Ping City - Am I Special?

Discussion in 'other security issues & news' started by Rickster, Aug 18, 2003.

Thread Status:
Not open for further replies.
  1. Rickster

    Rickster Guest

    Curious, starting at 10:57 Mountain Time today I'm being flooded with ICMP pings from different IPs port 0 to port 0, most domains belonging to my ISP. Over 700 the last 6 hours alone. My ISP mentioned a malfunction by folks using NETGEAR 4-port Home Networking Router Model RP614 4-Port Cable/DSL Router with 10/100 Mbps Switch. If that's true, someone else might see the same thing on their logs (I hope). I mean, what are the odds 700 different IPs use that particular router in this time frame. Do routers generate new IPs like that? If so, that might explain it. Wondered if I was being singled out.

    Thanks, Rickster
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  3. Rickster

    Rickster Guest

    Thanks very much AplusWebMaster-Man! That explains it. Looks like the year of the Worm.
    In a week we went from MSBlaster A to D and looks like they plan to run the whole alphabet.

    Very Grateful To You, Rickster
     
  4. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    WOW!!!

    I have had 113 ICMP type 8 (echo) code 0 entries in LnS firewall in 45 minutes!
    That's a lot for me.

    This worm appears to be more active.
    I didn't see this much activity last week!

    "the Year of the worm"?
    I agree there!
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    wow, I hadn't checked in on the "traffic log" of Sygate lately.. no kidding, lots of blocked pings in there!
     
  6. Rickster

    Rickster Guest

    Hi Tester and Detox, been a long time. When I came in this morning I cleared and backed-up a log with over 2,400 hits accrued in 24 hours, 95% ICMP pings and 90% being from U.S. domains in my ISP. It makes me wonder how ISP specific distribution is. My ISP is Adelphia, so the extraordinary volume sourced from their domains seems comparatively high - or is it? 800 today in the past 5 hours.

    Best Regards, Rickster.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    I have to say the transition in the worm traffic from TCP port 135 to Pings was certainly rapid and impressive... I've had 737 pings in 8 hours, and virtually all of them from people on my local ISP service.

    My ISP was one of those that started blocking inbound TCP port 135 at their perimeter a few days ago, so the only 135 traffic I've seen since then was from infected systems of people on my ISP's network.

    But this change is really amazing.
     
  8. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    My stats from the log file are showing the same thing,

    Roughly I'm getting 100 ICMP echo requests (8) for every 70 port 135 probes.
     
  9. Rickster

    Rickster Guest

    Could be premature, but since 2:00 pm MT, pings fell from 65 to 85 per hour to 8 to 10 per hour. I wonder if the worm is expiring or if my ISP is starting to block infected IPs or domains. Anyone else notice the sharp drop-off?

    Always Curious, Rickster
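    Several posters above are pulling the same figures out of their firewall logs by hand: echo requests per hour, how many distinct sources they come from, the echo-to-port-135 ratio, and whether the hourly rate is tailing off. As an added example (not from the thread or any poster's firewall), the following Python derives those figures from a constructed, generically formatted block log; the log layout and the addresses in it are made up.

```python
import re
from collections import Counter, defaultdict
# Constructed sample firewall log (not any poster's real log); the line layout
# "<date> <time> BLOCK <proto> <src> -> <dst> <detail>" is an assumption.
SAMPLE_LOG = """\
2003-08-18 10:57:03 BLOCK ICMP 24.48.0.11 -> 24.48.0.200 type=8 code=0
2003-08-18 10:58:10 BLOCK TCP 24.48.3.7:3421 -> 24.48.0.200:135
2003-08-18 11:02:44 BLOCK ICMP 24.48.9.2 -> 24.48.0.200 type=8 code=0
2003-08-18 11:05:01 BLOCK ICMP 24.48.1.9 -> 24.48.0.200 type=8 code=0
2003-08-18 11:07:30 BLOCK ICMP 24.48.5.5 -> 24.48.0.200 type=3 code=3
2003-08-18 11:09:12 BLOCK ICMP 24.48.1.9 -> 24.48.0.200 type=8 code=0
2003-08-18 11:11:40 BLOCK ICMP 24.48.6.3 -> 24.48.0.200 type=8 code=0
2003-08-18 11:20:18 BLOCK TCP 24.48.7.1:1044 -> 24.48.0.200:135
2003-08-18 11:21:00 BLOCK TCP 24.48.7.1:1045 -> 24.48.0.200:445
2003-08-18 12:03:12 BLOCK ICMP 24.48.2.2 -> 24.48.0.200 type=8 code=0
"""
ICMP_RE = re.compile(r"^(\S+ \d\d):\d\d:\d\d BLOCK ICMP (\S+) -> \S+ type=(\d+) code=(\d+)$")
TCP_RE = re.compile(r"^(\S+ \d\d):\d\d:\d\d BLOCK TCP (\S+):\d+ -> \S+:(\d+)$")

def classify(line):
    """(hour, kind, src): 'echo' = ICMP type 8 code 0, 'tcp135' = TCP to 135, else None."""
    m = ICMP_RE.match(line)
    if m:
        return m.group(1), "echo" if m.group(3, 4) == ("8", "0") else None, m.group(2)
    m = TCP_RE.match(line)
    if m:
        return m.group(1), "tcp135" if m.group(3) == "135" else None, m.group(2)
    return None, None, None

def hourly_stats(log_text):
    """Per hour: (echo requests, TCP/135 probes, distinct echo source IPs)."""
    counts, sources = defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        hour, kind, src = classify(line)
        if kind is None:
            continue
        counts[hour][kind] += 1
        if kind == "echo":
            sources[hour].add(src)
    return {h: (c["echo"], c["tcp135"], len(sources[h])) for h, c in counts.items()}

def echo_per_135(stats):
    """Whole-log ratio of echo requests to port-135 probes, None if no probes."""
    echo, probes = (sum(t[i] for t in stats.values()) for i in (0, 1))
    return echo / probes if probes else None

def dropoff_hours(stats, factor=4):
    """Hours whose echo count is at most 1/factor of the previous logged hour's."""
    hours = sorted(stats)
    return [h for p, h in zip(hours, hours[1:]) if stats[p][0] >= factor * stats[h][0]]
```

On the constructed log, the 11:00 hour shows four echo requests from three distinct sources, and the 12:00 hour is flagged as a drop-off.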
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rickster,

    Not really: 100 times last 60 minutes over here ;)

    regards.

    paul
     
  11. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    I simply disable logging of these entries.
    LNS blocks them, but i don't want to be bothered with the logs
     
  12. Rickster

    Rickster Guest

    I shot an e-mail to a tech at my ISP and will let you know if they respond, but from what Paul said, the worm isn't expiring, so my ISP might be intervening. I find that hard to believe though. Remember the BS they told me early on about it having something to do with a malfunctioning router?

    A two-minute visit to Wilders and I knew exactly what was going on and had to inform my ISP - which they acknowledged via e-mail much later. Where do ISPs get their people? A shoe store? (No offense to people who sell shoes - first job I got out of the army). They should be reading Wilders every day instead of comic books.

    Wasn't a big deal, since my firewall is doing its job, I'm patched and could care less how big the log gets, but the sheer volume was having a notable effect on speed & connectivity within my ISP. At the onset my first concern was whether I was being singled out, but you folks answered that one in a few seconds.

    Best Regards and Thanks All - Rickster
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hm well wouldn't it be possible that 1 or 2 (maybe more?) people on your ISP network cleaned themselves of the worm thereby cutting down the pings in your firewall log? Just a thought - thinking positive :cool:
     
  14. Rickster

    Rickster Guest

    Well, to their credit they're taking proactive measures and this is the response they issued...and it seems to be working:

    "In order to continue stabilizing our network, Adelphia will be taking additional measures that will impact a small percentage of Power Link customers that use ping commands. Low-level pings will be blocked for an undetermined amount of time. If you use pings, you may not be able to ping anything outside the Adelphia network while this block is in place. This will only affect the small percentage of Power Link customers who use pings. As soon as the spread of the worm is under control and our network is stabilized, we will remove this block. We regret to have to put this block into effect, but it is crucial to stabilize the network and reduce the number of requests currently flooding our system due to the virus."

    Regards, Rickster
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    My ISP removed the perimeter block they had on incoming TCP port 135 earlier today, but, in spite of some of those appearing in my fw log, the pings still outnumber them 25 to 1.

    As much as I like to log these things, (just so I'll see the trends myself that people are asking about on the forums), I finally had enough and created a system-wide block/nolog rule for both incoming pings and 135/TCP.

    I glance at my log viewer every couple hours just to see what's going on and it was almost impossible to see anything other than the thousands of pings and hundreds of port 135 hits.

    You know what, silence really is golden. ;)
     