[Dshield] ICMP increase

Luke Matchett lukematchett at optusnet.com.au
Mon Aug 18 12:47:04 GMT 2003


Johannes B. Ullrich wrote:

>Over the last few hours, we detected a remarkable increase in ICMP
>traffic. So far I have no idea what this is about. Any insight is
>appreciated.
>
>(ICMP shows up as 'port 0' in our protocol-ignorant graphs. I will try
>and pull some protocol-specific data)
>
>http://www.dshield.org/port_report.php?port=0&recax=1&tarax=1&srcax=2&percent=N&days=1
>
About 24 hours ago my snort logs began recording the following message:
"ICMP PING CyberKit 2.2 Windows". I am now seeing about 2 of these a
minute from various IPs. I normally get about 4 snort alerts a day.

Luke




