Security Basics mailing list archives

Re: IP flood?


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Wed, 17 Sep 2003 15:36:51 -0600

On Wed, Sep 17, 2003 at 09:01:18AM -0700, EricBrown wrote:
> He call tech support, and they changed his dynamic IP to a different
> one, and this stopped the activity for about an hour.  I uninstalled
> an older version of Zone Alarm, and installed the newest one, and
> the activity stopped for about 2 hours.  His Norton's anti-virus is
> fully updated.  I've run NMap and LANguard network scanner.  With
> zone alarm on, he doesn't show up.  Without zone alarm, no ports
> other than what you would expect on a Win98 machine (no 31337).  I
> ran grc.com's Shields Up and got nothing.

Sounds like the neighborhood has a case of W32/Nachi-A.  It
methodically pings a good deal of IP addresses.  In effect it is guessing
this guy's (and everyone else's) IP address.

> Can we stop the IP flood?  Can or should the ISP?  Or should he just
> shut off notification in Zone Alarm so he doesn't see the messages.

The only way you are going to stop the flood is: 

 - everyone disinfects their machine and applies a fix for MS03-26
 - your ISP blocks ICMP echo requests from infected machines
 - your firewall blocks ICMP echo requests from infected machines

If you can alter ZoneAlarm so that this particular kind of ICMP echo
request doesn't generate a notification, that will be your best bet.
Or just turn off the Ping notification.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science
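As an added illustration of the "firewall blocks ICMP echo requests from infected machines" option above (example code, not from this post, ZoneAlarm or any ISP): a short Python script that reads constructed firewall log lines, flags sources that ping many distinct addresses in a short window (the sweep behaviour the reply attributes to the worm), and emits Linux iptables rules for only those sources. The log format, addresses and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real ZoneAlarm output): "timestamp proto src dst type".
SAMPLE_LOG = """\
2003-09-17T15:30:01 ICMP 10.1.2.3 10.1.9.1 echo-request
2003-09-17T15:30:01 ICMP 10.1.2.3 10.1.9.2 echo-request
2003-09-17T15:30:02 ICMP 10.1.2.3 10.1.9.3 echo-request
2003-09-17T15:30:02 ICMP 10.1.2.3 10.1.9.4 echo-request
2003-09-17T15:30:03 ICMP 10.1.2.3 10.1.9.5 echo-request
2003-09-17T15:30:03 ICMP 10.1.2.3 10.1.9.6 echo-request
2003-09-17T15:30:05 ICMP 10.1.2.50 10.1.9.1 echo-request
2003-09-17T15:30:15 ICMP 10.1.2.50 10.1.9.1 echo-request
2003-09-17T15:30:25 ICMP 10.1.2.50 10.1.9.1 echo-request
2003-09-17T15:30:35 ICMP 10.1.2.50 10.1.9.1 echo-request
2003-09-17T15:30:06 ICMP 10.1.9.1 10.1.2.3 echo-reply
2003-09-17T15:30:07 TCP 10.1.2.77 10.1.9.1 syn
"""

def parse_line(line):
    ts, proto, src, dst, kind = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, kind

def find_sweepers(log_text, window=timedelta(seconds=60), min_targets=4):
    """Map each source that sent echo requests to at least `min_targets` distinct
    destinations inside any `window` to the largest such count. A host pinging
    one address over and over (monitoring) is not a sweep and is not flagged."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, kind = parse_line(line)
        if proto == "ICMP" and kind == "echo-request":
            events[src].append((ts, dst))
    sweepers = {}
    for src, evs in events.items():
        evs.sort()
        left = 0  # sliding window over this source's echo requests, in time order
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            targets = {dst for _, dst in evs[left:right + 1]}
            if len(targets) >= min_targets:
                sweepers[src] = max(sweepers.get(src, 0), len(targets))
    return sweepers

def block_rules(sweepers):
    """iptables rules dropping echo requests from flagged sources only, so ping keeps working for everyone else."""
    return [f"iptables -A INPUT -s {src} -p icmp --icmp-type echo-request -j DROP"
            for src in sorted(sweepers)]
```

Lower `min_targets` or widen `window` to taste; the point is to key on the number of distinct destinations, not the raw ping count, so a legitimate monitor pinging one host is left alone.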


