Re: Increasing ICMP Echo Requests

From: Daniel Williams (dwilliamsat_private)
Date: Mon Aug 18 2003 - 11:36:44 PDT

    Ken,
    We're seeing the same ICMP pattern.
    Is this from Blaster? We are looking into filtering ICMP echo 
    requests on our external routers.
    
    Here is a snippet from our IDS:
    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    [Xref => http://www.whitehats.com/info/IDS154]
    Event ID: 179333     Event Reference: 0
    08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx
    ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92
    Type:8  Code:0  ID:2   Seq:61261  ECHO
    AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    
    
    Thanks
    Daniel Williams
    Cedar Document Technologies
    
    
    Ken Eichman wrote:
    
    >For the past 12 hours I've noticed a steady increase in the number of
    >ICMP Echo Requests (type 8 code 0) being directed against random source
    >addresses in my /16. During the past 15 hours we've been ping probed by
    >127,585 unique source addresses, and hour-by-hour the number of sources
    >is increasing:
    >
    >        Hour  # Unique
    >Date    GMT   Src Addrs
    >-----   ----  ---------
    >08/18   0000         80
    >08/18   0100        232
    >08/18   0200        905
    >08/18   0300       2727
    >08/18   0400       4686
    >08/18   0500       7378
    >08/18   0600       9930
    >08/18   0700      12214
    >08/18   0800      13993
    >08/18   0900      14196
    >08/18   1000      14097
    >08/18   1100      15756
    >08/18   1200      17776
    >08/18   1300      20352
    >08/18   1400      21298
    >
    >I have not had time to do much analysis on this traffic, other than to
    >report it to DShield who is apparently getting similar reports from others.
    >
    >Possibly related to this, we are also seeing an increased number of ping
    >sweeps, where one source IP incrementally pings our entire /16 range.
    >Anyone else seeing this or have any ideas?
    >
    >Ken Eichman                 Senior Scientist
    >Chemical Abstracts Service  IT Information Security
    >2540 Olentangy River Road   614-447-3600 ext. 3230
    >Columbus, OH 43210          keichmanat_private
    >
    >---------------------------------------------------------------------------
    >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Ensure Reliable Performance of Mission Critical Applications
    > - Precisely Define and Implement Network Security and Performance Policies
    >**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    >Visit us at: 
    >http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    >----------------------------------------------------------------------------
    >  
    >
    
    
    
    
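An added example, not part of the thread or of either poster's tooling: a Python script that parses Snort "full"-format alert records like the one Daniel pasted, flags echo requests carrying the 64-byte 0xAA payload (DgmLen 92 = 20 IP + 8 ICMP + 64 data), and tallies unique source addresses per hour, which is the view Ken's table gives. The alert records it runs on are constructed here (RFC 5737 documentation addresses and made-up timestamps, rendered by a small helper in the same format), and the fingerprint is simply the payload pattern visible in the quoted alert, not an attribution to any particular worm.

```python
import re
from collections import defaultdict

AA_PAYLOAD = bytes([0xAA]) * 64   # the 64-byte 0xAA fill seen in the quoted alert
IP_HDR_LEN = 20
ICMP_HDR_LEN = 8


def render_alert(ts, src, dst, icmp_type, payload, sid="1:483:2",
                 msg="ICMP PING CyberKit 2.2 Windows"):
    """Render one record in Snort 'full' alert format (constructed sample data)."""
    dgm_len = IP_HDR_LEN + ICMP_HDR_LEN + len(payload)
    name = "ECHO" if icmp_type == 8 else "ECHO REPLY"
    lines = [
        f"[**] [{sid}] {msg} [**]",
        "[Classification: Misc activity] [Priority: 3]",
        f"{ts} {src} -> {dst}",
        f"ICMP TTL:118 TOS:0x0 ID:21399 IpLen:{IP_HDR_LEN} DgmLen:{dgm_len}",
        f"Type:{icmp_type}  Code:0  ID:2   Seq:61261  {name}",
    ]
    for i in range(0, len(payload), 16):          # 16-byte hex dump rows
        chunk = payload[i:i + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart}  {asciipart}")
    return "\n".join(lines) + "\n"


# Constructed sample: three 0xAA echo requests (two sources, two hours), one
# ordinary 56-byte ping, and one echo reply that must not be counted.
SAMPLE_ALERTS = "\n".join([
    render_alert("08/18/03-18:27:28.386411", "192.0.2.10", "198.51.100.5", 8, AA_PAYLOAD),
    render_alert("08/18/03-18:40:01.000120", "192.0.2.11", "198.51.100.9", 8, AA_PAYLOAD),
    render_alert("08/18/03-18:45:00.500000", "203.0.113.7", "198.51.100.5", 8,
                 bytes(range(56)), sid="1:384:5", msg="ICMP PING"),
    render_alert("08/18/03-19:02:13.774411", "192.0.2.10", "198.51.100.77", 8, AA_PAYLOAD),
    render_alert("08/18/03-19:02:14.000000", "198.51.100.77", "192.0.2.10", 0, AA_PAYLOAD,
                 sid="1:408:5", msg="ICMP Echo Reply"),
])

HEADER_RE = re.compile(r"^(\d\d/\d\d/\d\d)-(\d\d):\d\d:\d\d\.\d+ (\S+) -> (\S+)$")
IP_RE = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} ?)+$")


def parse_alerts(text):
    """Parse blank-line-separated Snort 'full' records; keeps only ICMP ones."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"payload": bytearray()}
        for line in block.splitlines():
            if m := HEADER_RE.match(line):
                rec.update(date=m.group(1), hour=int(m.group(2)),
                           src=m.group(3), dst=m.group(4))
            elif m := IP_RE.search(line):
                rec.update(ip_len=int(m.group(1)), dgm_len=int(m.group(2)))
            elif m := ICMP_RE.match(line):
                rec.update(icmp_type=int(m.group(1)), icmp_code=int(m.group(2)))
            else:
                hexpart = line.split("  ", 1)[0]   # hex columns precede the ASCII column
                if HEX_RE.match(hexpart):
                    rec["payload"] += bytes.fromhex(hexpart.replace(" ", ""))
        if "icmp_type" in rec and "src" in rec:
            records.append(rec)
    return records


def matches_aa_echo(rec):
    """Echo request (type 8, code 0) whose data is exactly 64 bytes of 0xAA,
    with DgmLen consistent with that (20 + 8 + 64 = 92 in the quoted alert)."""
    return (rec.get("icmp_type") == 8 and rec.get("icmp_code") == 0
            and bytes(rec["payload"]) == AA_PAYLOAD
            and rec.get("dgm_len") == rec.get("ip_len", IP_HDR_LEN)
            + ICMP_HDR_LEN + len(AA_PAYLOAD))


def unique_sources_per_hour(records, only_matching=True):
    """Distinct source addresses per (date, hour) bucket, like Ken's table."""
    buckets = defaultdict(set)
    for rec in records:
        if only_matching and not matches_aa_echo(rec):
            continue
        buckets[(rec["date"], rec["hour"])].add(rec["src"])
    return {k: len(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for rec in recs:
        print(f"{rec['src']:>14} type {rec['icmp_type']} data {len(rec['payload'])}B",
              "AA-ECHO" if matches_aa_echo(rec) else "-")
    for (date, hour), n in unique_sources_per_hour(recs).items():
        print(f"{date} {hour:02d}00  {n} unique sources")
```

To run it against a real alert file, replace SAMPLE_ALERTS with the file's contents; the hour buckets then follow whatever clock Snort logged in. The 0xAA payload on its own is a weak signal (any tool that pads with 0xAA trips it), so the hour-over-hour growth in distinct sources, not a single alert, is the number worth watching before deciding on an ICMP filter at the border.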



    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 13:00:04 PDT