[Dshield] BIG Jump in Ping Sweeps

Jon R. Kibler Jon.Kibler at aset.com
Sat Jan 6 23:16:32 GMT 2007

Valdis.Kletnieks at vt.edu wrote:
> Did you remember to check whether the *other* blocked traffic has *dropped*,
> leaving the constant ICMP traffic a larger portion of a smaller pie?
> (I've seen this before - somebody was wondering why 100% of his blocked
> traffic was UDP - turned out that his *real* problem was that the blocks
> on TCP traffic had gotten disabled due to a config whoopsie....)


Good point. However, I definitely checked before writing!

The report I get every day has been fairly consistent for all types of traffic:
	tcp:	~5 to 7 blocks per IP per hour (about 65% of blocked traffic)
	udp:	~0.3 to 1.5 blocks per IP per hour (about 5% of blocked traffic)
	icmp:	~2 to 3 blocks per IP per hour (about 30% of blocked traffic)

However, yesterday, ICMP rates were as high as 15/hr/IP for several hours.

Another interesting side note: Going back and reviewing my reports in detail, I found that on Jan 1st, there was a doubling of UDP traffic that day -- all accounted for by a 250x jump in 135/udp traffic.
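As an added illustration of the kind of per-protocol, per-IP, per-hour baseline the report above tracks (this is example code written for this page, not the poster's report script or anything from DShield): it parses iptables-style kernel DROP lines, computes blocks per monitored IP per hour by protocol, flags any hour whose rate exceeds an assumed multiple of the baseline range quoted in the post, and breaks UDP blocks down by destination port so a jump like the 135/udp one can be accounted for. The log format, the monitored address list, the 3x flag threshold and every log line are constructed assumptions for the example.

```python
"""Per-protocol block-rate baseline check over firewall drop logs.

Added example, not code from the DShield list or the poster. Log lines,
monitored IPs and the flag threshold are all constructed assumptions.
"""
import re
from collections import Counter

# Assumed log format: iptables LOG target with prefix "DROP", syslog timestamp.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d{2}):\d{2}:\d{2} \S+ kernel: DROP "
    r"IN=\S+ .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)

# Baseline blocks/IP/hour as given in the post: (low, high).
BASELINE = {"tcp": (5.0, 7.0), "udp": (0.3, 1.5), "icmp": (2.0, 3.0)}
FLAG_MULTIPLE = 3.0  # assumption: flag when rate > 3x the baseline high end


def parse_line(line):
    """Return a dict with hour bucket, src, dst, proto and dpt, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "hour": f"{d['mon']} {int(d['day']):02d} {d['hh']}:00",
        "src": d["src"], "dst": d["dst"], "proto": d["proto"].lower(),
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def rates_per_hour(lines, monitored_ips):
    """Return {(hour, proto): blocks per monitored IP} for destinations we own."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] in monitored_ips:
            counts[(rec["hour"], rec["proto"])] += 1
    return {k: v / len(monitored_ips) for k, v in counts.items()}


def flag_hours(rates):
    """Hours where a protocol's rate exceeds FLAG_MULTIPLE x its baseline high end."""
    flagged = []
    for (hour, proto), rate in sorted(rates.items()):
        _low, high = BASELINE.get(proto, (0.0, 0.0))
        if rate > FLAG_MULTIPLE * high:
            flagged.append((hour, proto, rate))
    return flagged


def udp_port_breakdown(lines, monitored_ips):
    """Blocks per UDP destination port, to see what accounts for a UDP jump."""
    ports = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "udp" and rec["dst"] in monitored_ips:
            ports[rec["dpt"]] += 1
    return ports


def analyze(lines, monitored_ips):
    """Bundle the three views into one report dict."""
    rates = rates_per_hour(lines, monitored_ips)
    return {"rates": rates, "flagged": flag_hours(rates),
            "udp_ports": udp_port_breakdown(lines, monitored_ips)}


def sample_lines():
    """Constructed log lines (not real traffic) for two monitored hosts."""
    ips = ("192.0.2.10", "192.0.2.11")

    def line(mon, day, hh, src, dst, proto, dpt=None):
        extra = f" SPT=40000 DPT={dpt}" if dpt is not None else " TYPE=8 CODE=0"
        return (f"{mon} {day:2d} {hh:02d}:00:00 gw kernel: DROP IN=eth0 OUT= "
                f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
                f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto}{extra}")

    lines = []
    # Jan 5 13:00, a normal hour: 12 tcp, 2 udp, 5 icmp blocks across 2 IPs.
    lines += [line("Jan", 5, 13, f"198.51.100.{i+1}", ips[i % 2], "TCP", 445) for i in range(12)]
    lines += [line("Jan", 5, 13, f"198.51.100.{i+20}", ips[i % 2], "UDP", 53) for i in range(2)]
    lines += [line("Jan", 5, 13, f"198.51.100.{i+30}", ips[i % 2], "ICMP") for i in range(5)]
    # Jan 5 14:00, the sweep: tcp as usual, 30 icmp blocks (15 per IP).
    lines += [line("Jan", 5, 14, f"198.51.100.{i+1}", ips[i % 2], "TCP", 445) for i in range(12)]
    lines += [line("Jan", 5, 14, f"203.0.113.{i+1}", ips[i % 2], "ICMP") for i in range(30)]
    # Jan 1 10:00, a UDP jump dominated by 135/udp: 6 on 135, 2 on 53.
    lines += [line("Jan", 1, 10, f"198.51.100.{i+40}", ips[i % 2], "UDP", 135) for i in range(6)]
    lines += [line("Jan", 1, 10, f"198.51.100.{i+50}", ips[i % 2], "UDP", 53) for i in range(2)]
    # A drop toward a host we do not monitor; it must not count.
    lines.append(line("Jan", 5, 14, "203.0.113.99", "192.0.2.99", "ICMP"))
    return lines, ips


if __name__ == "__main__":
    report = analyze(*sample_lines())
    for key, rate in sorted(report["rates"].items()):
        print(f"{key[0]} {key[1]:<5} {rate:5.1f} blocks/IP/hr")
    print("flagged:", report["flagged"])
    print("udp ports:", dict(report["udp_ports"]))
```

Dividing by the number of monitored addresses is what keeps the per-IP figures comparable across sites of different size; the flag fires here only for the 14:00 ICMP hour (15/hr/IP against a 3/hr/IP baseline high), while the UDP hour stays under threshold and is instead explained by the port breakdown.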

