New echo reply exploit?

Peter Van Epp vanepp at sfu.ca
Mon Apr 7 16:40:34 GMT 2003


	After months of peace all of a sudden starting last Saturday I'm seeing
Echo Reply scans (i.e. an ICMP echo reply without a corresponding Echo request).
A favored target appears to be various DNS servers on our net (which may be 
just because they are public), with a smattering of other hosts tossed in.
Source addresses apparantly from all around the net. Is there a new exploit
of some kind out there? Anyone else seeing them (argus users can grep for 
ECR in ra output filtered on icmp)? The usual use for this has been DDOS 
zombies.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



More information about the unisog mailing list