Educause Security Discussion mailing list archives
Urgent: Welchi/Nachi worm and ICMP
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Tue, 19 Aug 2003 17:22:45 -0500
Reports have come in that blocking all ICMP breaks Microsoft ADS. Anyone contemplating applying ICMP filters should take that into consideration. Blocking ICMP requests with a packet size of 92 bytes effectively blocks the Welchia/Nacho, and lets ADS live. Doug Pearson
Several universities have reported that the Welchia, aka Nachi[1], worm is generating very significant ICMP echo request traffic on internal and external networks. Reports of serious network degradation due to the levels of ICMP traffic have been received. Some universities report taking temporary measures to block all internal, outbound, and inbound ICMP. [1] http://isc.sans.org/diary.html?date=2003-08-18 Doug Pearson REN-ISAC, Acting Director Indiana University ren-isac () iu edu
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Urgent: Welchi/Nachi worm and ICMP Doug Pearson (Aug 19)
- <Possible follow-ups>
- Urgent: Welchi/Nachi worm and ICMP Doug Pearson (Aug 19)
- Re: Urgent: Welchi/Nachi worm and ICMP Scott Weeks (Aug 19)
- Re: Urgent: Welchi/Nachi worm and ICMP Theresa M Rowe (Aug 19)
- Re: Urgent: Welchi/Nachi worm and ICMP Doug Pearson (Aug 20)