Security Incidents mailing list archives

Re: Huge outgoing ICMP flows


From: robinton () GMX de (Soeren Ziehe)
Date: 15 Jun 2001 11:45:00 +0100

In article <Pine.LNX.4.33L2.0106131355060.701-100000 () ryoko tokimi net> [13 Jun 01]
   Chris Ess  <azarin () tokimi net> wrote:

But type=0, code=0 (or is it the other way round?) is a ping.  If
I'm interpreting your table correctly, there are 6,575 pings
registered from one host and 5,735 from another.  So, yes, it is
possible that these machines are being used for an ICMP ping DoS
(AKA smurf attack).

It could also be that these machines are "infected" with a trojan and
are part of a DDOS (e.g. part of a "bot net").
I'd recommend further investigation.

Robinton

-- 
Keyboard not found. Please press a key to continue...


