Re: [nznog] High volumes of ICMP echo request (type 8)
In message <874qyd4v8f.fsf(a)it029205.massey.ac.nz>, James Riden writes:
> Ewen McNeill writes:
>> Is anyone else seeing very high volumes of ICMP echo requests today (ie, in the order of hundreds/thousands per second)? [....]
>
> Welchia used pings, not Blaster.A IIRC. I've seen Welchia at around 180 packets/second on a LAN and it seems to do a strictly linear scan, so it doesn't sound like that either.
>
> What do the ping packets look like?
block in on ste7: [internal ip] > [victim ip]: icmp: echo request
4500 005c 58fa 0000 7f01 4929 0a04 0102
3df3 5085 0800 c9c8 0200 d6e1 aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa

Not very exciting. All the ones I've looked at contain the same thing (ie IP and ICMP headers, and then filled to minimum packet size with 0xaa bytes).

And the addresses aren't always as random as I first thought. When I narrow my scope down to one of the "infected" machines as a source, I sometimes see it walking netblocks sequentially (eg, one internal ip just walked all (most?) of 61.243/16). But when it got to the end of that, the pattern got less predictable again, hitting IPs in about a dozen different /24s in an overlapped fashion (from the same internal IP). (Perhaps it's getting upset at getting no replies; I've been dropping it at the firewall since I noticed it happening.)

I'm seeing around 6000 per second from a single IP address (ie, around 100/second) outgoing hitting the firewall. (It's easy to track a single IP address as these are internal ips; obviously tracking it from the "other end" would be considerably harder.)

So I'm pretty much convinced those desktops have "caught" something, I'm just not sure what it is. (And since this client does mail filtering for spam/viruses/etc it's less likely to be a known email virus/worm.)

Ewen
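Decoding the dump above in Python, as an added example that is not part of the thread. The capture shows 68 bytes while the IP total-length field says 92 (the capture was truncated at tcpdump's old default snaplen of 68), so the code pads the missing bytes with 0xaa as the post describes; that padding is an assumption, but the ICMP checksum only verifies if it holds, which turns the "headers plus 0xaa fill" description into a checkable signature.

```python
import struct
from ipaddress import IPv4Address

# The dump exactly as printed in the post: tcpdump -x style, 68 bytes captured.
POST_DUMP = ("4500 005c 58fa 0000 7f01 4929 0a04 0102 3df3 5085 "
             "0800 c9c8 0200 d6e1" + " aaaa" * 20)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when the embedded checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_echo_dump(dump: str, fill: int = 0xAA) -> dict:
    """Decode an IPv4/ICMP hex dump. Bytes lost to the capture snaplen are
    assumed (as the post states) to be more of the fill byte."""
    pkt = bytes.fromhex(dump.replace(" ", ""))
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _ipck,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl != 20 or proto != 1:
        raise ValueError("not a plain IPv4/ICMP packet")
    captured = len(pkt)
    if total_len > captured:                      # truncated capture: pad it out
        pkt += bytes([fill]) * (total_len - captured)
    icmp = pkt[ihl:total_len]
    itype, code, _icck, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "ip_len": total_len, "captured": captured,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code, "echo_id": echo_id, "seq": seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload_len": len(payload),
        "payload_is_fill": payload == bytes([fill]) * len(payload),
    }

def looks_like_fill_scanner(info: dict) -> bool:
    """The signature the post describes: echo request whose whole payload is one
    fill byte, with an ICMP checksum that agrees (so the padding guess was right)."""
    return (info["icmp_type"] == 8 and info["icmp_code"] == 0
            and info["payload_is_fill"] and info["icmp_checksum_ok"])

if __name__ == "__main__":
    info = parse_echo_dump(POST_DUMP)   # src 10.4.1.2 -> 61.243.80.133, TTL 127
    print(info, looks_like_fill_scanner(info))
```

The decoded destination falls in the 61.243/16 block the post mentions, and TTL 127 is one hop below the Windows default of 128, consistent with infected desktops one router away.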