[unisog] ICMP Worm activity?

DelVecchio, Anthony R. ARDELVECCHIO at stthomas.edu
Mon Nov 22 21:55:23 GMT 2004


The source addresses and the destination addresses are not ours. Fortunately
I don't let source spoofed addresses off campus.  Right now I'm moving my
anti-spoof ACL from vlan to vlan in hopes that I can find the network the
traffic is coming from.

With my luck, it's probably one of our law students with a compromised
notebook and the student will leave before I get a bead on it.



-----Original Message-----
From: Joel Gridley [mailto:jarmaug at tufts.edu] 
Sent: Monday, November 22, 2004 2:24 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] ICMP Worm activity?



When you say "randomly spoofs the source", do you mean random source
IPs from the local network? Or do you mean completely random?

We've seen the spoofing on the local subnet, about 6 months or so ago.
The name of the worm escapes me, but I do recall our networkers having
to scramble and use non-usual tactics to figure out the culprit due
to them spoofing the local subnet.

-j



On Mon, 22 Nov 2004, DelVecchio, Anthony R. allegedly wrote:

> Is anyone aware of worm activity that randomly spoofs the source address,
> and the ICMP type in a DoS?
>
>
>
>
>
> Tony DelVecchio
>
> Network Security Manager
>
> University of St Thomas
>
> St Paul, Mn
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog


