RE: Increasing ICMP Echo Requests

From: Robinson, Sonja (SRobinson_at_HIPUSA.com)
Date: 08/18/03

  • Next message: Robinson, Sonja: "RE: Increasing ICMP Echo Requests"
    To: 'Ken Eichman' <keichman@cas.org>, incidents@securityfocus.com
    Date: Mon, 18 Aug 2003 14:41:09 -0400
    
    

    Symantec SOC issued an alert as well about this as well. Unfortunately due
    to some agreement I'm not allowed to redistribute the notice publicly.

    Sonja Robinson, CISA
    Network Security Analyst
    HIP Health Plans
    Office: 212-806-4125
    Pager: 8884238615

    -----Original Message-----
    From: Ken Eichman [mailto:keichman@cas.org]
    Sent: Monday, August 18, 2003 12:24 PM
    To: incidents@securityfocus.com
    Subject: Increasing ICMP Echo Requests

    For the past 12 hours I've noticed a steady increase in the number of ICMP
    Echo Requests (type 8 code 0) being directed against random source addresses
    in my /16. During the past 15 hours we've been ping probed by 127,585 unique
    source addresses, and hour-by-hour the number of sources is increasing:

            Hour # Unique
    Date GMT Src Addrs
    ----- ---- ---------
    08/18 0000 80
    08/18 0100 232
    08/18 0200 905
    08/18 0300 2727
    08/18 0400 4686
    08/18 0500 7378
    08/18 0600 9930
    08/18 0700 12214
    08/18 0800 13993
    08/18 0900 14196
    08/18 1000 14097
    08/18 1100 15756
    08/18 1200 17776
    08/18 1300 20352
    08/18 1400 21298

    I have not had time to do much analysis on this traffic, other than to
    report it to DShield who is apparently getting similar reports from others.

    Possibly related to this, we are also seeing an increased number of ping
    sweeps, where one source IP incrementally pings our entire /16 range. Anyone
    else seeing this or have any ideas?

    Ken Eichman Senior Scientist
    Chemical Abstracts Service IT Information Security
    2540 Olentangy River Road 614-447-3600 ext. 3230
    Columbus, OH 43210 keichman@cas.org

    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us
    at:
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------

    **********************************************************************
    CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments to it, may contain confidential information or protected health information subject to privacy regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This transmission is intended only for the use of the recipient(s) named above. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail and destroy the original transmission in its entirety without saving it in any manner.

    **********************************************************************

    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at:
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------


  • Next message: Robinson, Sonja: "RE: Increasing ICMP Echo Requests"