[Dshield] BIG Jump in Ping Sweeps
jeff-kell at utc.edu
Sun Jan 7 16:13:14 GMT 2007
Can you be a bit more specific about the ICMP?
There is a "phenomenon" several people have been watching for some time
(myself included). The characteristics are as follows:
* ICMP echo requests (type 8 subtype 0),
* raw ethernet packet length 74, IP packet length 60
* IP sequence numbers are "increasing" but not sequential
* ICMP request IDs are random
* ICMP payload is all nulls (not any known standard scan/ping tool)
* TTLs are believable (initial TTL probably 64, but TTLs consistent for
a given source)
* random but apparently spoofed sources (most samples answer ping
* randomly distributed targets within the observed address block (not
* does not appear at all in some IP blocks (not a totally random
* 1-4 attempts per scan within a few seconds
* no follow-up traffic (if answered or not)
The scans appear to come from a botnet given the diversity of sources
(but there are some clustered sources in some AS/IP blocks).
The traffic comes and goes with an initial rush start and tapering off
in the hours to follow. It started the week before Christmas, with
peaks on 12/25, 12/27, and 1/02. I have not seen a significant surge
since the Jan 2 spike but the traffic is still there.
The purpose is anybody's guess, but appears to be massive targeted
reconnaissance, most likely fingerprinting the destinations.
With that said, I still have no idea "why" unless it was a DDoS against
intrusion analysts' holiday plans :-)
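A detection check for the signature listed above, written as an added example and not part of the original post: it parses raw IPv4/ICMP bytes, flags packets with IP length 60, echo request type 8 code 0 and an all-null payload, and groups the hits by source address. All addresses and packets below are constructed (checksums left as zero) and the function names are my own.

```python
import struct
from collections import defaultdict
IP_TOTAL_LEN = 60                         # IP packet length seen in the sweep
NULL_PAYLOAD_LEN = IP_TOTAL_LEN - 20 - 8  # 20B IP header + 8B ICMP header -> 32B payload

def parse_ipv4_icmp(pkt: bytes):
    """Parse a raw IPv4 packet (no Ethernet header); None if not IPv4/ICMP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(pkt) < ihl + 8:
        return None
    icmp_type, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "ip_len": total_len, "type": icmp_type, "code": code,
            "id": icmp_id, "seq": seq, "payload": pkt[ihl + 8:total_len]}

def matches_null_sweep(pkt: bytes) -> bool:
    """True if the packet carries the exact signature listed in the post."""
    f = parse_ipv4_icmp(pkt)
    return (f is not None and f["type"] == 8 and f["code"] == 0
            and f["ip_len"] == IP_TOTAL_LEN
            and len(f["payload"]) == NULL_PAYLOAD_LEN and not any(f["payload"]))

def sweep_sources(pkts):
    """Group matching probes by source: {src: sorted list of distinct targets}."""
    hits = defaultdict(set)
    for p in pkts:
        if matches_null_sweep(p):
            f = parse_ipv4_icmp(p)
            hits[f["src"]].add(f["dst"])
    return {s: sorted(d) for s, d in hits.items()}

def build_echo_request(src, dst, payload, icmp_id=0x1234, ttl=64) -> bytes:
    """Constructed sample packet for testing only (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", 8, 0, 0, icmp_id, 1) + payload

# Constructed samples: two sweep probes from one source and a normal ping with a text payload
SAMPLES = [
    build_echo_request("203.0.113.5", "192.0.2.10", bytes(32)),
    build_echo_request("203.0.113.5", "192.0.2.77", bytes(32), icmp_id=0x9A1C),
    build_echo_request("198.51.100.9", "192.0.2.10", b"abcdefghijklmnopqrstuvwabcdefghi"),
]

if __name__ == "__main__":
    print(sweep_sources(SAMPLES))  # {'203.0.113.5': ['192.0.2.10', '192.0.2.77']}
```

To run it against real captures, feed it the IP layer of each frame (strip the 14-byte Ethernet header first) and look for sources hitting several scattered targets within a few seconds, which is the pattern the post describes.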