ICMP Echo/HTTP Pattern, HP Mystery Patch Explained, DNS Reflector Attack(?)

Published: 2004-01-20. Last Updated: 2004-01-21 01:38:34 UTC
by Tom Liston (Version: 1)
0 comment(s)
Combined ICMP Echo Request and TCP Port 80 Traffic

We have received reports of an odd traffic pattern: a single ICMP echo request followed immediately by an HTTP request for the default website page. This pattern is repeated at a daily rate of approximately 1200 times per day, each sourced from a different IP.



We're "fishing" (rather than "phishing") for information on this. If anyone out there is experiencing the same phenomenon, please drop us a note:



http://isc.sans.org/contact.html



HP Patch Mystery Explained

In the January 16th Diary ( http://isc.sans.org/diary.html?date=2004-01-16 ), we mentioned that HP had made a "mystery" patch available for SSH on Tru64 Unix. This article explains its purpose:



http://news.zdnet.co.uk/software/linuxunix/0,39020390,39119149,00.htm



The patch fixes flaws in both SSH and VPN on Tru64 Unix. The flaws are believed to be present only in the Tru64 versions of these services.



Looking For Signs of Large Scale DNS Reflector Attack

We have received reports of DNS servers suddenly attempting to repeatedly and rapidly resolve a single hostname.



Again, we're on a "fishing" expedition here, folks. Please take a look for this behavior on your networks and report anything you find to us.



http://isc.sans.org/contact.html



-------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )
Keywords:
0 comment(s)

Comments


Diary Archives