High volumes of ICMP echo request (type 8)
Hi,
Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)?
At one client I've been seeing in the order of 2000+ ICMP echo requests per minute from each of four different desktops (desktop support is tracking down the relevant desktops now) to IP addresses all over the net.
And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses.
I'm aware that some worms use this as part of their probing/spreading (eg, MS Blaster) but not of any newly released worm (or worm due to make a comeback at present), so I'm a bit puzzled at its "sudden" appearance.
Ewen
Ewen McNeill said:
Hi,
Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)?
At one client I've been seeing in the order of 2000+ ICMP echo requests per minute from each of four different desktops (desktop support is tracking down the relevant desktops now) to IP addresses all over the net.
And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses.
I'm aware that some worms use this as part of their probing/spreading (eg, MS Blaster) but not of any newly released worm (or worm due to make a comeback at present), so I'm a bit puzzled at its "sudden" appearance.
The Ping War of 2003 has begun. -- Juha
Yep heaps here. It's like they sync'd because I get bursts of 20 or 30 per
second, then just a few for a few seconds, then bursts again :/
Barry
----- Original Message -----
From: "Ewen McNeill"
Hi,
Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)?
At one client I've been seeing in the order of 2000+ ICMP echo requests per minute from each of four different desktops (desktop support is tracking down the relevant desktops now) to IP addresses all over the net.
And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses.
I'm aware that some worms use this as part of their probing/spreading (eg, MS Blaster) but not of any newly released worm (or worm due to make a comeback at present), so I'm a bit puzzled at its "sudden" appearance.
Ewen
Ewen McNeill
Hi,
Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)?
At one client I've been seeing in the order of 2000+ ICMP echo requests per minute from each of four different desktops (desktop support is tracking down the relevant desktops now) to IP addresses all over the net.
And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses.
Welchia used pings, not Blaster.A IIRC. I've seen Welchia at around 180 packets/second on a LAN and it seems to do a strictly linear scan, so it doesn't sound like that either.
What do the ping packets look like?
cheers,
Jamie
--
James Riden / j.riden(a)massey.ac.nz / Systems Programmer - Security Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
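Added example, not part of the original thread: a small triage script for the question raised above, reporting each source's peak echo-request rate per minute and whether its targets look like a strictly linear sweep or scattered addresses. The record format, the threshold of 1000 per minute, the 0.9 linearity cut-off and all addresses are assumptions made for illustration; the sample traffic is constructed.

```python
import ipaddress
import random
from collections import defaultdict

def summarise(records, per_minute_threshold=1000):
    """records: (epoch_seconds, src, dst, icmp_type) tuples, e.g. parsed from a
    capture. Reports sources whose busiest minute reaches the threshold
    (the threshold value is an assumption, tune it to your own baseline)."""
    per_minute = defaultdict(lambda: defaultdict(int))  # src -> minute -> count
    dsts = defaultdict(list)                            # src -> dst ints, in order
    for ts, src, dst, icmp_type in records:
        if icmp_type != 8:                              # echo requests only
            continue
        per_minute[src][int(ts) // 60] += 1
        dsts[src].append(int(ipaddress.IPv4Address(dst)))
    report = {}
    for src, minutes in per_minute.items():
        peak = max(minutes.values())
        if peak < per_minute_threshold:
            continue
        seq = dsts[src]
        # Share of consecutive probes that hit the next address up: close to 1
        # for a strictly linear sweep, close to 0 for randomly chosen targets.
        plus_one = sum(1 for a, b in zip(seq, seq[1:]) if b - a == 1)
        linear = plus_one / max(len(seq) - 1, 1)
        report[src] = {
            "peak_per_minute": peak,
            "distinct_dsts": len(set(seq)),
            "pattern": "linear" if linear > 0.9 else "scattered",
        }
    return report

def constructed_capture():
    """Constructed sample traffic (not from the thread), all inside one minute."""
    rng = random.Random(2003)
    base = int(ipaddress.IPv4Address("198.51.100.0"))
    recs = []
    for i in range(2400):   # host .11: 2400 requests/minute to random addresses
        recs.append((i * 0.025, "10.0.0.11", str(ipaddress.IPv4Address(rng.getrandbits(32))), 8))
    for i in range(1800):   # host .12: 180 packets/second, sequential targets
        recs.append((i / 180, "10.0.0.12", str(ipaddress.IPv4Address(base + i)), 8))
    for i in range(5):      # host .13: ordinary ping of its gateway, with replies
        recs.append((i, "10.0.0.13", "10.0.0.1", 8))
        recs.append((i + 0.001, "10.0.0.1", "10.0.0.13", 0))
    return recs

if __name__ == "__main__":
    for src, info in summarise(constructed_capture()).items():
        print(src, info)
```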
Evening all.
On Mon, Oct 13, 2003 at 04:51:08PM +1300, Ewen McNeill said:
And snooping on Citylink (which is implemented as a big LAN) shows much-higher-than-I'd-normally-expect volumes of ICMP echo requests flying around from all sorts of random addresses to all sorts of other random addresses.
Just a small point of protest here, there aren't higher volumes of anything floating around Citylink - due to some extra filtering and whining at ISPs from yours truly, noise levels have been lower in the last couple of months than any time in the previous year. If you're seeing elevated echo request volumes on your Citylink tail, it's because somebody is sending them to your router from the Interweb - it's not something magically endemic to WIX, it is a big LAN, but it's certainly not a big hub.
Increased worm probing tends to manifest as increased ARP requests, rather than ICMP packets. That, FWIW, is why 95% of all the noise-to-every-port on Citylink is ARP requests to unused IP numbers. 3% is flooding unicast, and about 2% is the noise that everybody actually grizzles about (IPX, Appletalk, RIP, OSPF, Netbios announcements and the usual other blah).
The ARP noise is quite dependent on worm activity levels, which is why I'm on at various ISPs to filter their unused IP space (about 50% of the ARP traffic is localised around two ISPs, as most ISPs are filtering already) - although traffic levels are low at the moment, it can blow out pretty quickly.
ISPs (in fact, anybody who runs a public IP subnet over APE or WIX), please null route the numbers in those subnets that you don't use, if you don't already. If nothing else, it'll stop other users filching traffic from you.
Cheers
Si
participants (5)
- Barry Murphy
- Ewen McNeill
- James Riden
- Juha Saarinen
- Simon Blake