Snort mailing list archives
Re: RE: ICMP PING CyberKit 2.2 Windows
From: Wes Zuber <wes () uia net>
Date: Fri, 22 Aug 2003 13:25:54 -0700
Hi there, I work for a small ISP in Southern California. We have filtered off all pings that are 92 bytes in length.
See this article: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801b143a.shtml

As I believe many ISPs are currently doing. We have observed that one infected machine can run the CPU load up on a 2501 router to 99%. Packets start dropping at that point. So bandwidth is not so much the issue as number of packets and ARP requests.

Thanks,
--Wes

On Wednesday, August 20, 2003, at 10:36 AM, Bryan Irvine wrote:
I had to switch off that alert after I received 70,000 of them in the first day. I'll switch it back on and let you know. Is the bandwidth finally going back to normal?

--Bryan

On Wed, 2003-08-20 at 09:32, Mike Feetham wrote:

Between Monday and Tuesday we saw over 10,000 hits on our Class C. Between yesterday and today that number dropped to about 3,000. Today, we're not seeing any. My only guess is that our ISPs are blocking them (Allstream and Worldcom). Has anyone else seen this behaviour?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Eric Greenberg
Sent: Wednesday, August 20, 2003 9:46 AM
To: nelsbels () cableone net; 'Stevo'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

We noted this on Monday and the pings have been increasing at a very high rate. It is concerning. We have disabled ping (and ICMP for that matter) on all the servers where practical. You can do this in the firewall (easiest solution) or from within the operating system (e.g. the Linux kernel, recompile).

Regards,
Eric Greenberg
Chief Technical Officer
NetFrameworks, Inc.
http://www.NetFrameworks.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of nelsbels () cableone net
Sent: Tuesday, August 19, 2003 11:08 PM
To: 'Stevo'; snort-users () lists sourceforge net
Subject: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

Check this out: (This is from incidents.org)

Over the last few hours, sensors detected a remarkable increase in ICMP traffic.
At this point, we assume that the traffic is linked to the 'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm

The worm is also known as 'Welchia' (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

While the investigation is still in progress, we did identify so far the following characteristics:
- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)

Source-Target correlation fingerprints
ICMP Data: http://isc.sans.org/images/icmpfp.png
all Data: http://isc.sans.org/images/allfp.png
port 135: http://isc.sans.org/images/port135fp.png

Sample Packet (target IP obfuscated)

    0x0000 4500 005c 2dc8 0000 7901 66a6 4349 919e  E..\-...y.f.CI..
    0x0010 xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa  ......3...m.....
    0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
    0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
    0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa  ................
    0x0050 aaaa aaaa aaaa aaaa aaaa aaaa            ............

Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".

So what's the deal with the 72000 odd ICMP PING CyberKit 2.2 Windows alerts I've got in the past few days?? It's frickin crazy... I've read the posts on here, but what is actually causing this and is there anything I can do at my perimeter to stop these ICMP messages hitting my network?? It's just annoying and I don't want to remove the rule that picks up on the ICMP PING CyberKit 2.2 Windows!!

Ideas??
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
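The thread above describes the Welchia/Nachi echo-request fingerprint (92-byte IPv4 total length, ICMP type 8 code 0, a 64-byte payload of 0xAA) and the blunt mitigation of dropping every 92-byte ping. The following is an added example, not code from the thread, Snort or the ISC: a small parser that checks a raw IPv4/ICMP packet against that content fingerprint rather than against its source address (the ISC note says some sources are spoofed). The sample input is the ISC packet quoted above with the obfuscated target replaced by the RFC 5737 documentation address 192.0.2.1, which is an assumption; the `build_echo_request` helper exists only to produce ordinary pings for comparison and is likewise not from the page.

```python
"""Added example: match raw IPv4/ICMP packets against the Welchia/Nachi
echo-request fingerprint quoted in the thread (92-byte total length,
ICMP type 8/code 0, 64-byte payload of 0xAA)."""
import socket
import struct

# Constructed input: the ISC sample packet, with the obfuscated target
# ("xxxx xxxx" in the dump) replaced by 192.0.2.1 (assumption, RFC 5737).
SAMPLE_PACKET = bytes.fromhex(
    "4500005c2dc80000790166a64349919e"  # IPv4 header minus destination
    "c0000201"                          # destination 192.0.2.1 (placeholder)
    "0800331802006d92"                  # ICMP type 8, code 0, csum, id, seq
    + "aa" * 64                         # 64-byte payload, all 0xAA
)

WELCHIA_TOTAL_LEN = 92
WELCHIA_PAYLOAD_LEN = 64
WELCHIA_FILL_BYTE = 0xAA


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_icmp(raw: bytes) -> dict:
    """Parse the IPv4 header and, if the packet carries ICMP, the ICMP
    header. Raises ValueError on truncated or non-IPv4 input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _hcsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    pkt = {"total_len": total_len, "ttl": ttl, "proto": proto,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto != 1:  # not ICMP; nothing more to parse here
        return pkt
    icmp = raw[ihl:min(total_len, len(raw))]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    pkt.update(icmp_type=itype, icmp_code=code, icmp_csum=csum,
               icmp_id=ident, icmp_seq=seq, payload=icmp[8:],
               # a checksum over the whole ICMP message folds to zero when valid
               icmp_csum_ok=inet_checksum(icmp) == 0)
    return pkt


def is_welchia_like(raw: bytes) -> bool:
    """True when the packet matches the content fingerprint from the ISC note.
    Source address is deliberately not considered, since it may be spoofed."""
    try:
        pkt = parse_ipv4_icmp(raw)
    except ValueError:
        return False
    if pkt["proto"] != 1 or pkt["total_len"] != WELCHIA_TOTAL_LEN:
        return False
    if pkt["icmp_type"] != 8 or pkt["icmp_code"] != 0:
        return False
    payload = pkt["payload"]
    return (len(payload) == WELCHIA_PAYLOAD_LEN
            and set(payload) == {WELCHIA_FILL_BYTE})


def build_echo_request(src: str, dst: str, ident: int, seq: int,
                       payload: bytes, ttl: int = 64) -> bytes:
    """Build a well-formed IPv4 echo request (for producing comparison
    packets in tests; helper is part of this example, not of the thread)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    print("sample matches:", is_welchia_like(SAMPLE_PACKET))
    benign = build_echo_request("192.0.2.10", "192.0.2.1", 1, 1, bytes(range(56)))
    print("84-byte ping matches:", is_welchia_like(benign))
```

The size-only filter from the first message in the thread would drop any 92-byte echo request; the content check here additionally requires the 0xAA fill, so an ordinary 92-byte ping with a different payload passes while the worm's packet, whose ICMP checksum 0x3318 also verifies, is caught.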
Current thread:
- Re: ICMP PING CyberKit 2.2 Windows, (continued)
- Re: ICMP PING CyberKit 2.2 Windows Paul Schmehl (Aug 19)
- Re: ICMP PING CyberKit 2.2 Windows Glenn Forbes Fleming Larratt (Aug 19)
- RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 20)
- RE: ICMP PING CyberKit 2.2 Windows nelsbels (Aug 20)
- RE: RE: ICMP PING CyberKit 2.2 Windows Eric Greenberg (Aug 20)
- RE: RE: ICMP PING CyberKit 2.2 Windows Mike Feetham (Aug 20)
- RE: RE: ICMP PING CyberKit 2.2 Windows Bryan Irvine (Aug 20)
- Re: RE: ICMP PING CyberKit 2.2 Windows Michael Anderson (Aug 21)
- RE: RE: ICMP PING CyberKit 2.2 Windows Arvind Clemente (Aug 21)
- RE: RE: ICMP PING CyberKit 2.2 Windows Bryan Irvine (Aug 22)
- Re: RE: ICMP PING CyberKit 2.2 Windows Wes Zuber (Aug 25)
- RE: RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 25)
- RE: RE: ICMP PING CyberKit 2.2 Windows Eric Greenberg (Aug 20)
- RE: RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 25)
- RE: RE: ICMP PING CyberKit 2.2 Windows Jade E. Deane (Aug 25)
- RE: RE: ICMP PING CyberKit 2.2 Windows Francis A. Vidal (Aug 25)
- RE: RE: ICMP PING CyberKit 2.2 Windows twig les (Aug 25)