Re: Increasing ICMP Echo Requests

• Previous message: Pierre A. Cadieux: "RE: Software vendor clueless"
• In reply to: Ken Eichman: "Increasing ICMP Echo Requests"
• Next in thread: Ken Eichman: "Re: Increasing ICMP Echo Requests"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Ken Eichman" <keichman@cas.org>, <incidents@securityfocus.com>
Date: Mon, 18 Aug 2003 20:30:43 +0200

In the company I'm working for, we also have noticed a increasing number of ICPM request.

Seems to be related to W32.Nachi-A virus.

See : http://www.sophos.com/virusinfo/analyses/w32nachia.html
and : http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Jean-Luc Cavey
65, boulevard Brune
75014 Paris, France
+33 (0) 1 45 43 45 62
+33 (0) 6 15 93 77 96
E-Mail : Jean-Luc@Cavey.org

---- Original Message ----
From: "Ken Eichman" <keichman@cas.org>
To: <incidents@securityfocus.com>
Sent: Monday, August 18, 2003 6:24 PM
Subject: Increasing ICMP Echo Requests

> For the past 12 hours I've noticed a steady increase in the number of
> ICMP Echo Requests (type 8 code 0) being directed against random
> source addresses in my /16. During the past 15 hours we've been ping
> probed by 127,585 unique source addresses, and hour-by-hour the
> number of sources
> is increasing:
>
> Hour # Unique
> Date GMT Src Addrs
> ----- ---- ---------
> 08/18 0000 80
> 08/18 0100 232
> 08/18 0200 905
> 08/18 0300 2727
> 08/18 0400 4686
> 08/18 0500 7378
> 08/18 0600 9930
> 08/18 0700 12214
> 08/18 0800 13993
> 08/18 0900 14196
> 08/18 1000 14097
> 08/18 1100 15756
> 08/18 1200 17776
> 08/18 1300 20352
> 08/18 1400 21298
>
> I have not had time to do much analysis on this traffic, other than to
> report it to DShield who is apparently getting similar reports from
> others.
>
> Possibly related to this, we are also seeing an increased number of
> ping sweeps, where one source IP incrementally pings our entire /16
> range. Anyone else seeing this or have any ideas?
>
> Ken Eichman Senior Scientist
> Chemical Abstracts Service IT Information Security
> 2540 Olentangy River Road 614-447-3600 ext. 3230
> Columbus, OH 43210 keichman@cas.org
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical Applications
> - Precisely Define and Implement Network Security and Performance
> Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live
> Demo
> Visit us at:
> http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
> ----------------------------------------------------------------------------

================================
La presence de ce texte prouve que ce message
electronique a ete verifie par un logiciel anti-virus
à jour au moment de l'envoi.

The presence of this text proves that this e-mail
has been verified by an up-to-date anti-virus
software at the time of the sending.
================================

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
 - Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------

• Previous message: Pierre A. Cadieux: "RE: Software vendor clueless"
• In reply to: Ken Eichman: "Increasing ICMP Echo Requests"
• Next in thread: Ken Eichman: "Re: Increasing ICMP Echo Requests"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]