
RE: [Full-Disclosure] [UPDATE] ping floods



All,

It might be this new worm, have a look at 

http://vil.nai.com/vil/content/v_100559.htm 

New RPC worm which will generate a lot of ICMP traffic.

Thanks,

Antony Abraham 

-----Original Message-----
From: B3r3n@argosnet.com [mailto:B3r3n@argosnet.com] 
Sent: Monday, August 18, 2003 6:56 PM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] [UPDATE] ping floods

All,

What we have here at the moment is the following:

1) IntraNet machines are pinging random IP addresses (both targeting
our IntraNet and outside)

2) From time to time, when a particular machine is pinging from a
subnet, it appears some new machines on that subnet are starting to ping
too.

3) These pings, grouped together, create flooding (even if singly
they seem to be pings with a 1/3s TTL delay), impacting the whole
IntraNet.

4) Checking a machine that is part of this ping "flood", we found nothing
suspicious (no unknown program, ...) but we don't master Windows
technology. The box was antivirused with a well-known vendor solution,
up-to-date in its virus definitions.

Our assumption is that this might be a brand new worm, not yet known to
antivirus companies (no news/alerts on their sites).

To solve this, we applied an access-list on our routers routing the ICMP
requests to bar these requests. This globally solved the problem
until we are able to solve each machine.

Thanks

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
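
The pattern reported in points 1) to 3) of the original message (internal hosts sending echo requests to many different addresses, with further hosts on the same subnet joining in) can be picked out of flow or firewall logs. The sketch below is an added example, not part of either e-mail; the record format, addresses, window length and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (epoch_seconds, src_ip, dst_ip, icmp_type).
# icmp_type 8 is an echo request, 0 an echo reply. All addresses are made up.
def build_sample():
    records = []
    # Two hosts on 10.1.2.0/24 pinging many distinct destinations.
    for i in range(40):
        records.append((1200 + i, "10.1.2.15", f"10.9.{i}.{i + 1}", 8))
    for i in range(30):
        records.append((1220 + i, "10.1.2.77", f"192.0.2.{i + 1}", 8))
    # A monitoring host pinging the same three gateways repeatedly.
    for i in range(60):
        records.append((1200 + i, "10.1.3.5", f"10.1.{i % 3}.1", 8))
    # Echo replies must not count against the replying host.
    for i in range(40):
        records.append((1200 + i, "10.9.0.1", "10.1.2.15", 0))
    return records

def find_sweepers(records, window=60, min_distinct=20):
    """Return {src: max distinct echo-request destinations in any window}."""
    buckets = defaultdict(set)  # (src, window index) -> destinations seen
    for ts, src, dst, icmp_type in records:
        if icmp_type != 8:  # only echo requests indicate active pinging
            continue
        buckets[(src, ts // window)].add(dst)
    worst = defaultdict(int)
    for (src, _), dsts in buckets.items():
        worst[src] = max(worst[src], len(dsts))
    # Volume alone is not enough: the monitoring host sends many pings
    # but to few destinations, so it stays below the threshold.
    return {s: n for s, n in worst.items() if n >= min_distinct}

def group_by_subnet(sweepers, prefix=24):
    """Group flagged sources by subnet to show where the behaviour spreads."""
    subnets = defaultdict(list)
    for src in sorted(sweepers, key=ip_address):
        net = ip_network(f"{src}/{prefix}", strict=False)
        subnets[str(net)].append(src)
    return dict(subnets)

if __name__ == "__main__":
    flagged = find_sweepers(build_sample())
    for net, hosts in group_by_subnet(flagged).items():
        print(net, hosts)
```

Grouping the flagged sources by subnet gives the per-segment list of machines to inspect once the router access-list has contained the traffic.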