lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <E16DE2F9D2ECDA4B9C8A3BCD744B9D7F012B91EC@ctsinblrsxub.cts.com>
From: Antony at blr.cognizant.com (Abraham, Antony  (Cognizant))
Subject: [UPDATE] ping floods

All,

It might be this new worm, have a look at 

http://vil.nai.com/vil/content/v_100559.htm 

New RPC worm which will generate lot of ICMP traffic.

Thanks,

Antony Abraham 

-----Original Message-----
From: B3r3n@...osnet.com [mailto:B3r3n@...osnet.com] 
Sent: Monday, August 18, 2003 6:56 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] [UPDATE] ping floods

All,

What we have here at the moment is the following:

1) IntraNet machines are pinging to random IP addresses (both targetting
our IntraNet and outside)

2) From time to time, when a particular machine is pinging from a
subnet, it appears some new machines on that subnet are starting to ping
too.

3) these pings, grouped together, creates flooding (even if singlely
they seems to be ping with a 1/3s TTL delay) impacting the whole
IntraNet.

4) Checking a machine part of this ping "flood", we found nothing
suspicious (no unknown program, ...) but we dont master Windows
technology. The box was antivirused with a well-known vendor solution,
up-to-date in its virus definitions.

Our assumptions is this might be a brand new worm, not yet known to
antivirus companies (no news/alerts on their sites).

To solve, we applied on our routers routing the ICMP requests an
access-list to bar these requests. This globally solved the problem
until we can be able to solve each machine.

Thanks

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: InterScan_Disclaimer.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030818/a97d4e2e/InterScan_Disclaimer.txt

Powered by blists - more mailing lists