Educause Security Discussion mailing list archives

Urgent: Welchia/Nachi worm and ICMP


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Tue, 19 Aug 2003 17:22:45 -0500

Reports have come in that blocking all ICMP breaks Microsoft ADS. Anyone contemplating applying ICMP filters should 
take that into consideration. Blocking ICMP requests with a packet size of 92 bytes effectively blocks the 
Welchia/Nachi, and lets ADS live.

Doug Pearson


Several universities have reported that the Welchia, aka Nachi[1], worm is
generating very significant ICMP echo request traffic on internal and external
networks. Reports of serious network degradation due to the levels of ICMP
traffic have been received. Some universities report taking temporary measures
to block all internal, outbound, and inbound ICMP.

[1] http://isc.sans.org/diary.html?date=2003-08-18

Doug Pearson
REN-ISAC, Acting Director
Indiana University
ren-isac () iu edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
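
The narrow filter described in the message, as an added example that is not part of the original post: a Python sketch that drops only ICMP echo requests of 92 bytes and passes all other ICMP traffic. It assumes "packet size" means the IPv4 total-length field; the function names and sample packets are constructed for illustration.

```python
import struct

ICMP_PROTO = 1
ECHO_REQUEST = 8
BLOCKED_LENGTH = 92  # assumption: "packet size" is the IPv4 total-length field


def make_packet(icmp_type, payload_len, ihl_words=5):
    """Build a constructed IPv4+ICMP packet (checksums zero; sample data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * payload_len
    total = ihl_words * 4 + len(icmp)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, 0, 64,
                         ICMP_PROTO, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + b"\x00" * ((ihl_words - 5) * 4) + icmp


def verdict(packet):
    """Return "drop" only for ICMP echo requests of the blocked size, else "pass"."""
    if len(packet) < 20:
        return "pass"  # too short to parse; this narrow filter leaves it alone
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4  # header length varies when IP options are present
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) <= ihl:
        return "pass"
    if proto != ICMP_PROTO or frag & 0x1FFF:
        return "pass"  # not ICMP, or a later fragment with no ICMP header
    if packet[ihl] == ECHO_REQUEST and total_len == BLOCKED_LENGTH:
        return "drop"
    return "pass"


# Constructed sample traffic: label -> packet
SAMPLES = {
    "echo request, 92 bytes": make_packet(8, 64),
    "echo request, 60 bytes": make_packet(8, 32),
    "echo reply, 92 bytes": make_packet(0, 64),
    "dest unreachable, 92 bytes": make_packet(3, 64),
    "echo request, 92 bytes, IP options": make_packet(8, 60, ihl_words=6),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:38s} {verdict(pkt)}")
```

Only the two 92-byte echo requests are dropped; echo replies, destination-unreachable messages and echo requests of other sizes still pass.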
