Security Basics mailing list archives
Re: IP flood?
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Wed, 17 Sep 2003 15:36:51 -0600
On Wed, Sep 17, 2003 at 09:01:18AM -0700, EricBrown wrote:
> He called tech support, and they changed his dynamic IP to a different one, and this stopped the activity for about an hour. I uninstalled an older version of Zone Alarm, and installed the newest one, and the activity stopped for about 2 hours. His Norton's anti-virus is fully updated. I've run NMap and LANguard network scanner. With Zone Alarm on, he doesn't show up. Without Zone Alarm, no ports other than what you would expect on a Win98 machine (no 31337). I ran grc.com's Shields Up and got nothing.
Sounds like the neighborhood has a case of W32/Nachi-A. It methodically pings a good deal of IP addresses. In effect it is guessing this guy's (and everyone else's) IP address.
> Can we stop the IP flood? Can or should the ISP? Or should he just shut off notification in Zone Alarm so he doesn't see the messages?
The only way you are going to stop the flood is:
- everyone disinfects their machine and applies a fix for MS03-26
- your ISP blocks ICMP echo requests from infected machines
- your firewall blocks ICMP echo requests from infected machines

If you can alter ZoneAlarm so that this particular kind of ICMP echo request doesn't generate a notification, that will be your best bet. Or just turn off the Ping notification.

-----------------------------------------------------------------------
   __o          Bradley Arlt              Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca  University Of Calgary
(_)/(_)         Joyously Canadian         Computer Science