Re: RE: ICMP PING CyberKit 2.2 Windows

[Wes Zuber <wes () uia net>]

Hi there, I work for a small ISP in Southern California. We have  
filtered off all pings that are 92 bytes in length.

See this article  
http://www.cisco.com/en/US/products/sw/voicesw/ps556/ 
products_tech_note09186a00801b143a.shtml

As I believe many ISP's are currently doing.

We have observed that one infected machine can run the CPU load up on a  
2501 router to 99%. Packets start dropping at that point. So bandwidth  
is not so much the issue as number of packets and arp requests.

Thanks,

--Wes

On Wednesday, August 20, 2003, at 10:36  AM, Bryan Irvine wrote:

> I had to switch off that alert after I received 70,000 of them in the
> first day.  I'll switch it back on and let you know.
>
> Is the bandwidth finally going back to normal?
>
> --Bryan
>
> On Wed, 2003-08-20 at 09:32, Mike Feetham wrote:
> > Between Monday and Tuesday we saw over 10,000 hits on our Class C.   
> > Between
> > yesterday and today that number dropped to about 3,000.  Today, we're  
> > not
> > seeing any.  My only guess is that our ISPs are blocking them  
> > (Allstream,
> > and Worldcom).  Has anyone else seen this behaviour?
> >
> >
> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Eric  
> > Greenberg
> > Sent: Wednesday, August 20, 2003 9:46 AM
> > To: nelsbels () cableone net; 'Stevo'; snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows
> >
> > We noted this on Monday and the pings have been increasing at a very  
> > high
> > rate. It is concerning. We have disabled ping (and ICMP for that  
> > matter) on
> > all the servers where practical. You can do this in the firewall  
> > (easiest
> > solution) or from within the operating system (e.g. the Linux kernel,
> > recompile)
> >
> > Regards,
> >
> > Eric Greenberg
> > Chief Technical Officer
> > NetFrameworks, Inc.
> > http://www.NetFrameworks.com
> >
> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
> > nelsbels () cableone net
> > Sent: Tuesday, August 19, 2003 11:08 PM
> > To: 'Stevo'; snort-users () lists sourceforge net
> > Subject: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows
> >
> >
> > Check this out: (This is from incidents.org)
> >
> > Over the last few hours, sensors detected a remarkable increase in  
> > ICMP
> > traffic. At this point, we assume that the traffic is linked to the  
> > 'Nachi'
> > worm:http://vil.nai.com/vil/content/v_100559.htm The worm is also  
> > known as
> > 'Welchia' (
> > http://securityresponse.symantec.com/avcenter/venc/data/ 
> > w32.welchia.worm.htm
> > l )
> >
> > While the investigation is still in progress, we did identify so far  
> > the
> > following characteristics:
> >
> > - some of the traffic is spoofed
> > - the data content is all '170' (0xAA)
> > - ICMP echo requests (type 8, code 0)
> >
> > Source-Target correlation fingerprints ICMP
> > Data:http://isc.sans.org/images/icmpfp.png
> > all Data:http://isc.sans.org/images/allfp.png
> > port 135:http://isc.sans.org/images/port135fp.png
> >
> > Sample Packet
> > (target IP obfuscated)
> >
> > 0x0000   4500 005c 2dc8 0000 7901 66a6 4349 919e         
> > E..\-...y.f.CI..
> > 0x0010   xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa         
> > ......3...m.....
> > 0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa         
> > ................
> > 0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa         
> > ................
> > 0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa         
> > ................
> > 0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............
> >
> > Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".
> >
> >
> > > So what's the deal with the 72000 odd ICMP PING CyberKit 2.2 Windows
> > > alerts I've got in the past few days??  It's frickin crazy...  I've
> > > read the posts on here, but what is actually causing this and is  
> > > there
> > > anything I can do
> > at
> > > my perimeter to stop these ICMP messages hitting my network?? It's  
> > > just
> > > annoying and I don't want to remove the rule that picks up on the  
> > > ICMP
> > > PING CyberKit 2.2 Windows!!
> >
> > > Ideas??
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by Dice.com.
> > Did you know that Dice has over 25,000 tech jobs available today? From
> > careers in IT to Engineering to Tech Sales, Dice has tech jobs from  
> > the best
> > hiring companies. http://www.dice.com/index.epl?rel_code=104
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by Dice.com.
> > Did you know that Dice has over 25,000 tech jobs available today? From
> > careers in IT to Engineering to Tech Sales, Dice has tech jobs from  
> > the
> > best hiring companies. http://www.dice.com/index.epl?rel_code 4
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
> >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by Dice.com.
> > Did you know that Dice has over 25,000 tech jobs available today? From
> > careers in IT to Engineering to Tech Sales, Dice has tech jobs from  
> > the
> > best hiring companies. http://www.dice.com/index.epl?rel_code4
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
> at the same time. Free trial click  
> here:http://www.vmware.com/wl/offer/358/0
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users