Okay. Silly me. Routing problems combined with not having black holed aggregate networks, so the ICMP requests with the same sequence numbers were in fact the same packet, just bouncing back and forth across a link.

I know, I know. Throw tomatoes (I know I won't be lucky enough to have any beer thrown at me). *grumbles to self*.

If I get any redemption at all, it's 02:10 here in Iceland right now and -8, so I'm sure I can try to claim my brain is simply not working right now ;-).

Aj is going to call me a noob now. Woohoo!

Regards,
Anton

On Tue, February 6, 2007 13:47, Anton Smith wrote:
Hi all,
Just wondering if anyone else has noticed elevated ICMP levels. I'm seeing a lot of what looks like ICMP from infected machines, both coming into our network and leaving it. Always with the same sequence number and going to and from many different machines:
e.g.
13:41:45.682360 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:41:45.682395 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:41:45.684098 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:41:45.684185 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
and
13:45:23.759952 IP 203.110.28.211 > 24.149.23.167: icmp 41: echo request seq 39506
13:45:23.764000 IP 203.110.28.211 > 24.149.63.81: icmp 41: echo request seq 39762
13:45:23.764046 IP 203.110.28.211 > 24.149.20.160: icmp 41: echo request seq 40018
13:45:23.764426 IP 203.110.28.211 > 24.149.134.141: icmp 41: echo request seq 40274
13:45:23.766189 IP 203.110.28.211 > 24.149.81.135: icmp 41: echo request seq 40530
Seems to be the same sequence number for the same destination host. There are hundreds/thousands of these every second and it seems to be ongoing.
Just wondering if it is just us.
Regards,
Anton
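
Added example, not part of the original thread: a short Python check over tcpdump lines from the post that flags an identical echo request (same source, destination, length and sequence number) captured several times within a short window, the pattern the reply attributes to one packet bouncing back and forth across a link. The `window` and `min_copies` thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict

# Sample input: seven of the tcpdump lines quoted in the post.
SAMPLE = """\
13:41:45.682360 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:41:45.682395 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:41:45.684098 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:41:45.684185 IP 196.211.95.177 > 202.65.160.195: icmp 72: echo request seq 20041
13:45:23.759952 IP 203.110.28.211 > 24.149.23.167: icmp 41: echo request seq 39506
13:45:23.764000 IP 203.110.28.211 > 24.149.63.81: icmp 41: echo request seq 39762
13:45:23.764046 IP 203.110.28.211 > 24.149.20.160: icmp 41: echo request seq 40018
"""

LINE = re.compile(
    r"(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): icmp (\d+): echo request seq (\d+)"
)


def parse(text):
    """Yield (seconds, src, dst, length, seq) for each echo request line."""
    for m in LINE.finditer(text):
        h, mi, s, src, dst, length, seq = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(length), int(seq)


def find_repeats(text, window=1.0, min_copies=3):
    """Map (src, dst, length, seq) -> copies for requests captured repeatedly.

    The same tuple seen min_copies or more times within `window` seconds is
    consistent with one packet re-crossing the capture point (a routing loop),
    not with many distinct pings. Both thresholds are assumed values.
    """
    seen = defaultdict(list)
    for ts, src, dst, length, seq in parse(text):
        seen[(src, dst, length, seq)].append(ts)
    repeats = {}
    for key, times in seen.items():
        times.sort()
        if len(times) >= min_copies and times[-1] - times[0] <= window:
            repeats[key] = len(times)
    return repeats


if __name__ == "__main__":
    for (src, dst, length, seq), n in find_repeats(SAMPLE).items():
        print(f"{src} > {dst} seq {seq} len {length}: {n} copies")
```

Capturing with `tcpdump -v` also prints each packet's TTL; a TTL that drops from one copy to the next confirms a loop rather than a sender retransmitting.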