Snort mailing list archives
RE: RE: ICMP PING CyberKit 2.2 Windows
From: twig les <twigles () yahoo com>
Date: Mon, 25 Aug 2003 21:26:52 -0700 (PDT)
Yes we got creamed by this crap too. "Good worm" my butt. The reason you're seeing the CPU spike is the sheer volume of tiny packets. Tiny packets, from a router's point of view, are a pain in the neck since they (the routers) have to route them (or CEF/silicon/fast switch, whatever) and annoying worms can send tons of them. I would follow jade.dean's advice and block the pings on line 1 of your inbound border ACLs.

--- "Francis A. Vidal" <francisv-sender-58ad63 () irc dagupan com> wrote:

I noticed that even with the workarounds in place (from Cisco.com), CPU process is still high when a client infected with Nachi starts pinging random addresses.

-----Original Message-----
From: Jade E. Deane [mailto:jade.deane () riven net]
Sent: Tuesday, August 26, 2003 11:11 AM
To: Francis A. Vidal
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

Does the exploit directly affect the routers? Well, no. However, by way of the amount of traffic and any ACLs in place, you could increase the burden on any infrastructure components in your network. If you're using Cisco hardware, depending on the model, I would suggest you compile your ACLs to avoid process switching overhead.

Regards,
Jade

On Mon, 2003-08-25 at 21:25, Francis A. Vidal wrote:

Yes, I know, but how does this directly affect the routers?

-----Original Message-----
From: alexanderhampel () netscape net [mailto:alexanderhampel () netscape net]
Sent: Tuesday, August 26, 2003 8:57 AM
To: francisv-dated-1062461815.afb71c () irc dagupan com; snort-users () lists sourceforge net
Cc: nelsbels () cableone net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

ICMP PING CyberKit 2.2 Windows

What you see is actually the propagation of the Nachi/Blaster worm, which exploits the Microsoft DCOM vulnerability on Windows NT/2000/XP PCs.

Alexander
Network Security Analyst

"Francis A. Vidal" <francisv-sender-58ad63 () irc dagupan com> wrote:

Yes, we are also experiencing incredible CPU load on our 3640 routers. What could be causing this?

-----Original Message-----
From: Wes Zuber [mailto:wes () uia net]
Sent: Saturday, August 23, 2003 4:26 AM
To: Bryan Irvine
Cc: Mike Feetham; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

Hi there,

I work for a small ISP in Southern California. We have filtered off all pings that are 92 bytes in length.

See this article:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801b143a.shtml

As I believe many ISPs are currently doing. We have observed that one infected machine can run the CPU load up on a 2501 router to 99%. Packets start dropping at that point. So bandwidth is not so much the issue as number of packets and ARP requests.

Thanks,
--Wes

On Wednesday, August 20, 2003, at 10:36 AM, Bryan Irvine wrote:

I had to switch off that alert after I received 70,000 of them in the first day. I'll switch it back on and let you know. Is the bandwidth finally going back to normal?

--Bryan

On Wed, 2003-08-20 at 09:32, Mike Feetham wrote:

Between Monday and Tuesday we saw over 10,000 hits on our Class C. Between yesterday and today that number dropped to about 3,000. Today, we're not seeing any. My only guess is that our ISPs are blocking them (Allstream, and Worldcom). Has anyone else seen this behaviour?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Eric Greenberg
Sent: Wednesday, August 20, 2003 9:46 AM
To: nelsbels () cableone net; 'Stevo'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

We noted this on Monday and the pings have been increasing at a very high rate. It is concerning. We have disabled ping (and ICMP for that matter) on all the servers where practical. You can do this in the firewall (easiest solution) or from within the operating system (e.g. the Linux kernel, recompile).

Regards,
Eric Greenberg
Chief Technical Officer
NetFrameworks, Inc.
http://www.NetFrameworks.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of nelsbels () cableone net
Sent: Tuesday, August 19, 2003 11:08 PM
To: 'Stevo'; snort-users () lists sourceforge net
Subject: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

Check this out: (This is from incidents.org)

Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm

The worm is also known as 'Welchia' (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

While the investigation is still in progress, we did identify so far the following characteristics:

- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)

Source-Target correlation fingerprints
ICMP Data: http://isc.sans.org/images/icmpfp.png
all Data: http://isc.sans.org/images/allfp.png
port 135: http://isc.sans.org/images/port135fp.png

Sample Packet (target IP obfuscated)

0x0000 4500 005c 2dc8 0000 7901 66a6 4349 919e E..\-...y.f.CI..
0x0010 xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa ......3...m.....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

Snort identifies these packets as "ICMP PING CyberKit 2.2
=== message truncated ===

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------
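The fingerprint quoted from incidents.org above (a 92-byte IPv4 datagram carrying an ICMP echo request, type 8 code 0, whose payload is all 0xAA) is easy to check mechanically against a capture, and doing so explains why Wes's "92 bytes in length" filter works: 20 bytes of IP header plus 8 bytes of ICMP header plus 64 bytes of 0xAA padding. The following Python is an added example, not code from the thread, from Snort, or from incidents.org. It parses the sample dump exactly as quoted above, treating the obfuscated "xxxx xxxx" destination as 0.0.0.0 (so the IP header checksum is not verified, only the ICMP one), applies each check separately, and includes a small builder for constructing comparison packets offline. All function names and the benign comparison packet are my own constructions.

```python
"""Check a captured ICMP packet against the Nachi/Welchia fingerprint from the thread:
an IPv4 datagram of exactly 92 bytes carrying an ICMP echo request whose 64-byte
payload is all 0xAA. Added example; not code from the thread or from Snort."""
import re
import struct

# Sample packet as quoted from incidents.org in the thread. The destination
# address was obfuscated as "xxxx xxxx" there; it is parsed as 0.0.0.0 here,
# so the IP header checksum is deliberately not verified.
SAMPLE_DUMP = r"""
0x0000 4500 005c 2dc8 0000 7901 66a6 4349 919e E..\-...y.f.CI..
0x0010 xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa ......3...m.....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............
"""

WORD_RE = re.compile(r"^(?:[0-9a-fA-F]{4}|x{4})$")


def parse_hexdump(text):
    """Convert an 'offset  8x 16-bit words  ascii' dump to bytes ('xxxx' -> 0x0000)."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:            # at most eight words per dump line
            if not WORD_RE.match(tok):
                break                      # hit the ASCII column
            out += b"\x00\x00" if tok == "xxxx" else bytes.fromhex(tok)
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 ones-complement checksum (used for both IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt):
    """Return IPv4 header fields and, for protocol 1, the ICMP header and payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _hcs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {"version": ver_ihl >> 4, "total_len": total_len, "ttl": ttl,
            "proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst))}
    if proto != 1:
        return info
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    itype, code, cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # recompute over the ICMP message with the checksum field zeroed
    calc = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    info.update({"icmp_type": itype, "icmp_code": code, "icmp_cksum": cksum,
                 "icmp_cksum_ok": calc == cksum, "icmp_id": ident,
                 "icmp_seq": seq, "payload": icmp[8:]})
    return info


def welchia_fingerprint(pkt):
    """Apply the thread's fingerprint; returns each check plus an overall verdict."""
    info = parse_ipv4_icmp(pkt)
    checks = {
        "ipv4_total_len_92": info["version"] == 4 and info["total_len"] == 92,
        "icmp_echo_request": info.get("icmp_type") == 8 and info.get("icmp_code") == 0,
        "payload_all_0xAA": bool(info.get("payload")) and set(info["payload"]) == {0xAA},
        "icmp_checksum_ok": info.get("icmp_cksum_ok", False),
    }
    checks["matches"] = all(checks.values())
    return checks


def build_echo_request(src, dst, ident, seq, payload, ttl=64):
    """Build a well-formed IPv4/ICMP echo request (for constructing test traffic offline)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    # constructed benign ping: 56-byte counting payload, 84 bytes on the wire
    benign = build_echo_request("10.0.0.1", "10.0.0.2", 1, 1, bytes(range(56)))
    for name, pkt in (("sample", parse_hexdump(SAMPLE_DUMP)), ("benign", benign)):
        print(name, welchia_fingerprint(pkt))
```

Running the file prints every check for the quoted sample (all true, including the ICMP checksum 0x3318 recomputing correctly) and for a constructed ordinary 84-byte ping (checksum fine, length and payload checks false). Keeping the checks separate matters in practice: a length-only filter like the one Wes describes also drops legitimate 92-byte echoes, while the payload check on its own would still fire on hand-crafted lookalikes, so a sensor rule should record which parts of the fingerprint matched rather than only the verdict.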