[unisog] ICMP Worm activity?

Dave Dittrich dittrich at u.washington.edu
Mon Nov 22 21:00:04 GMT 2004

> Is anyone aware of worm activity that randomly spoofs the source address,
> and the ICMP type in a DoS?

I think you might be talking about two different things.  There are
plenty of DDoS tools that do ICMP floods (sometimes forging lots of
parts of the packet), but I don't know of any worms that *propagate*
via ICMP.  It may not be a worm, but perhaps just a "blended threat"
that propagates widely, like Agobot/Phatbot.

Dave Dittrich                           Information Assurance Researcher,
dittrich at u.washington.edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5

More information about the unisog mailing list