nanog mailing list archives
RE: Increase in traffic to/from DSL subs since August?
From: "Gary Attard" <garya () invision net>
Date: Fri, 21 Nov 2003 10:15:58 -0500
Improperly patched machines infected with Nachi (aka Welchia) have been noted transmitting in excess of 500,000 ICMP echo requests via Class B alphabet lookups per hour. The one characteristic of Nachi that simplifies the identification of the infected machines is the fact that each of these echo requests is a 92-byte ping. Any monitoring tools or packet sniffers configured to look for these 92-byte pings will greatly simplify the identification of the specific source addresses.

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of Suresh Ramasubramanian
Sent: Thursday, November 20, 2003 9:27 PM
Cc: nanog () merit edu
Subject: Re: Increase in traffic to/from DSL subs since August?

Steven M. Bellovin writes on 11/20/2003 4:28 PM:
At the IETF Plenary, Bernard Aboba showed a graph of spam, with a marked uptick since SoBig.F in August. My guess is worm-deposited spam relays, though Joel's guess of Nachi or Welchia can't be ruled out, either, without flow data.
A ballpark estimate from a couple of friends who run small cable ISPs in India, and from a look at our mailserver log stats, says that yes, this is mostly because of open proxies and trojans infecting unpatched Windows machines on broadband. Swen, MiMail and Jeem.mail.pv seem to be the worst offenders wrt spamming trojans, right now. Nachi and Welchia are almost as bad. I'd say blame can be split equally between the two.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
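A minimal detector for the 92-byte echo requests described in the message above, added here as an example and not taken from the thread. It assumes "92 byte" means the IPv4 total length; the function names, the threshold and the sample packets (documentation addresses) are constructed for illustration.

```python
import struct
from collections import Counter

PING_LEN = 92  # assumption: IPv4 total length (20 IP + 8 ICMP + 64 data bytes)

def is_suspect_ping(pkt: bytes, size: int = PING_LEN) -> bool:
    """True for an IPv4 ICMP echo request whose total length equals size."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    total_len, = struct.unpack_from("!H", pkt, 2)
    frag_off = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    # Require protocol 1 (ICMP), a first fragment, and a complete ICMP header.
    if ihl < 20 or pkt[9] != 1 or frag_off or len(pkt) < ihl + 8:
        return False
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    return total_len == size and icmp_type == 8 and icmp_code == 0

def suspect_sources(packets, min_count=3):
    """Count matching pings per source; return {src: count} at or above min_count."""
    hits = Counter()
    for pkt in packets:
        if is_suspect_ping(pkt):
            hits[".".join(map(str, pkt[12:16]))] += 1
    return {src: n for src, n in hits.items() if n >= min_count}

def build_echo(src, dst, data_len, icmp_type=8):
    """Constructed sample packet (checksums left zero; the detector ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + data_len, 0, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + b"\xaa" * data_len

# Constructed traffic: one host sweeping addresses with 92-byte pings,
# one host sending ordinary 60-byte pings, and one echo reply of 92 bytes.
SAMPLE = [build_echo("192.0.2.10", f"198.51.100.{i}", 64) for i in range(1, 6)]
SAMPLE += [build_echo("192.0.2.20", "198.51.100.1", 32) for _ in range(5)]
SAMPLE += [build_echo("192.0.2.30", "192.0.2.10", 64, icmp_type=0)]

if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE).items():
        print(f"{src} sent {n} echo requests of {PING_LEN} bytes")
```
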