ICMP storm

Kenneth Grande, Operations Manager, aspIT AS kenneth.grande at aspit.no
Tue Sep 23 14:06:32 GMT 2003


psad reports lots of ICMP requests from several hosts (with an IP near
the target machine).
 
The IPs of the hosts sending the ICMP packets and the "victim" are
somewhat alike:
 
217.199.xx.yy offender
217.199.xx.yy target
where xx and yy vary
 
 
I have other firewalls reporting ICMP requests from other hosts with the same
pattern:
 
1.2.x.y
1.2.x.y
where x and y vary
 
Has anyone seen this before?
 
I get approx. 50 alerts per 2 hours.
 
(an example report is available below.)
 
 
Best Regards,
Kenneth.
 
 
 
=-=-=-=-=-=-=-=-=-=-=-= Tue Sep 23 15:40:47 2003 =-=-=-=-=-=-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against (x.x.x.x).
 
 
               Source: 217.199.32.38
           Source DNS: [No reverse dns info available]
          Destination: x.x.x.x
         Danger level: [2] (out of 5)
 
     Current interval: Tue Sep 23 15:40:42 2003 (start)
                       Tue Sep 23 15:40:47 2003 (end)
         icmp packets: [1]
 
  Overall stats since: Fri Sep 19 16:22:49 2003
 
    chain:   interface:   tcp:   udp:   icmp:  
    input    eth0         0      0      83   
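As an added example (not part of the original post or of psad itself), the script below parses psad e-mail alerts in the layout quoted above and flags every source that falls in the same /16 as the target it hit, which is the pattern being asked about. The sample alert text is constructed here with RFC 5737 documentation addresses rather than the real ones; the prefix length is a parameter so the same check covers the second pattern (1.2.x.y) or a tighter /24.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of the psad alert quoted in the post.
# Addresses are RFC 5737 documentation ranges, not the post's real ones;
# the third alert comes from an unrelated prefix to show the contrast.
SAMPLE_ALERTS = """\
=-=-=-=-=-=-= Tue Sep 23 15:40:47 2003 =-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against (198.51.100.77).

               Source: 198.51.100.38
           Source DNS: [No reverse dns info available]
          Destination: 198.51.100.77
         Danger level: [2] (out of 5)
         icmp packets: [1]

=-=-=-=-=-=-= Tue Sep 23 15:52:10 2003 =-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against (198.51.100.77).

               Source: 198.51.200.9
           Source DNS: [No reverse dns info available]
          Destination: 198.51.100.77
         Danger level: [2] (out of 5)
         icmp packets: [3]

=-=-=-=-=-=-= Tue Sep 23 16:01:33 2003 =-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against (198.51.100.77).

               Source: 203.0.113.9
           Source DNS: [No reverse dns info available]
          Destination: 198.51.100.77
         Danger level: [1] (out of 5)
         icmp packets: [2]

=-=-=-=-=-=-= Tue Sep 23 16:20:05 2003 =-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against (198.51.100.77).

               Source: 198.51.100.38
          Destination: 198.51.100.77
         icmp packets: [4]
"""

# "Source:" deliberately does not match the "Source DNS:" line.
SOURCE_RE = re.compile(r"^\s*Source:\s*(\S+)")
DEST_RE = re.compile(r"^\s*Destination:\s*(\S+)")
ICMP_RE = re.compile(r"^\s*icmp packets:\s*\[(\d+)\]")


def parse_alerts(text):
    """Return (source, destination, icmp_count) for each psad alert block."""
    records, src, dst = [], None, None
    for line in text.splitlines():
        if m := SOURCE_RE.match(line):
            src, dst = m.group(1), None          # a new alert block starts
        elif m := DEST_RE.match(line):
            dst = m.group(1)
        elif (m := ICMP_RE.match(line)) and src and dst:
            records.append((src, dst, int(m.group(1))))
            src, dst = None, None
    return records


def shares_prefix(src, dst, prefixlen=16):
    """True if src lies in the same /prefixlen block as dst."""
    return ip_address(src) in ip_network(f"{dst}/{prefixlen}", strict=False)


def summarize(text, prefixlen=16):
    """Total ICMP packets per source, plus whether it sits near its target."""
    totals = defaultdict(int)
    near = {}
    for src, dst, count in parse_alerts(text):
        totals[src] += count
        near[src] = shares_prefix(src, dst, prefixlen)
    return {s: {"packets": totals[s], "near_target": near[s]} for s in totals}


def near_sources(text, prefixlen=16):
    """Sorted sources that share the /prefixlen with the target they hit."""
    return sorted(s for s, info in summarize(text, prefixlen).items()
                  if info["near_target"])


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_ALERTS).items()):
        flag = "NEAR" if info["near_target"] else "far "
        print(f"{flag} {src:<16} icmp={info['packets']}")
```

Feed it the concatenated alert mails (for example, the saved psad mailbox) instead of the constructed sample; a large share of "NEAR" sources with small per-source counts is what the post describes, while a single far source with a high count is a different story.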
 
 

