In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes:
>Ewen McNeill <ewen(a)naos.co.nz> writes:
>> Is anyone else seeing very high volumes of ICMP echo requests today (ie,
>> in the order of hundreds/thousands per second)? [....]
>
>Welchia used pings, not Blaster.A IIRC. I've seen Welchia at around
>180 packets/second on a LAN and it seems to do a strictly linear scan,
>so it doesn't sound like that either.
>
>What do the ping packets look like?
block in on ste7: [internal ip] > [victim ip]: icmp: echo request
4500 005c 58fa 0000 7f01 4929 0a04 0102
3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa
Not very exciting. All the ones I've looked at contain the same thing
(ie IP and ICMP headers, and then filled to minimum packet size with
0xaa bytes).
And the addresses aren't always as random as I first thought. When I
narrow my scope down to one of the "infected" machines as a source,
I sometimes see it walking netblocks sequentially (eg, one internal ip
just walked all (most?) of 61.243/16).
But when it got to the end of that, the pattern got less predictable
again, hitting IPs in about a dozen different /24s in an overlapped
fashion (from the same internal IP). (Perhaps it's getting upset at
getting no replies; I've been dropping it at the firewall since I noticed
it happening.)
I'm seeing around 6000 per second from a single IP address (ie, around
100/second) outgoing hitting the firewall. (It's easy to track a
single IP address as these are internal ips; obviously tracking it from
the "other end" would be considerably harder.)
So I'm pretty much convinced those desktops have "caught" something,
I'm just not sure what it is. (And since this client does mail filtering
for spam/viruses/etc it's less likely to be a known email virus/worm.)
Ewen
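[Editor's note, added to this archived message: the following is a worked decode of the hex dump quoted above. It is my own code, not part of Ewen's or James's messages, and uses only the Python standard library. It unpacks the IPv4 and ICMP headers, verifies both checksums, and compares the IP Total Length field (92) against what the dump actually holds (68 bytes), which shows the capture was cut at tcpdump's snaplen. The "matches_posted_pattern" predicate is a name I chose for a filter an analyst might use to count packets of this shape; it is not a signature for any particular worm.]

```python
import struct
import ipaddress

# The tcpdump -x hex dump quoted in the post (68 bytes captured).
DUMP_HEX = """
4500 005c 58fa 0000 7f01 4929 0a04 0102
3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa
"""


def hexdump_to_bytes(text):
    """Turn tcpdump -x style '4500 005c ...' text into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words.  Run over a
    header that already carries a correct checksum field it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_icmp(pkt):
    """Decode the IPv4 header and, for protocol 1, the ICMP header and
    payload.  Returns the fields an analyst triages on."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "total_length": total_len,        # length on the wire
        "captured_length": len(pkt),      # length present in the dump
        "truncated": len(pkt) < total_len,
        "ip_id": ident,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:  # ICMP
        itype, icode, _icsum, iid, iseq = struct.unpack(
            "!BBHHH", pkt[ihl:ihl + 8])
        payload = pkt[ihl + 8:]
        info.update({
            "icmp_type": itype,           # 8 = echo request
            "icmp_code": icode,
            "icmp_id": iid,
            "icmp_seq": iseq,
            "icmp_checksum_ok": inet_checksum(pkt[ihl:]) == 0,
            "payload_len": len(payload),
            "payload_byte_values": sorted(set(payload)),
        })
    return info


def matches_posted_pattern(info):
    """True for an ICMP echo request whose captured payload is nothing
    but 0xaa filler, i.e. the shape of the packets in the post."""
    return (info.get("icmp_type") == 8 and info.get("icmp_code") == 0
            and info.get("payload_byte_values") == [0xAA])


if __name__ == "__main__":
    decoded = parse_ip_icmp(hexdump_to_bytes(DUMP_HEX))
    for key, value in decoded.items():
        print("%-20s %s" % (key, value))
    print("matches posted pattern:", matches_posted_pattern(decoded))
```

Two things worth noting when reading the output. First, the ICMP checksum verifies over the truncated capture as well as it would over the full packet: three 16-bit words of 0xaaaa sum to 0xffff in one's complement, which is zero, so any run of 0xaa filler whose length in words is the same modulo 3 gives the same checksum. A passing ICMP checksum therefore says nothing about the 24 bytes the snaplen cut off. Second, a TTL of 127 is one below 128, the default initial TTL of Windows hosts, which fits a sender one hop from the capture point.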
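[Editor's note, added to this archived message: the following is a small triage script of my own, not part of Ewen's message, that characterises the per-source behaviour he describes (a sequential walk through a netblock, then scattered hits across a dozen /24s, at a high rate). It parses pflog-via-tcpdump lines in the format quoted above, assumed here to carry a leading HH:MM:SS.usec timestamp, groups them by source, and reports packet count, peak per-second rate, the longest run of destinations stepping by exactly +1, and the number of distinct /24s touched. The log lines and the flag thresholds are constructed for illustration, not taken from the client's real traffic.]

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Line format assumed here: the pflog text quoted in the post, prefixed
# with a tcpdump-style HH:MM:SS.usec timestamp (an assumption; the post
# shows no timestamp).
LINE_RE = re.compile(
    r"^(?P<sec>\d{2}:\d{2}:\d{2})\.\d+ block (?:in|out) on \S+: "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): icmp: echo request$"
)

RATE_FLAG = 50   # packets/second from one source before we flag it (chosen here)
RUN_FLAG = 32    # consecutive +1 destinations before calling it a walk (chosen here)
NETS_FLAG = 8    # distinct /24s from one source before calling it scattered (chosen here)


def make_sample_log():
    """Constructed sample, not real traffic: 10.4.1.2 walks 61.243.0.0/24
    sequentially in one second, then hops across twelve /24s the next
    second; 10.4.1.9 sends three ordinary pings to one gateway."""
    lines = []
    for i in range(1, 61):
        lines.append("12:00:01.%06d block in on ste7: 10.4.1.2 > 61.243.0.%d: "
                     "icmp: echo request" % (i * 1000, i))
    for i in range(1, 37):
        lines.append("12:00:02.%06d block in on ste7: 10.4.1.2 > 61.243.%d.%d: "
                     "icmp: echo request" % (i * 1000, 100 + i % 12, (i * 37) % 250 + 1))
    for i in range(1, 4):
        lines.append("12:00:0%d.500000 block in on ste7: 10.4.1.9 > 10.4.1.1: "
                     "icmp: echo request" % i)
    return lines


def triage(lines):
    """Group echo requests by source and describe each source's behaviour."""
    by_src = defaultdict(list)                     # src -> [(second, dst_as_int)]
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_src[m["src"]].append((m["sec"], int(ipaddress.IPv4Address(m["dst"]))))

    report = {}
    for src, events in by_src.items():
        dsts = [d for _, d in events]
        run = best_run = 1                         # longest strictly +1 sequence
        for a, b in zip(dsts, dsts[1:]):
            run = run + 1 if b - a == 1 else 1
            best_run = max(best_run, run)
        nets = {d >> 8 for d in dsts}              # /24 prefixes touched
        peak = max(Counter(sec for sec, _ in events).values())
        flags = []
        if peak >= RATE_FLAG:
            flags.append("high rate")
        if best_run >= RUN_FLAG:
            flags.append("linear walk")
        if len(nets) >= NETS_FLAG:
            flags.append("scattered across /24s")
        report[src] = {
            "packets": len(dsts),
            "peak_per_second": peak,
            "longest_linear_run": best_run,
            "slash24s": len(nets),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for src, row in sorted(triage(make_sample_log()).items()):
        print(src, row)
```

Feed it the real pflog output (tcpdump -n -e -ttt -r /var/log/pflog, or whatever produced the quoted line) and the per-source rows separate a host that is sweeping from a host that is merely pinging its gateway; the longest +1 run is the figure that distinguishes a linear walk from the overlapped /24 pattern, since both can show a high rate.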