[Dshield] ICMP increase + another strange probe

Jon R. Kibler Jon.Kibler at aset.com
Mon Aug 18 13:52:43 GMT 2003


Greetings:

We noticed a BIG jump in ICMP early this morning too. Coming from all sorts of IP addresses. Hits occurring about every 5 to 30 secs.

We block at our border router all incoming ICMP traffic except for "Echo Reply", "Destination Unreachable", and "Time Exceeded." We also log all outgoing "Echo Requests". These tactics serve two purposes: 1) Blocks incoming probes while allowing receipt of required responses; 2) Gives early warning of any possible local infections. Suggest others may want to consider same.

We have also got another "interesting" event. We are getting probes about once a minute to port 21826 on an unallocated IP in our netblock. The probes originate from a wide variety of IP addresses and are always from port 44429. Clearly these packets are spoofed. As they are blocked at our router, I cannot give any other details such as a packet dump.

Has anyone else seen such a probe or have any idea what may generate it?

Thanks!
Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC USA
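As an added illustration (not from the post, nor from DShield), a small log-triage script that applies both observations above to constructed router deny-log lines: it counts blocked inbound Echo Requests per source, and flags a destination port being hit from many distinct addresses that all share one source port, the pattern of the 21826/44429 traffic described. The log format, the field layout and all addresses are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed deny-log lines (invented for this example; documentation-range addresses).
SAMPLE_LOG = """\
Aug 18 06:01:02 border: list 101 denied icmp 203.0.113.7 -> 198.51.100.5 (8/0)
Aug 18 06:01:09 border: list 101 denied icmp 203.0.113.88 -> 198.51.100.5 (8/0)
Aug 18 06:01:31 border: list 101 denied icmp 192.0.2.44 -> 198.51.100.9 (8/0)
Aug 18 06:01:40 border: list 101 denied tcp 192.0.2.10(44429) -> 198.51.100.200(21826)
Aug 18 06:02:41 border: list 101 denied tcp 203.0.113.5(44429) -> 198.51.100.200(21826)
Aug 18 06:03:39 border: list 101 denied tcp 198.18.0.77(44429) -> 198.51.100.200(21826)
Aug 18 06:03:50 border: list 101 denied tcp 198.18.0.77(51322) -> 198.51.100.10(80)
"""

ICMP_RE = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\)")      # src dst (type/code)
L4_RE = re.compile(r"denied (tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")  # proto src(sport) dst(dport)

def parse_deny_log(text):
    """Turn each deny line into a dict; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            events.append({"proto": "icmp", "src": m.group(1), "dst": m.group(2),
                           "type": int(m.group(3)), "code": int(m.group(4))})
            continue
        m = L4_RE.search(line)
        if m:
            events.append({"proto": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                           "dst": m.group(4), "dport": int(m.group(5))})
    return events

def icmp_echo_request_sources(events):
    """Count blocked inbound Echo Requests (ICMP type 8) per source address."""
    return Counter(e["src"] for e in events if e["proto"] == "icmp" and e["type"] == 8)

def fixed_source_port_probes(events, min_sources=3):
    """Return (sport, dst, dport) keys hit from at least min_sources distinct addresses.
    Many unrelated sources all using one source port is the spoofing pattern the post describes."""
    seen = defaultdict(set)
    for e in events:
        if e["proto"] in ("tcp", "udp"):
            seen[(e["sport"], e["dst"], e["dport"])].add(e["src"])
    return {key: srcs for key, srcs in seen.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    evs = parse_deny_log(SAMPLE_LOG)
    print("echo requests per source:", icmp_echo_request_sources(evs).most_common())
    for (sport, dst, dport), srcs in fixed_source_port_probes(evs).items():
        print(f"{len(srcs)} sources -> {dst}:{dport}, all from source port {sport}")
```

The same two checks work on a live deny log once the regexes are adapted to the router's actual line format; the echo-request counter is also the right place to watch outbound Echo Requests for the early-warning purpose the post mentions.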



"Johannes B. Ullrich" wrote:
> 
> 
> could you please pass along a few full packets? (either off or on list)
> 
> On Mon, 2003-08-18 at 08:47, Luke Matchett wrote:
> > Johannes B. Ullrich wrote:
> >
> > >
> > >Over the last few hours, we detected a remarkable increase in ICMP
> > >traffic. So far I have no idea what this is about. Any insight is
> > >appreciated.
> > >
> > >(ICMP shows up as 'port 0' in our protocol ignorant graphs. I will try
> > >and pull some protocol specific data)
> > >
> > >http://www.dshield.org/port_report.php?port=0&recax=1&tarax=1&srcax=2&percent=N&days=1
> > >
> > >
> > >
> > >
> > About 24 hours ago my snort logs began recording the following message
> > "ICMP PING CyberKit 2.2 Windows" . I am now seeing about 2 of these a
> > minute from various IPs. I normally get about 4 snort alerts a day.
> >
> > Luke
> >
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> --
> SANS - Internet Storm Center
> http://isc.sans.org
> PGP Key: http://isc.sans.org/jullrich.txt
> 

