[Dshield] ping DoS?

Roberts, Chris CRoberts at Limitedbrands.com
Mon Aug 18 17:28:41 GMT 2003

We are having major internal problems with this today, infected machines
(NEWLY infected ones) (TCP_Probe_MSRPC ones)

New variant? (Was all quiet from Friday until this morning.)

-----Original Message-----
From: Matthew Harrell [mailto:mhar at plex.com]
Sent: Monday, August 18, 2003 12:47 PM
To: Dshield Mailing List
Subject: [Dshield] ping DoS?

At about 12:15 PM today, our internal WAN (includes multiple customers on
their own subnets) seems to have been hit by some kind of ping DoS worm. 
In my firewall logs, I saw HUGE amounts of pings coming from multiple hosts
in all (or at least most) of our internal subnets.  The pings seem to
target nearby subnets (192.168.x.x, and some 192.165.x.x are what I saw
most of).  We are running Symantec Enterprise Firewall, which has a ping
proxy.  This proxy on both firewalls was overwhelmed, and this resulted in
a practical DoS on our ASP servers.  I added a ping deny filter on the
internal interfaces on our firewalls, and things are accessible now, but
we're still working on tracing down these pings.  Does anyone know of a
worm, or anything else, that would do this?

Matt Harrell
Plexus Systems
mhar at plex.com 