Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: [UPDATE] ping floods

From: "Abraham, Antony (Cognizant)" <Antony () blr cognizant com>
Date: Mon, 18 Aug 2003 20:59:33 +0530
All,

It might be this new worm, have a look at 

http://vil.nai.com/vil/content/v_100559.htm 

New RPC worm which will generate lot of ICMP traffic.

Thanks,

Antony Abraham 

-----Original Message-----
From: B3r3n () argosnet com [mailto:B3r3n () argosnet com] 
Sent: Monday, August 18, 2003 6:56 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] [UPDATE] ping floods

All,

What we have here at the moment is the following:

1) IntraNet machines are pinging to random IP addresses (both targetting
our IntraNet and outside)

2) From time to time, when a particular machine is pinging from a
subnet, it appears some new machines on that subnet are starting to ping
too.

3) these pings, grouped together, creates flooding (even if singlely
they seems to be ping with a 1/3s TTL delay) impacting the whole
IntraNet.

4) Checking a machine part of this ping "flood", we found nothing
suspicious (no unknown program, ...) but we dont master Windows
technology. The box was antivirused with a well-known vendor solution,
up-to-date in its virus definitions.

Our assumptions is this might be a brand new worm, not yet known to
antivirus companies (no news/alerts on their sites).

To solve, we applied on our routers routing the ICMP requests an
access-list to bar these requests. This globally solved the problem
until we can be able to solve each machine.

Thanks

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Attachment: InterScan_Disclaimer.txt
Description:

Previous By Date Next
Previous By Thread Next

Current thread: