One reason why ICMP may be capped or expedited is to limit the ability of worms to spread via ICMP.

==Worms spreading via ICMP==

For instance, the well-known malware W32/Welchia.worm could cause increased ICMP traffic (1).

A worm-infected host sends ICMP echo requests to look for potential victim hosts. The worm generates the IP addresses of these potential victims randomly. Sometimes the attacker sends a large number of ICMP echo requests to IP broadcast addresses. In this way, worms use ICMP traffic to discover potential victim hosts on the network.

The recent W32/Nachi and W32/Welchia worms use ICMP to hit the network. The ICMP echo messages they generate add unexpected traffic, which introduces unnecessary delay for users.

For example, the Welchia worm makes ICMP echo requests or receives replies. It checks for active machines to infect by sending an ICMP echo request, or PING, which results in increased ICMP traffic.
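The discovery behaviour described above (one host sending echo requests to many randomly chosen addresses, or to a broadcast address) can be spotted in flow records. The following is an added example, not part of the original page; the record layout, the local network, the window and the threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ECHO_REQUEST = 8  # ICMP type 8 = echo request, type 0 = echo reply

# Constructed sample records: (timestamp_seconds, src_ip, dst_ip, icmp_type).
# 10.0.0.23 pings 60 different addresses in about 3 seconds (sweep-like).
SAMPLE = [(i * 0.05, "10.0.0.23", f"172.16.{i}.{(i * 7) % 250 + 1}", 8)
          for i in range(60)]
SAMPLE += [
    (0.5, "10.0.0.5", "10.0.0.1", 8),     # ordinary ping to a gateway
    (1.5, "10.0.0.5", "10.0.0.1", 8),
    (0.6, "10.0.0.1", "10.0.0.5", 0),     # echo reply, not counted
    (2.0, "10.0.0.40", "10.0.0.255", 8),  # echo request to subnet broadcast
]

def find_icmp_sweepers(records, local_net="10.0.0.0/24",
                       window=10.0, max_targets=20):
    """Return {source_ip: reason} for hosts whose echo requests look like
    host discovery: broadcast pings, or more than max_targets distinct
    destinations within a sliding window of `window` seconds."""
    broadcasts = {ip_network(local_net).broadcast_address,
                  ip_address("255.255.255.255")}
    recent = defaultdict(list)  # src -> [(ts, dst)] inside the window
    flagged = {}
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type != ECHO_REQUEST:
            continue
        if ip_address(dst) in broadcasts:
            flagged.setdefault(src, "echo request to broadcast address")
            continue
        seen = recent[src]
        seen.append((ts, dst))
        while seen[0][0] < ts - window:  # expire entries older than window
            seen.pop(0)
        if len({d for _, d in seen}) > max_targets:
            flagged.setdefault(
                src, f"more than {max_targets} distinct targets in {window:g}s")
    return flagged

if __name__ == "__main__":
    for host, reason in find_icmp_sweepers(SAMPLE).items():
        print(host, "->", reason)
```

Counting distinct destinations rather than raw packet volume keeps a host that pings one gateway repeatedly from being flagged.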



