beta.13 (and beta.12) insect

Neil Long neil.long at computing-services.oxford.ac.uk
Mon Aug 25 12:24:26 EDT 2003



> On Mon, 2003-08-25 at 17:12:34 +0100, Neil Long proclaimed...
>
> > Just a thought - are you having major icmp floods with these MS-RPC worms?
> >
> > Until we filtered them my argus collector was dropping vast amounts of
> > packets as reported
> > by tcpdump and friends
> >
>
> Yep, we are. We had to change our argus.conf filter to not include
> icmp.
>
> Is  there a way to filter out something like the following in the
> argus.conf (this is what I'm using to detect the infected hosts
> using tcpdump)
>
> 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA &&
> icmp[12:4]==0xAAAAAAAA'
>

You need to filter them on your routers (or firewall) - they are icmp type
echo and size 92 but the precise incantation depends on your routers.

At the very least filter icmp echo requests until you can track them down
(and the storm inbound is probably as damaging).

Alternatively you may be able to rate limit them if you have a desperate
need to continue to permit pings.

best of luck

regards
Neil
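The thread above combines two tests for the worm pings: the tcpdump expression (icmp echo request whose first eight payload bytes, icmp[8:4] and icmp[12:4], are 0xAA) and Neil's router-side description (icmp echo, size 92). The following is an added example, not code from the argus list or the argus project, that applies both tests to raw IPv4 datagrams and tallies matches per source address, which is the infected-host list the original poster was after. All frames are constructed in the script (no capture); the addresses, the 64-byte 0xAA payload and the ordinary 56-byte ping payload are assumptions chosen to illustrate the match and the non-matches.

```python
"""Offline check for the 0xAA ICMP echo flood discussed in the thread.

Added example, not code from the argus mailing list or the argus project.
It implements the same test as the quoted tcpdump expression
(icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA)
plus the 92-byte total size mentioned in the reply, over raw IPv4 datagrams
that are built here. Every sample frame below is constructed, not captured.
"""
import socket
import struct
from collections import Counter

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
WORM_PING_TOTAL_LEN = 92      # 20-byte IP header + 8-byte ICMP header + 64-byte payload
WORM_MARKER = b"\xaa" * 8     # what BPF icmp[8:4] and icmp[12:4] look at


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp_echo(src: str, dst: str, payload: bytes,
                         ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a minimal IPv4 datagram (no options) carrying an ICMP echo request."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    icmp_csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, icmp_csum, ident, seq) + payload
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def is_worm_ping(frame: bytes) -> bool:
    """True for an ICMP echo request carrying the 0xAA marker in a 92-byte datagram."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return False
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_ICMP or total_len > len(frame):
        return False
    icmp = frame[ihl:total_len]
    if len(icmp) < 16 or icmp[0] != ICMP_ECHO_REQUEST:
        return False
    # Equivalent of icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA:
    # the first eight payload bytes after the 8-byte echo header.
    if icmp[8:16] != WORM_MARKER:
        return False
    # The size test from the reply narrows the tcpdump expression further.
    return total_len == WORM_PING_TOTAL_LEN


def suspect_sources(frames) -> Counter:
    """Count worm-style echo requests per source address (candidate infected hosts)."""
    hits = Counter()
    for frame in frames:
        if is_worm_ping(frame):
            hits[socket.inet_ntoa(frame[12:16])] += 1
    return hits


# Constructed samples (assumed addresses): two worm-style pings from one host,
# an ordinary 56-byte-payload ping, and a marker-bearing ping of the wrong size.
SAMPLE_FRAMES = [
    build_ipv4_icmp_echo("10.0.0.7", "10.0.1.3", b"\xaa" * 64),
    build_ipv4_icmp_echo("10.0.0.7", "10.0.1.4", b"\xaa" * 64, seq=2),
    build_ipv4_icmp_echo("10.0.0.9", "10.0.1.3", bytes(range(8)) + bytes(range(0x10, 0x40))),
    build_ipv4_icmp_echo("10.0.0.11", "10.0.1.3", b"\xaa" * 32),
]

if __name__ == "__main__":
    for src, count in suspect_sources(SAMPLE_FRAMES).items():
        print(f"{src}: {count} worm-style echo requests")
```

The last sample shows why the size test is worth keeping alongside the payload test: a 0xAA-patterned ping of another length satisfies the tcpdump expression alone but not the 92-byte condition, so the two checks together give fewer false hits when building a list of hosts to chase down.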