[Dshield] BIG Jump in Ping Sweeps

Jeff Kell jeff-kell at utc.edu
Sun Jan 7 16:13:14 GMT 2007


Can you be a bit more specific about the ICMP?

There is a "phenomenon" several people have been watching for some time
(myself included).  The characteristics are as follows:

* ICMP echo requests (type 8 subtype 0),
* raw ethernet packet length 74, IP packet length 60
* IP sequence numbers are "increasing" but not sequential
* ICMP request IDs are random
* ICMP payload is all nulls (not any known standard scan/ping tool)
* TTLs are believable (initial TTL probably 64, but TTLs consistent for
a given source)
* random but apparently spoofed sources (most samples answer ping
themselves)
* randomly distributed targets within the observed address block (not
sequential scan)
* does not appear at all in some IP blocks (not a totally random
destination scan)
* 1-4 attempts per scan within a few seconds
* no follow-up traffic (if answered or not)

The scans appear to come from a botnet given the diversity of sources
(but there are some clustered sources in some AS/IP blocks).

The traffic comes and goes with an initial rush start and tapering off
in the hours to follow.  It started the week before Christmas, with
peaks on 12/25, 12/27, and 1/02.  I have not seen a significant surge
since the Jan 2 spike but the traffic is still there.

The purpose is anybody's guess, but appears to be massive targeted
reconnaissance, most likely fingerprinting the destinations.

With that said, I still have no idea "why" unless it was a DDoS against
intrusion analysts' holiday plans :-)

Jeff
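A defender-side checker for the per-packet characteristics listed above, added here as an example and not part of the list thread. It parses constructed sample Ethernet/IPv4/ICMP frames (addresses from documentation ranges, checksums left zero) and reports sources whose probes match the 74/60-byte lengths, the all-null payload, a consistent TTL and the 1-4 attempt count described in the post.

```python
import struct
from collections import defaultdict

def build_echo_request(src, dst, ip_id, ttl, icmp_id, payload):
    """Constructed sample frame: Ethernet II + IPv4 + ICMP echo request (checksums left zero)."""
    ip_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, ip_id, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, 1) + payload
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def parse_frame(frame):
    """Return ICMP/IPv4 fields of an Ethernet II frame, or None if it is not IPv4/ICMP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, ip_id, _, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(ip) < ihl + 8:
        return None
    icmp_type, icmp_code, _, icmp_id, _ = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return {"frame_len": len(frame), "ip_len": total_len, "ip_id": ip_id, "ttl": ttl,
            "src": ".".join(map(str, ip[12:16])), "icmp_type": icmp_type,
            "icmp_code": icmp_code, "icmp_id": icmp_id, "payload": ip[ihl + 8:total_len]}

def matches_signature(pkt):
    """Per-packet test: echo request, 74-byte frame / 60-byte IP packet, 32 null payload bytes."""
    return (pkt is not None and pkt["icmp_type"] == 8 and pkt["icmp_code"] == 0
            and pkt["frame_len"] == 74 and pkt["ip_len"] == 60
            and len(pkt["payload"]) == 32 and not any(pkt["payload"]))

def suspect_sources(frames):
    """Group matching packets by source; report sources with 1-4 probes and a consistent TTL."""
    by_src = defaultdict(list)
    for pkt in filter(matches_signature, map(parse_frame, frames)):
        by_src[pkt["src"]].append(pkt)
    return sorted(src for src, pkts in by_src.items()
                  if 1 <= len(pkts) <= 4 and len({p["ttl"] for p in pkts}) == 1)

NULLS = b"\x00" * 32
SAMPLE_FRAMES = [  # constructed, not captured traffic
    build_echo_request("198.51.100.7", "203.0.113.40", 4100, 54, 0x1A2B, NULLS),
    build_echo_request("198.51.100.7", "203.0.113.211", 4107, 54, 0x77C0, NULLS),
    build_echo_request("198.51.100.7", "203.0.113.9", 4119, 54, 0x0C31, NULLS),
    build_echo_request("192.0.2.15", "203.0.113.40", 500, 117, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
]

if __name__ == "__main__":
    print(suspect_sources(SAMPLE_FRAMES))  # ['198.51.100.7']
```

The last sample frame has the same 74/60-byte lengths but a non-null payload, so it is not reported; a source whose TTL changes between probes is also dropped.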

