[Dshield] Cyberkit 2.2 pings.... anyone else getting them?

Johannes B. Ullrich jullrich at sans.org
Tue Dec 23 12:18:14 GMT 2003

Snort's rule for "Cyberkit 2.2" matches the pings sent by the
Nachia worm. No surprise if you get flooded by them, in particular
if you have an infected host in your proximity.

If you don't need to reply to 'ICMP Echo' requests, just drop
them. Other than that, there is not much you can do. 

Other than the bandwidth they are using, the Nachia pings by 
themselves are not dangerous. By not responding to ICMP Echo
requests, you will at least save the bandwidth used for the response.
However, a lot of network uptime monitors use ICMP echo, so you may need
to apply some exceptions, or apply a more fine-grained firewall rule.

As far as Snort is concerned: There is probably not much point in
logging these events, unless you use them to track down infected systems
under your control.

On Mon, 2003-12-22 at 19:10, CLE47 at aol.com wrote:
> Has anyone figured out what the cyberkit 2.2 is and how to block them???  
> Please respond.
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
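
One way to do the tracking mentioned in the reply above, as an added example that is not part of the original post: it reads Snort fast-format alerts, keeps only the CyberKit 2.2 ones whose source lies inside your own address space, and reports the sources that pinged several distinct destinations. The alert layout, the sample lines, the `infected_candidates` name and the distinct-destination threshold are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" layout (assumed format, not real logs).
SAMPLE_ALERTS = """\
12/23-12:18:14.101 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.23 -> 198.51.100.7
12/23-12:18:14.102 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.23 -> 198.51.100.8
12/23-12:18:14.103 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.23 -> 198.51.100.9
12/23-12:18:14.104 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.23 -> 198.51.100.10
12/23-12:18:15.200 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.40 -> 192.168.10.1
12/23-12:18:16.200 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.40 -> 192.168.10.1
12/23-12:18:17.300 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.10.5
12/23-12:18:17.301 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.10.6
12/23-12:18:17.302 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.10.7
12/23-12:18:18.400 [**] [1:1000001:1] LOCAL constructed unrelated rule [**] [Priority: 3] {ICMP} 192.168.10.23 -> 198.51.100.11
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)


def infected_candidates(lines, internal_nets, min_targets=3):
    """Return {internal source IP: distinct destinations pinged} for CyberKit 2.2 alerts.

    min_targets is an assumed heuristic: a sweeping host hits many distinct
    destinations, while a monitoring tool usually pings the same few.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    targets = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or "cyberkit 2.2" not in m["msg"].lower():
            continue  # unparsable line or a different rule
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            continue  # external source: not a host under your control
        targets.setdefault(str(src), set()).add(m["dst"])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    hits = infected_candidates(SAMPLE_ALERTS.splitlines(), ["192.168.10.0/24"])
    for host, count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{host}: CyberKit 2.2 pings to {count} distinct destinations")
```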
