Snort mailing list archives

RE: RE: ICMP PING CyberKit 2.2 Windows


From: twig les <twigles () yahoo com>
Date: Mon, 25 Aug 2003 21:26:52 -0700 (PDT)

Yes we got creamed by this crap too.  "Good worm" my butt.  The
reason you're seeing the CPU spike is the sheer volume of tiny
packets.  Tiny packets, from a router's point of view, are a
pain in the neck since they (the routers) have to route them (or
CEF/silicon/fast switch, whatever) and annoying worms can send
tons of them.

I would follow jade.dean's advice and block the pings on line 1
of your inbound border acls.

--- "Francis A. Vidal" <francisv-sender-58ad63 () irc dagupan com>
wrote:
I noticed that even with the workarounds in place (from Cisco.com), CPU process is still high when a client infected with Nachi starts pinging random addresses.

-----Original Message-----
From: Jade E. Deane [mailto:jade.deane () riven net] 
Sent: Tuesday, August 26, 2003 11:11 AM
To: Francis A. Vidal
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

Does the exploit directly affect the routers?  Well, no. However, by way of the amount of traffic and any ACLs in place, you could increase the burden on any infrastructure components in your network.

If you're using Cisco hardware, depending on the model, I would suggest you compile your ACLs to avoid process switching overhead.

Regards,
Jade

On Mon, 2003-08-25 at 21:25, Francis A. Vidal wrote:
Yes, I know but how does this directly affect the routers?

-----Original Message-----
From: alexanderhampel () netscape net
[mailto:alexanderhampel () netscape net] 
Sent: Tuesday, August 26, 2003 8:57 AM
To: francisv-dated-1062461815.afb71c () irc dagupan com;
snort-users () lists sourceforge net
Cc: nelsbels () cableone net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

ICMP PING CyberKit 2.2 Windows

What you see is actually the propagation of the Nachi / Blaster worm, which exploits the Microsoft DCOM vulnerability on Windows NT/2000/XP PCs.

Alexander
Network Security Analyst


"Francis A. Vidal" <francisv-sender-58ad63 () irc dagupan com>
wrote:

Yes, we are also experiencing incredible CPU load on our 3640 routers. What could be causing this?

-----Original Message-----
From: Wes Zuber [mailto:wes () uia net]
Sent: Saturday, August 23, 2003 4:26 AM
To: Bryan Irvine
Cc: Mike Feetham; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

Hi there, I work for a small ISP in Southern California. We have filtered off all pings that are 92 bytes in length.

See this article: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801b143a.shtml

As I believe many ISP's are currently doing.

We have observed that one infected machine can run the CPU load up on a 2501 router to 99%. Packets start dropping at that point. So bandwidth is not so much the issue as number of packets and arp requests.

Thanks,

--Wes

On Wednesday, August 20, 2003, at 10:36 AM, Bryan Irvine wrote:

I had to switch off that alert after I received 70,000 of them in the first day.  I'll switch it back on and let you know.

Is the bandwidth finally going back to normal?

--Bryan

On Wed, 2003-08-20 at 09:32, Mike Feetham wrote:
Between Monday and Tuesday we saw over 10,000 hits on our Class C. Between yesterday and today that number dropped to about 3,000.  Today, we're not seeing any.  My only guess is that our ISPs are blocking them (Allstream, and Worldcom).  Has anyone else seen this behaviour?


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Eric Greenberg
Sent: Wednesday, August 20, 2003 9:46 AM
To: nelsbels () cableone net; 'Stevo';
snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows

We noted this on Monday and the pings have been increasing at a very high rate. It is concerning. We have disabled ping (and ICMP for that matter) on all the servers where practical. You can do this in the firewall (easiest solution) or from within the operating system (e.g. the Linux kernel, recompile).

Regards,

Eric Greenberg
Chief Technical Officer
NetFrameworks, Inc.
http://www.NetFrameworks.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of nelsbels () cableone net
Sent: Tuesday, August 19, 2003 11:08 PM
To: 'Stevo'; snort-users () lists sourceforge net
Subject: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows


Check this out: (This is from incidents.org)

Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm: http://vil.nai.com/vil/content/v_100559.htm The worm is also known as 'Welchia' (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

While the investigation is still in progress, we did identify so far the following characteristics:

- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)

Source-Target correlation fingerprints
ICMP Data: http://isc.sans.org/images/icmpfp.png
all Data: http://isc.sans.org/images/allfp.png
port 135: http://isc.sans.org/images/port135fp.png

Sample Packet
(target IP obfuscated)

0x0000   4500 005c 2dc8 0000 7901 66a6 4349 919e   E..\-...y.f.CI..
0x0010   xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa   ......3...m.....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa   ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa   ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa   ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa             ............

Snort identifies these packets as "ICMP PING CyberKit 2.2
=== message truncated ===


=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------
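Added example, not from the thread or any of its posters: a Python script that parses the incidents.org sample packet quoted above and tests it against the characteristics listed there (ICMP echo request, type 8 code 0, data all 0xAA) together with the 92-byte total length that Wes Zuber says his ISP filters on. The target address was obfuscated in the original dump, so it is filled in here with 192.0.2.1 (an RFC 5737 documentation address); because of that substitution the IP header checksum is not checked, but the ICMP checksum in the dump is recomputed and verified. The Snort rule behind the "ICMP PING CyberKit 2.2 Windows" alert is not reproduced on this page, so the cyberkit check below is an approximation (a run of 0xAA bytes in an echo request); the ordinary Windows-style ping used as a control packet is constructed for the example.

```python
"""Parse the ISC sample packet quoted in the thread and test it against the
Nachi/Welchia echo-request fingerprint the posters describe."""
import struct
from ipaddress import ip_address

# Hex dump from the incidents.org note quoted above. The target IP was
# obfuscated ("xxxx xxxx") in the original; here it is filled in with
# 192.0.2.1 (RFC 5737 TEST-NET-1), so the IP header checksum will not
# match and is deliberately not checked below. (Assumption for the example.)
ISC_DUMP = """
0x0000   4500 005c 2dc8 0000 7901 66a6 4349 919e
0x0010   xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa
"""
OBFUSCATED_TARGET = "c0000201"  # 192.0.2.1, stands in for the xxxx xxxx


def hexdump_to_bytes(dump: str, fill: str = OBFUSCATED_TARGET) -> bytes:
    """Turn the 'offset  word word ...' dump into raw bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split()[1:])  # drop the 0x0000 offset column
    return bytes.fromhex("".join(words).replace("xxxxxxxx", fill))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_icmp(pkt: bytes) -> dict:
    """Extract the fields the thread keys on and decide whether the packet
    matches the worm's echo-request pattern."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    result = {"total_length": total_len, "is_icmp": proto == 1}
    if proto != 1 or total_len < ihl + 8 or total_len > len(pkt):
        result["nachi_fingerprint"] = False
        return result
    icmp = pkt[ihl:total_len]
    itype, icode, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]  # checksum field cleared
    result.update(
        icmp_type=itype, icmp_code=icode, icmp_id=ident, icmp_seq=seq,
        payload_len=len(payload),
        icmp_checksum_ok=(inet_checksum(zeroed) == csum),
        payload_all_0xaa=(len(payload) > 0 and payload == b"\xaa" * len(payload)),
        # The Snort "ICMP PING CyberKit 2.2 Windows" alert keys on a run of
        # 0xAA bytes in an echo request; its exact options are not on this
        # page, so an 8-byte run is used here as an approximation.
        snort_cyberkit_like=(itype == 8 and b"\xaa" * 8 in payload),
    )
    # Characteristics from the quoted ISC note plus the 92-byte filter:
    # echo request, type 8 code 0, all-0xAA data, 92 bytes on the wire.
    result["nachi_fingerprint"] = (
        itype == 8 and icode == 0 and total_len == 92 and result["payload_all_0xaa"]
    )
    return result


def build_echo_request(src: str, dst: str, payload: bytes, ident=1, seq=1) -> bytes:
    """Constructed control packet: an ordinary echo request carrying payload."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp_hdr + payload), ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


# Stock 32-byte payload of the Windows ping utility (control case, constructed).
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

if __name__ == "__main__":
    samples = [
        ("ISC sample", hexdump_to_bytes(ISC_DUMP)),
        ("Windows ping", build_echo_request("192.0.2.10", "192.0.2.20", WINDOWS_PING_DATA)),
    ]
    for name, pkt in samples:
        print(name, classify_icmp(pkt))
```

The ISC packet comes out as a 92-byte echo request with 64 data bytes of 0xAA, id 0x0200, seq 0x6d92 and a valid ICMP checksum of 0x3318, so it hits both the worm fingerprint and the cyberkit-style content match; the 60-byte Windows-style ping hits neither, which is why a length-92 filter like the one Wes describes catches the worm traffic without dropping ordinary pings.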


