
AW: Strange ICMP: msg#00053

security.intrusions

Subject: AW: Strange ICMP

Hi Ron,

That's from the Sasser.D/.E/.F worm. From the router side you can limit the
ICMP rate, but it's better to patch the infected systems over a SUS server or
manually...

hope this helps.
chris

-----Original Message-----
From: intrusions-bounces@xxxxxxxxxxxxxx
[mailto:intrusions-bounces@xxxxxxxxxxxxxx] On Behalf Of Ron Shuck
Sent: Tuesday, 18 May 2004 16:49
To: snort-users@xxxxxxxxxxxxxxxxxxxxx; intrusions@xxxxxxxxxxxxxx
Subject: [Intrusions] Strange ICMP


Hi,

I am detecting an increased amount of ICMP Ping traffic. The strange
thing is that there are several sources that are hitting us about 1000
times a week. All of these sources have a last octet of some form of 36
and 37.

63.163.102.36 & 37
216.34.77.36 & 37
64.209.232.36 & 37
61.213.167.236 & 237
193.95.144.136 & 137

These are from different ISPs and in a couple countries. The destination
is on a Cable Modem that has no inbound access. It's not causing an
issue, it's just anomalous.

Anyone else seeing this kind of traffic, or have any ideas on the
origin?


Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions