[Dshield] BIG Jump in Ping Sweeps

Jon R. Kibler Jon.Kibler at aset.com
Sat Jan 6 23:16:32 GMT 2007


Valdis.Kletnieks at vt.edu wrote:
<SNIP!>
> 
> Did you remember to check whether the *other* blocked traffic has *dropped*,
> leaving the constant ICMP traffic a larger portion of a smaller pie?
> 
> (I've seen this before - somebody was wondering why 100% of his blocked
> traffic was UDP - turned out that his *real* problem was that the blocks
> on TCP traffic had gotten disabled due to a config whoopsie....)

Valdis,

Good point. However, I definitely checked before writing! 

The report I get every day has been fairly consistent for all types of traffic:
	tcp:	~5 to 7 blocks per IP per hour (about 65% of blocked traffic)
	udp:	~0.3 to 1.5 blocks per IP per hour (about 5% of blocked traffic)
	icmp:	~2 to 3 blocks per IP per hour (about 30% of blocked traffic)

However, yesterday, ICMP rates were as high as 15/hr/IP for several hours.

Another interesting side note: Going back and reviewing my reports in detail, I found that on Jan 1st, there was a doubling of UDP traffic that day -- all accounted for by a 250x jump in 135/udp traffic.

Jon
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
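
The check discussed in this exchange, as an added example that is not part of the original message: it compares each protocol's absolute block rate and its share of blocked traffic against a baseline, so a real spike can be told apart from a constant rate taking a larger portion of a smaller pie. The function names, thresholds and all counts are assumptions constructed for illustration; the baseline uses midpoints of the ranges quoted in the message.

```python
# Added example (not from the original message). All numbers are constructed.

def rates(counts, ips, hours):
    """Normalize raw block counts to blocks per IP per hour."""
    return {proto: n / (ips * hours) for proto, n in counts.items()}

def shares(rate):
    """Fraction of all blocked traffic attributed to each protocol."""
    total = sum(rate.values())
    return {p: (r / total if total else 0.0) for p, r in rate.items()}

def diagnose(baseline, current, rate_factor=2.0, share_delta=0.10):
    """Label each protocol using both its absolute rate and its share."""
    b_share, c_share = shares(baseline), shares(current)
    verdict = {}
    for proto, b_rate in baseline.items():
        c_rate = current.get(proto, 0.0)
        if b_rate:
            ratio = c_rate / b_rate
        else:
            ratio = float("inf") if c_rate else 1.0
        grew = c_share.get(proto, 0.0) - b_share[proto] >= share_delta
        if ratio >= rate_factor:
            verdict[proto] = "rate-spike"   # more blocks in absolute terms
        elif ratio <= 1 / rate_factor:
            verdict[proto] = "rate-drop"    # verify the block rule is still active
        elif grew:
            verdict[proto] = "share-only"   # same rate, smaller pie
        else:
            verdict[proto] = "normal"
    return verdict

# Baseline in blocks per IP per hour (midpoints of the quoted ranges).
BASELINE = {"tcp": 6.0, "udp": 0.9, "icmp": 2.5}

# Constructed hour A: ICMP blocks rise while TCP and UDP stay flat (100 IPs, 1 hour).
ICMP_SPIKE = rates({"tcp": 600, "udp": 90, "icmp": 1500}, ips=100, hours=1)

# Constructed hour B: TCP blocks vanish (e.g. a disabled rule); ICMP and UDP unchanged.
TCP_RULE_LOST = rates({"tcp": 0, "udp": 90, "icmp": 250}, ips=100, hours=1)

if __name__ == "__main__":
    for name, hour in (("A", ICMP_SPIKE), ("B", TCP_RULE_LOST)):
        print(name, diagnose(BASELINE, hour))
```

In hour B the ICMP share of blocked traffic rises far more than in hour A, yet only hour A is a real increase in ICMP blocks; the `rate-drop` label on TCP is what points at the configuration problem.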




