Strato.net

Hi ,
For a few days I've been getting bombarded with incoming Echo Requests from strato.net. It's basically constant.
I looked at their web page, and can't figure out why they would be doing this. I've never been there before.
Can any one explain this to me?

Thanks,
Douglas

[LowWaterMark]

Hi Douglas,

I know you've stated what appears to be a complete description of the occurrence, however it is always helpful to actually include several examples right from the full firewall log. Sometimes there is some small and subtle thing that the log will show that isn't readily apparant from a text description.

Hi LWM,
Thanks for responding.
The traffic has died down quite a bit, but it's still happening. The log is for about 10 minutes. This is now fairly normal.
BTW, I googled about echo requests, trying to learn, but I didn't do a very good job. All I really saw was a claim that worms on other people's computers can cause this. True?

Regards,
Douglas

[LowWaterMark]

Yes, that is most probably (+99% likely) Worm related activity. The worm Nachi (aka. Welchia, and other names) has been out a few months now. The way it usually works is after infecting a system, it pings other systems in the same network range looking for other systems to infect. It use an RPC DCOM exploit to get into systems that have that running, not patched to the specific vulnerability and which are unprotected by any firewall mechanism.

Notice that the source addresses are all (mostly) different. It isn't strato.net (as in the web server at that name) that is doing this, it is individual users at different IP addresses (probably customers of theirs if they are an ISP).

Here's some reading on the worm:

http://www.sophos.com/virusinfo/analyses/w32nachia.html

Many thanks LWM. Much clearer now.
Best Regards,
Douglas