New echo reply exploit?
Peter Van Epp
vanepp at sfu.ca
Mon Apr 7 16:40:34 GMT 2003
After months of peace all of a sudden starting last Saturday I'm seeing
Echo Reply scans (i.e. an ICMP echo reply without a corresponding Echo request).
A favored target appears to be various DNS servers on our net (which may be
just because they are public), with a smattering of other hosts tossed in.
Source addresses apparantly from all around the net. Is there a new exploit
of some kind out there? Anyone else seeing them (argus users can grep for
ECR in ra output filtered on icmp)? The usual use for this has been DDOS
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the unisog