Honeypots mailing list archives

Re: recent scanning activity


From: John Lyons <john.lyons () heanet ie>
Date: Fri, 29 Aug 2003 09:44:32 +0100

Hi John,

This has been well documented:

http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

The 92 byte ICMP echo requests are as a result of the Nachi worm.
They have caused and are still causing a lot of damage/unwanted traffic in 
networks and ISPs worldwide. A lot of routers have hit 99% CPU usage due to
the worm, in particular due to the high numbers of ARP requests to unused 
IP addresses. These packets trigger the Cyberkit 2.2 Windows signature
in SNORT. The recommended course of action is to block 92 byte
ICMP echo requests at the edge using policy-based routing.

John

To all,
      I have noticed an increase in ICMP scans from early summer.  What
I have noticed here on the Georgia Tech Honeynet lately is a large increase
in ICMP scans triggering the SNORT ICMP ping Cyberkit 2.2 Windows
signature from blaster infected machines (i.e. these same machines try to
connect on port 135).
John Levine
School Of Electrical and Computer Engineering
Georgia Institute of Technology
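
An added example, not part of either message in this thread: Python that picks the 92-byte ICMP echo requests described above out of raw IPv4 packets and counts how many distinct addresses each source has pinged. The sample packets, the addresses, the helper names and the `min_targets` threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

ECHO_IP_LEN = 92          # IP total length named in the thread
ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8

def build_echo(src, dst, payload_len, icmp_type=ICMP_ECHO_REQUEST):
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header + filler.
    Checksums are left at zero; the filter below does not read them."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 128,
                     ICMP_PROTO, 0, bytes(src), bytes(dst))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + b"\x00" * payload_len

def is_92_byte_echo(pkt):
    """True for an unfragmented IPv4 ICMP echo request with total length 92."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                 # header length, options included
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != ICMP_PROTO:
        return False
    total_len, = struct.unpack("!H", pkt[2:4])
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Later fragments carry no ICMP header, so only offset 0 is inspected.
    return (frag_offset == 0 and total_len == ECHO_IP_LEN
            and pkt[ihl] == ICMP_ECHO_REQUEST)

def sweeping_sources(packets, min_targets=3):
    """Map source IP -> count of distinct destinations it sent 92-byte echoes to."""
    targets = defaultdict(set)
    for pkt in packets:
        if is_92_byte_echo(pkt):
            targets[pkt[12:16]].add(pkt[16:20])
    return {".".join(map(str, src)): len(dsts)
            for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed capture: one host sweeping five addresses with 92-byte echoes,
# one host sending ordinary 60-byte pings, one host sending 92-byte echo replies.
SAMPLE = (
    [build_echo((192, 0, 2, 10), (10, 0, 0, n), 64) for n in range(1, 6)]
    + [build_echo((192, 0, 2, 20), (10, 0, 0, n), 32) for n in range(1, 6)]
    + [build_echo((192, 0, 2, 30), (10, 0, 0, n), 64, icmp_type=0) for n in range(1, 6)]
)

if __name__ == "__main__":
    print(sweeping_sources(SAMPLE))
```

Length and ICMP type alone also match any legitimate tool that happens to send a 64-byte echo payload, so the per-source destination count is what separates a sweep from a single ping.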
