Re: [nznog] High volumes of ICMP echo request (type 8)
In message <20031013102226.GQ14751(a)citylink.co.nz>, Simon Blake writes:
> On Mon, Oct 13, 2003 at 04:51:08PM +1300, Ewen McNeill said:
>> And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests
> Just a small point of protest here, there isn't higher volumes of anything floating around Citylink
And to be fair, it's ages since I've had reason to look, so "higher than I'd expect" is probably a pretty low standard. And a chunk of the volume was definitely NAT'd traffic outgoing; but not all of it. So these various worms are clearly still drifting about. You may well be right however that it was (mostly|just) stuff that was routed to/from that 'net; the volumes were such that it was difficult to get an accurate picture of exactly which addresses were involved in it at the time. Sorry for implying otherwise.
> Increased worm probing tends to manifest as increased ARP requests, rather than ICMP packets. That, FWIW, is why 95% of all the noise-to-every-port on Citylink is ARP requests to unused IP numbers.
Likewise on the TelstraClear cable network -- there's a steady background level of ARP requests all the time, good for keeping the incoming data light flickering away to itself.

Ewen
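Added example, not part of the original thread: one way to measure the "ARP requests to unused IP numbers" share discussed above from tcpdump-style text output. The sample lines and addresses are constructed, the function name is hypothetical, and it assumes the capture point (for example the router or a mirror port) also sees the unicast ARP replies.

```python
import re
from collections import Counter

# tcpdump text forms: "ARP, Request who-has X tell Y," / "ARP, Reply X is-at MAC,"
REQ = re.compile(r"ARP, Request who-has (\S+) tell ([^,\s]+)")
REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")

# Constructed sample capture (addresses are made up for illustration).
SAMPLE = """\
12:00:00.10 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 46
12:00:00.11 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 46
12:00:01.20 ARP, Request who-has 10.0.0.57 tell 10.0.0.1, length 46
12:00:01.21 ARP, Request who-has 10.0.0.58 tell 10.0.0.1, length 46
12:00:02.20 ARP, Request who-has 10.0.0.57 tell 10.0.0.1, length 46
12:00:02.30 ARP, Request who-has 10.0.0.59 tell 10.0.0.1, length 46
12:00:02.40 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 46
12:00:02.41 ARP, Reply 10.0.0.1 is-at 00:aa:bb:cc:dd:01, length 46
12:00:03.00 ARP, Request who-has 10.0.0.60 tell 10.0.0.1, length 46
""".splitlines()

def summarise_arp(lines):
    """Count ARP requests and split out those for addresses nobody answered for."""
    requests = Counter()   # (asker, target) -> number of requests seen
    answered = set()       # addresses that sent at least one ARP reply
    for line in lines:
        m = REQ.search(line)
        if m:
            requests[(m.group(2), m.group(1))] += 1
            continue
        m = REP.search(line)
        if m:
            answered.add(m.group(1))
    unanswered = 0
    dark_by_asker = {}     # asker -> set of targets that never replied
    for (asker, target), n in requests.items():
        if target not in answered:
            unanswered += n
            dark_by_asker.setdefault(asker, set()).add(target)
    return {
        "total_requests": sum(requests.values()),
        "unanswered_requests": unanswered,
        "dark_targets_by_asker": {a: sorted(t) for a, t in dark_by_asker.items()},
    }

if __name__ == "__main__":
    s = summarise_arp(SAMPLE)
    print(f"{s['unanswered_requests']}/{s['total_requests']} ARP requests were for unused addresses")
    for asker, targets in s["dark_targets_by_asker"].items():
        print(f"  {asker} asked for {len(targets)} unused addresses: {', '.join(targets)}")
```

A router that tops the list is usually relaying inbound scans of the subnet, which matches the point above that probing shows up on the LAN as ARP rather than as the ICMP itself.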