Re: Increasing ICMP Echo Requests

From: Jean-Luc (Jean-Luc_at_Cavey.org)
Date: 08/18/03

    To: "Ken Eichman" <keichman@cas.org>, <incidents@securityfocus.com>
    Date: Mon, 18 Aug 2003 20:30:43 +0200
    
    

    In the company I'm working for, we also have noticed an increasing number of ICMP requests.

    Seems to be related to W32.Nachi-A virus.

    See : http://www.sophos.com/virusinfo/analyses/w32nachia.html
    and : http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    Jean-Luc Cavey
    65, boulevard Brune
    75014 Paris, France
    +33 (0) 1 45 43 45 62
    +33 (0) 6 15 93 77 96
    E-Mail : Jean-Luc@Cavey.org

    ---- Original Message ----
    From: "Ken Eichman" <keichman@cas.org>
    To: <incidents@securityfocus.com>
    Sent: Monday, August 18, 2003 6:24 PM
    Subject: Increasing ICMP Echo Requests

    > For the past 12 hours I've noticed a steady increase in the number of
    > ICMP Echo Requests (type 8 code 0) being directed against random
    > source addresses in my /16. During the past 15 hours we've been ping
    > probed by 127,585 unique source addresses, and hour-by-hour the
    > number of sources is increasing:
    >
    >          Hour  # Unique
    > Date     GMT   Src Addrs
    > -----    ----  ---------
    > 08/18    0000         80
    > 08/18    0100        232
    > 08/18    0200        905
    > 08/18    0300       2727
    > 08/18    0400       4686
    > 08/18    0500       7378
    > 08/18    0600       9930
    > 08/18    0700      12214
    > 08/18    0800      13993
    > 08/18    0900      14196
    > 08/18    1000      14097
    > 08/18    1100      15756
    > 08/18    1200      17776
    > 08/18    1300      20352
    > 08/18    1400      21298
    >
    > I have not had time to do much analysis on this traffic, other than to
    > report it to DShield who is apparently getting similar reports from
    > others.
    >
    > Possibly related to this, we are also seeing an increased number of
    > ping sweeps, where one source IP incrementally pings our entire /16
    > range. Anyone else seeing this or have any ideas?
    >
    > Ken Eichman Senior Scientist
    > Chemical Abstracts Service IT Information Security
    > 2540 Olentangy River Road 614-447-3600 ext. 3230
    > Columbus, OH 43210 keichman@cas.org
    >

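    The two measurements described in the quoted message (unique Echo Request sources per GMT hour, and single sources pinging consecutive addresses) can be computed from firewall or sensor logs as follows. This is an added example, not part of either post; the log format, the 10.20.0.0/16 target range, the source addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (assumed format and addresses, not from the post).
SAMPLE_LOG = """\
2003-08-18T00:03:11Z ICMP type=8 code=0 src=192.0.2.10 dst=10.20.0.1
2003-08-18T00:03:12Z ICMP type=8 code=0 src=192.0.2.10 dst=10.20.0.2
2003-08-18T00:03:13Z ICMP type=8 code=0 src=192.0.2.10 dst=10.20.0.3
2003-08-18T00:17:40Z ICMP type=8 code=0 src=198.51.100.7 dst=10.20.113.9
2003-08-18T00:41:02Z ICMP type=0 code=0 src=203.0.113.5 dst=10.20.4.4
2003-08-18T01:02:55Z ICMP type=8 code=0 src=198.51.100.7 dst=10.20.7.201
2003-08-18T01:09:30Z ICMP type=8 code=0 src=203.0.113.5 dst=10.20.250.16
"""
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2}Z ICMP "
    r"type=(?P<type>\d+) code=(?P<code>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def echo_requests(log_text):
    """Return (hour, src, dst) tuples for ICMP Echo Requests (type 8 code 0)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (m["type"], m["code"]) == ("8", "0"):
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
            events.append((f"{m['date'][5:].replace('-', '/')} {m['hour']}00", src, dst))
    return events

def unique_sources_per_hour(events):
    """Count distinct source addresses per GMT hour, as in the quoted table."""
    seen = defaultdict(set)
    for hour, src, _dst in events:
        seen[hour].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(seen.items())}

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    run = longest = 0
    for a in sorted(addrs):
        run = run + 1 if a - 1 in addrs else 1
        longest = max(longest, run)
    return longest

def sweep_sources(events, min_run=3):
    """Sources that pinged at least min_run consecutive destination addresses."""
    targets = defaultdict(set)
    for _hour, src, dst in events:
        targets[str(src)].add(int(dst))
    return sorted(s for s, d in targets.items() if longest_run(d) >= min_run)
```

    On real data min_run would be set far higher than 3; the low default only suits the short constructed sample.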

