Security Incidents mailing list archives
Re: Tracking down random ICMP
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 02 Feb 2007 17:25:28 -0600
On Mon, 2007-01-22 at 09:19 -0400, Craig Chamberlain wrote:
> Seem to be seeing more random bursts of ICMP traffic - sometimes unidirectional - with remote destinations that are mostly inexplicable. Wondering if it's a covert control channel of some sort - if so I can see why they chose ICMP - often allowed through firewalls and it seems to be hard to determine the originating process in Windows.
The Allaple worm has been making its rounds on the Internet as of late. It scans seemingly random IP addresses first with a customized ICMP Echo in order to find targets that it could spread to. The payload of the customized ping looks almost normal, except for the leading capital B before the "abcdef..." payload. We got Snort sigs for that at www.bleedingthreads.net

Those Allaple Pings are currently on the top of the list of scan packets on our radar, followed by VNC scans. Also of notice is the recent uptick in POP3/FTP/IMAP brute force attempts. Looks like some botnet got fat enough for the herder to switch to engage the brute-o-matic.

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
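As an added illustration (not code from the list post, nor one of the Snort signatures it mentions), the following Python checker parses raw IPv4/ICMP frames, verifies the ICMP checksum, and flags echo requests whose payload starts with the capital B before "abcdef" described above. The packets, addresses and payloads are constructed for testing; the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" payload is assumed as the normal Windows ping payload that the modified one resembles.

```python
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed IPv4 + ICMP echo request (no IP options, IP checksum left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7]))  # constructed addresses
    return ip + icmp


def classify_icmp(packet: bytes) -> str:
    """Return 'allaple-like', 'echo-request', 'not-echo' or 'malformed' for one raw IPv4 frame."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # protocol field must be ICMP (1)
        return "not-echo"
    icmp = packet[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 8 or code != 0:  # only echo requests are of interest here
        return "not-echo"
    if icmp_checksum(icmp) != 0:  # a valid checksum sums to zero over the whole message
        return "malformed"
    payload = icmp[8:]
    # The page describes the scanner's tell as a leading capital B before "abcdef..."
    if payload.startswith(b"Babcdef"):
        return "allaple-like"
    return "echo-request"


def summarize(packets) -> dict:
    """Count classifications over an iterable of raw frames, e.g. from a pcap reader."""
    counts = {}
    for pkt in packets:
        label = classify_icmp(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts
```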