Ping City - Am I Special?
Rickster
August 18th, 2003, 09:42 PM
Curious, starting at 10:57 Mountain Time today I'm being flooded with ICMP pings from different IPs, port 0 to port 0, most domains belonging to my ISP. Over 700 in the last 6 hours alone. My ISP mentioned a malfunction by folks using the NETGEAR 4-port Home Networking Router Model RP614 4-Port Cable/DSL Router with 10/100 Mbps Switch. If that's true, someone else might see the same thing on their logs (I hope). I mean, what are the odds 700 different IPs use that particular router in this time frame. Do routers generate new IPs like that? If so, that might explain it. Wondered if I was being singled out.
Thanks, Rickster
AplusWebMaster
August 18th, 2003, 11:14 PM
:o Possibly from worm - see this thread:
http://www.wilderssecurity.com/showthread.php?t=12597;start=msg80983#msg80983
Rickster
August 18th, 2003, 11:50 PM
Thanks very much AplusWebMaster-Man! That explains it. Looks like the year of the Worm.
In a week we went from MSBlaster A to D and looks like they plan to run the whole alphabet.
Very Grateful To You, Rickster
the Tester
August 19th, 2003, 06:10 PM
WOW!!!
I have had 113 ICMP type 8 (echo) code 0 entries in the LnS firewall in 45 minutes!
That's a lot for me.
This worm appears to be more active.
I didn't see this much activity last week!
"the Year of the worm"?
I agree there!
Detox
August 19th, 2003, 07:33 PM
wow, I hadn't checked in on the "traffic log" of Sygate lately.. no kidding, lots of blocked pings in there!
Rickster
August 20th, 2003, 04:41 PM
Hi Tester and Detox, been a long time. When I came in this morning I cleared and backed up a log with over 2,400 hits accrued in 24 hours, 95% ICMP pings and 90% being from U.S. domains in my ISP. It makes me wonder how ISP-specific distribution is. My ISP is Adelphia, so the extraordinary volume sourced from their domains seems comparatively high - or is it? 800 today in the past 5 hours.
Best Regards, Rickster.
LowWaterMark
August 20th, 2003, 05:15 PM
I have to say the transition in the worm traffic from TCP port 135 to Pings was certainly rapid and impressive... I've had 737 pings in 8 hours, and virtually all of them from people on my local ISP service.
My ISP was one of those that started blocking inbound TCP port 135 at their perimeter a few days ago, so the only 135 traffic I've seen since then was from infected systems of people on my ISP's network.
But this change is really amazing.
BlitzenZeus
August 20th, 2003, 05:35 PM
My stats from the log file are showing the same thing.
Roughly, I'm getting 100 ICMP echo requests (8) for every 70 port 135 probes.
Rickster
August 22nd, 2003, 04:51 AM
Could be premature, but since 2:00 pm MT, pings fell from 65 to 85 per hour to 8 to 10 per hour. I wonder if the worm is expiring or if my ISP is starting to block infected IPs or domains. Anyone else notice the sharp drop-off?
Always Curious, Rickster
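The counts BlitzenZeus and Rickster are pulling out of their firewall logs (echo requests per port 135 probe, and the hour-over-hour drop-off in pings) can be computed with a small script. The example below is added here and is not from any poster; the log format and the addresses are constructed, and the only assumption is a one-event-per-line log that names the protocol, destination port and ICMP type.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any poster's firewall): one blocked event per line.
SAMPLE_LOG = """\
2003-08-21 13:05:11 BLOCK ICMP 10.0.0.1 -> 10.0.0.2 type=8 code=0
2003-08-21 13:20:03 BLOCK TCP 10.0.0.3 -> 10.0.0.2:135
2003-08-21 13:41:55 BLOCK ICMP 10.0.0.4 -> 10.0.0.2 type=8 code=0
2003-08-21 13:42:15 BLOCK ICMP 10.0.0.5 -> 10.0.0.2 type=8 code=0
2003-08-21 13:58:40 BLOCK ICMP 10.0.0.6 -> 10.0.0.2 type=8 code=0
2003-08-21 14:02:17 BLOCK ICMP 10.0.0.7 -> 10.0.0.2 type=8 code=0
2003-08-21 14:30:44 BLOCK TCP 10.0.0.8 -> 10.0.0.2:135
2003-08-21 15:10:09 BLOCK TCP 10.0.0.9 -> 10.0.0.2:80
2003-08-21 15:15:00 BLOCK ICMP 10.0.0.10 -> 10.0.0.2 type=8 code=0
"""

# Assumed line layout: "YYYY-MM-DD HH:MM:SS BLOCK PROTO src -> dst[:port] [type=N code=N]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} BLOCK (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>\S+) -> (?P<dst>[\d.]+)(?::(?P<port>\d+))?(?: type=(?P<type>\d+) code=\d+)?$"
)

def hourly_counts(log_text):
    """Return {hour: {"echo": n, "tcp135": n}} counting ICMP echo (type 8) and TCP/135 blocks."""
    counts = defaultdict(lambda: {"echo": 0, "tcp135": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected layout
        if m["proto"] == "ICMP" and m["type"] == "8":
            counts[m["ts"]]["echo"] += 1
        elif m["proto"] == "TCP" and m["port"] == "135":
            counts[m["ts"]]["tcp135"] += 1
    return dict(counts)

def echo_per_135(counts):
    """Echo requests seen per TCP/135 probe over the whole log (None if no 135 probes)."""
    echo = sum(c["echo"] for c in counts.values())
    probes = sum(c["tcp135"] for c in counts.values())
    return echo / probes if probes else None

def dropoff_hours(counts, factor=4):
    """Hours whose echo volume is at most 1/factor of the preceding logged hour's volume."""
    hours = sorted(counts)  # only hours with at least one counted event are present
    drops = []
    for prev, cur in zip(hours, hours[1:]):
        before, after = counts[prev]["echo"], counts[cur]["echo"]
        if before and after * factor <= before:
            drops.append(cur)
    return drops
```

Feed the real log through `hourly_counts` to get the per-hour table, then `echo_per_135` for the ratio BlitzenZeus quotes and `dropoff_hours` to confirm a fall like the one Rickster reports.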
Paul Wilders
August 22nd, 2003, 05:04 AM
Rickster,
-{ Quote: "I wonder if the worm is expiring or if my ISP is starting to block infected IP's or domains. Anyone else notice the sharp drop-off?" }-
Not really: 100 times last 60 minutes over here ;)
regards.
paul
MickeyTheMan
August 22nd, 2003, 05:17 AM
I simply disable logging of these entries.
LNS blocks them, but i don't want to be bothered with the logs
Rickster
August 22nd, 2003, 06:57 AM
I shot an e-mail to a tech at my ISP and will let you know if they respond, but from what Paul said, the worm isn't expiring, so my ISP might be intervening. I find that hard to believe though. Remember the BS they told me early on about it having something to do with a malfunctioning router?
A two-minute visit to Wilders and I knew exactly what was going on and had to inform my ISP - which they acknowledged via e-mail much later. Where do ISPs get their people? A shoe store? (No offense to people who sell shoes - first job I got out of the army). They should be reading Wilders every day instead of comic books.
Wasn't a big deal, since my firewall is doing its job, I'm patched and could care less how big the log gets, but the sheer volume was having a notable effect on speed & connectivity within my ISP. At the onset my first concern was whether I was being singled out, but you folks answered that one in a few seconds.
Best Regards and Thanks All - Rickster
Detox
August 22nd, 2003, 10:38 AM
Hm, well, wouldn't it be possible that 1 or 2 (maybe more?) people on your ISP network cleaned themselves of the worm, thereby cutting down the pings in your firewall log? Just a thought - thinking positive 8)
Rickster
August 22nd, 2003, 04:05 PM
Well, to their credit they're taking proactive measures and this is the response they issued... and it seems to be working:
"In order to continue stabilizing our network, Adelphia will be taking additional measures that will impact a small percentage of Power Link customers that use ping commands. Low-level pings will be blocked for an undetermined amount of time. If you use pings, you may not be able to ping anything outside the Adelphia network while this block is in place. This will only affect the small percentage of Power Link customers who use pings. As soon as the spread of the worm is under control and our network is stabilized, we will remove this block. We regret to have to put this block into effect, but it is crucial to stabilize the network and reduce the number of requests currently flooding our system due to the virus"
Regards, Rickster
LowWaterMark
August 22nd, 2003, 04:31 PM
My ISP removed the perimeter block they had on incoming TCP port 135 earlier today, but, in spite of some of those appearing in my fw log, the pings still outnumber them 25 to 1.
As much as I like to log these things, (just so I'll see the trends myself that people are asking about on the forums), I finally had enough and created a system-wide block/nolog rule for both incoming pings and 135/TCP.
I glance at my log viewer every couple hours just to see what's going on and it was almost impossible to see anything other than the thousands of pings and hundreds of port 135 hits.
You know what, silence really is golden. ;)
Copyright ©2002 - 2012, Wilders Security Forums