Educause Security Discussion mailing list archives

Re: Urgent: Welchi/Nachi worm and ICMP


From: Scott Weeks <sweeks () SANDIEGO EDU>
Date: Tue, 19 Aug 2003 15:42:07 -0700

Could you tell us where you got the "packet size of 92 bytes" information
from?

Thanks,
scott



On Tue, 19 Aug 2003, Doug Pearson wrote:

:  Reports have come in that blocking all ICMP breaks Microsoft ADS.
:  Anyone contemplating applying ICMP filters should take that into
:  consideration. Blocking ICMP requests with a packet size of 92 bytes
:  effectively blocks the Welchia/Nachi, and lets ADS live.
:
:  Doug Pearson
:
:
:  >Several universities have reported that the Welchia, aka Nachi[1], worm is
:  >generating very significant ICMP echo request traffic on internal and external
:  >networks. Reports of serious network degradation due to the levels of ICMP
:  >traffic have been received. Some universities report taking temporary measures
:  >to block all internal, outbound, and inbound ICMP.
:  >
:  >[1] http://isc.sans.org/diary.html?date=2003-08-18
:  >
:  >Doug Pearson
:  >REN-ISAC, Acting Director
:  >Indiana University
:  >ren-isac () iu edu
:
:  **********
:  Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
:
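
Added example, not part of the original thread or written by either poster: a sketch of the size-based filter decision discussed above, which drops only ICMP echo requests of the stated size and passes all other ICMP. It assumes "packet size of 92 bytes" means the IPv4 total length (the thread does not say which length is meant); the function names and sample packets are constructed for illustration.

```python
import struct

FILTERED_TOTAL_LEN = 92   # assumption: "92 bytes" is the IPv4 total-length field
ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8

def build_icmp_packet(icmp_type, payload_len, ihl_words=5):
    """Build a constructed IPv4+ICMP sample packet (checksums left at zero)."""
    options = b"\x00" * ((ihl_words - 5) * 4)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * payload_len
    total = ihl_words * 4 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0,
                     128, ICMP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + options + icmp

def verdict(packet):
    """Return 'drop' for ICMP echo requests of the filtered size, else 'pass'."""
    if len(packet) < 20:
        return "pass"                      # not a complete IPv4 header
    ver_ihl, _tos, total_len = struct.unpack("!BBH", packet[:4])
    ihl = (ver_ihl & 0x0F) * 4             # header length varies with IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) <= ihl:
        return "pass"
    if packet[9] != ICMP_PROTO:
        return "pass"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "pass"                      # later fragment: no ICMP header here
    # Match on both ICMP type and size so replies and errors still flow.
    if packet[ihl] == ICMP_ECHO_REQUEST and total_len == FILTERED_TOTAL_LEN:
        return "drop"
    return "pass"

def classify_samples():
    """Run the filter over constructed packets and return each verdict."""
    samples = {
        "echo_request_92": build_icmp_packet(8, 64),      # 20 + 8 + 64 = 92
        "echo_reply_92": build_icmp_packet(0, 64),        # same size, a reply
        "echo_request_60": build_icmp_packet(8, 32),      # 20 + 8 + 32 = 60
        "dest_unreachable": build_icmp_packet(3, 28),     # ICMP error message
        "echo_request_92_opts": build_icmp_packet(8, 60, ihl_words=6),
    }
    return {name: verdict(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:22s} {result}")
```

A filter that matched on the byte count alone would also drop the 92-byte echo reply above; checking the ICMP type is what keeps the rest of ICMP working.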
