Hi Tikiri,
Are you able to dump a packet? Most worms etc. have an identifying stream, i.e. Nachi had hex 'a'.
Cheers Steve.
----- Original Message -----
From: "Tikiri Wicks"
To:
Sent: Wednesday, October 22, 2003 11:15 PM
Subject: [nznog] Not a virus - Windows 2000 PC's auto generating icmp packet floods

Thanks for the feedback so far, but it's not viruses. Virus checks turned up nothing and it's definitely not the Blaster virus, as all the machines were patched for that when it came out. I've used both Norton as well as F-Secure to check the PC's but nothing turns up. There is nothing special about these PC's either: standard build of Windows 2000 and most probably installed from the same disk set. Master Browser discovery??? But that I thought was NetBIOS.
Still hunting :-(
----- Original Message -----
From: "Tikiri Wicks"
To:
Sent: Wednesday, October 22, 2003 10:47 PM
Subject: [nznog] Windows 2000 PC's auto generating icmp packet floods

Hi
Just wondering if anyone can shed some light on this. 13 PC's in a network of about 300 PC's keep incrementally pinging everything in
My apologies if this is really off topic for this list. I'm just desperate for help.
Right now I can contain it by blocking ICMP at the central routers. However, we are now getting bombed from the Internet side with ICMP packets very similar to what we are seeing on the internal network. The number of ICMP packets per second received from the Internet side looks like it's growing.
I dumped the contents of a number of the packets and it is all random binary data. The contents of one packet are attached.
Used: tcpdump -i eth1 -w testcap -c 1 icmp
This network is a WAN encompassing almost all the PC's at the government of Seychelles.
There are two distinct behaviours: some of the machines are incrementally pinging, counting through IP's, while others are just pinging at random.
Incremental counting example:
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.1 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.10 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.100 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.101 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.102 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.103 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.104 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.105 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.106 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.107 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.108 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.109 echo req
This is a list of packets generated to random IP's by one of the buggered machines within one second.
----- Original Message -----
From: "Steven Schmidt"
their netmask. For example, a PC with IP 172.20.10.2 will start pinging 172.20.10.1 and ping all the way up to 172.20.10.255; then it starts over. These are all Windows 2000 machines, and each one is generating about a hundred ICMP packets per second, incrementally counting through every destination IP in their netmask. If I change one of the machines' netmask to /16 then it starts pinging everything in that entire class B, starting at 1.1 and incrementally counting up to the top. These are all normal Windows 2000 PC's.
Does anyone have an idea on this ???
Cheers
Tikiri
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
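One way to triage the behaviour Tikiri describes from the log format he quotes, as an added example that is not part of the thread: it groups echo requests per source host, separates a host sweeping a single subnet from one hitting unrelated addresses, and reports the peak per-second rate so that candidates for the "about a hundred packets per second" hosts stand out. The sample lines are taken from the excerpt above plus one constructed line for a quiet host; the min_pkts threshold and the /24 grouping are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Sample input: lines from the thread's own log excerpt plus one constructed
# line for a quiet host (172.20.13.7) that should not be flagged.
SAMPLE_LOG = """\
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.1 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.10 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.100 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.101 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.201.148.92 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.106.165.163 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.2.207.62 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 139.224.2.109 echo req
Wed Oct 22 10:06:50 2003 ICMP eth1 92 bytes 172.20.13.7 172.20.13.1 echo req
"""

LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ (\d\d:\d\d:\d\d) \d{4} ICMP \S+ \d+ bytes "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) echo req$"
)

def parse(log):
    """Yield (time, src, dst) for each echo-request line; ignore other lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def classify(log, min_pkts=3):
    """Map each source sending >= min_pkts echo requests to
    (pattern, packet count, peak packets in one second).  All targets in a
    single /24 = 'subnet sweep' (the incremental hosts); otherwise 'random'."""
    per_src = defaultdict(list)
    for t, src, dst in parse(log):
        per_src[src].append((t, int(ipaddress.ip_address(dst))))
    report = {}
    for src, events in per_src.items():
        if len(events) < min_pkts:
            continue
        prefixes = {dst >> 8 for _, dst in events}  # distinct /24s targeted
        pattern = "subnet sweep" if len(prefixes) == 1 else "random"
        peak = max(Counter(t for t, _ in events).values())
        report[src] = (pattern, len(events), peak)
    return report

if __name__ == "__main__":
    for src, (pattern, n, peak) in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src}: {pattern}, {n} echo requests, peak {peak}/s")
```

Feed it the output of the same logger over a longer window and the sweeping hosts show up as "subnet sweep" with a high peak, while the one hitting external addresses shows up as "random".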