[Dshield] ICMP increase

Johannes B. Ullrich jullrich at sans.org
Mon Aug 18 12:52:11 GMT 2003


Could you please pass along a few full packets? (either off or on list)


On Mon, 2003-08-18 at 08:47, Luke Matchett wrote:
> Johannes B. Ullrich wrote:
> 
> >Over the last few hours, we detected a remarkable increase in ICMP
> >traffic. So far I have no idea what this is about. Any insight is
> >appreciated.
> >
> >(ICMP shows up as 'port 0' in our protocol ignorant graphs. I will try
> >and pull some protocol specific data)
> >
> >http://www.dshield.org/port_report.php?port=0&recax=1&tarax=1&srcax=2&percent=N&days=1
> >
> >
> >  
> >
> About 24 hours ago my snort logs began recording the following message 
> "ICMP PING CyberKit 2.2 Windows". I am now seeing about 2 of these a 
> minute from various IPs. I normally get about 4 snort alerts a day.
> 
> Luke
> 
> 
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
