[Dshield] New ICMP Scans?

Rick Klinge rick at jaray.net
Mon Jan 12 15:47:56 GMT 2004


Well, if you are using Comcast as your provider it is very likely that they
are scanning for open mail servers etc.  IMHO Comcast doesn't secure any of
their systems from abuse and they run them wide open for anyone to relay
mail through. At least that's why a lot of admins have most of Comcast
blacklisted.  Their abuse department / NOC is nonexistent.

Hth,

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of tim0707 at comcast.net
> Sent: Monday, January 12, 2004 9:27 AM - FamHost
> To: list at dshield.org
> Subject: [Dshield] New ICMP Scans?
> 
> 
> Over the weekend, I saw a huge amount of ICMP echo requests 
> with a payload of EEEEEEE...  
> 
> Here's what the packet looked like:
> 
> 4500 003c 70fd 0000 2d01 78b6 d240 2d40
> xxxx ffb6 0800 932b 0200 0e80 4545 4545
> 4545 4545 4545 4545 4545 4545 4545 4545
> 4545 4545 4545 4545 4545 4545
> 
> I received about 500,000 alerts on the 11th.  The part that 
> has me curious is that the scans were very similar to Nachi 
> scans in that they were sequential.  They all triggered the 
> eEye Retina Scan alert on my sensor, because of the payload, 
> but I'm not sure what they are. 
> 
> Most of the traffic has been coming from Taiwan, but I have 
> seen some from Sweden and Romania too.
> 
> Has anyone else been seeing this kind of traffic recently?  
> What do you think it is?
> 
> Thanks,
> Tim Kroeger
> 

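Added example, not part of either message above: a decode of the quoted packet dump that checks the ICMP checksum and tests for the all-'E' echo payload the original poster describes. The function names are this example's own, and the redacted "xxxx" octets are zero-filled only to keep byte offsets aligned (assumption: they stand for two bytes of the destination address).

```python
import struct

# Hex dump copied from the quoted post; "xxxx" is the poster's own redaction.
DUMP = """
4500 003c 70fd 0000 2d01 78b6 d240 2d40
xxxx ffb6 0800 932b 0200 0e80 4545 4545
4545 4545 4545 4545 4545 4545 4545 4545
4545 4545 4545 4545 4545 4545
"""

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(dump: str) -> dict:
    # Redacted bytes become zeros so offsets stay correct. They are never
    # reported, and the IP header checksum (which covers them) is not checked.
    pkt = bytes.fromhex("".join(dump.split()).replace("x", "0"))
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "ttl": pkt[8], "proto": pkt[9], "total_len": total_len,
        "icmp_type": itype, "icmp_code": code, "id": ident, "seq": seq,
        # Summing the ICMP message with its checksum field in place gives 0
        # when the checksum is valid.
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload_len": len(payload),
        "uniform_byte": payload[:1] if len(set(payload)) == 1 else None,
    }

def looks_like_e_ping(info: dict) -> bool:
    """Echo request (type 8) whose entire payload is the byte 0x45 ('E')."""
    return (info["proto"] == 1 and info["icmp_type"] == 8
            and info["uniform_byte"] == b"E")

if __name__ == "__main__":
    info = decode(DUMP)
    print(info, looks_like_e_ping(info))
```
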