Honeypots mailing list archives
Re: recent scannin activitty
From: John Lyons <john.lyons () heanet ie>
Date: Fri, 29 Aug 2003 09:44:32 +0100
Hi John,

This has been well documented:
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

The 92-byte ICMP echo requests are a result of the Nachi worm. They have caused and are still causing a lot of damage/unwanted traffic in networks and ISPs worldwide. A lot of routers have hit 99% CPU usage due to the worm, in particular due to the high numbers of ARP requests to unused IP addresses.

These packets trigger the Cyberkit 2.2 Windows signature in SNORT.

The recommended course of action is to block 92-byte ICMP echo requests at the edge using policy-based routing.

John
To all,

I have noticed an increase in ICMP scans from early summer. What I have noticed here on the Georgia Tech Honeynet lately is a large increase in ICMP scans triggering the SNORT ICMP ping Cyberkit 2.2 Windows signature from Blaster-infected machines (i.e. these same machines try to connect on port 135).

John Levine
School Of Electrical and Computer Engineering
Georgia Institute of Technology
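Added example, not part of either message in the thread: a minimal detector for the 92-byte ICMP echo requests discussed above, run over raw IPv4 packets and reporting sources that ping several distinct hosts. All function names, the min_targets threshold and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ICMP_PROTO, ECHO_REQUEST, FLAGGED_LEN = 1, 8, 92  # 92 = size named in the thread

def is_92_byte_echo(pkt: bytes) -> bool:
    """Raw IPv4 packet (no link-layer header): ICMP echo request, IP total length 92."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack("!H", pkt[2:4])
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != ICMP_PROTO or frag_offset:
        return False
    return total_len == FLAGGED_LEN and pkt[ihl] == ECHO_REQUEST and pkt[ihl + 1] == 0

def sweeping_sources(packets, min_targets=3):
    """Sources that sent 92-byte echo requests to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for pkt in packets:
        if is_92_byte_echo(pkt):
            targets[socket.inet_ntoa(pkt[12:16])].add(pkt[16:20])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)

def build_echo(src, dst, payload_len, icmp_type=ECHO_REQUEST):
    """Constructed test packet; checksums are left at 0 because the detector ignores them."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 128, ICMP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + b"\xaa" * payload_len       # filler byte is arbitrary

# Constructed sample traffic using documentation address ranges (RFC 5737).
SAMPLE = (
    [build_echo("192.0.2.10", f"198.51.100.{i}", 64) for i in range(1, 6)]  # 92-byte sweep
    + [build_echo("192.0.2.20", "198.51.100.1", 32)]                # 60-byte ping
    + [build_echo("192.0.2.30", "198.51.100.1", 64)]                # one 92-byte ping only
    + [build_echo("198.51.100.1", "192.0.2.10", 64, icmp_type=0)]   # 92-byte echo reply
)

if __name__ == "__main__":
    print(sweeping_sources(SAMPLE))
```

The length test alone also matches any legitimate tool that happens to send 92-byte pings, which is why the sketch counts distinct targets per source before reporting.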