not had time to do much analysis on this traffic, other than to >report it to DShield who is apparently getting similar reports from others. > >Possibly related to this, we are also seeing an increased number of ping >sweeps, where one source IP incrementally pings our entire /16 range. >Anyone else seeing this or have any ideas? > >Ken Eichman Senior Scientist >Chemical Abstracts Service IT Information Security >2540 Olentangy River Road 614-447-3600 ext. 3230 >Columbus, OH 43210 keichmanat_private > >--------------------------------------------------------------------------- >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans > - Automatically Control P2P, IM and Spam Traffic > - Ensure Reliable Performance of Mission Critical Applications > - Precisely Define and Implement Network Security and Performance Policies >**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo >Visit us at: >http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814 >---------------------------------------------------------------------------- > > --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications - Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814 ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 13:00:04 PDT