Michael Holstein <michael.holstein at csuohio.edu> writes:

>> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
>> neat trick.  You must have your voodoo filters turned up to 'more magic'.
> Nope .. earlier versions of (was it Blaster or Nachi .. I forget?)
> would ping-sweep a network so as not to "waste" tcp packets on dead
> hosts (because NT has a limit on the number of 'half-open' tcp
> sockets). This in turn generated massive amounts of ICMP which many of
> us reflexively blocked -- and never found good cause to reactivate.

Nachi used fast ping sweeps; I think that Blaster only sent TCP SYNs.

Anyway, the original Nachi deactivated as of 1/1/2004, and the current
problem viruses such as Sasser and Korgo, and manually initiated
PhatBot/RxBot scans, do not use ping sweeps of any kind.

