Welchia/Nachi and ICMP on Abilene

[REN-ISAC <dodpears () INDIANA EDU>]

ICMP traffic on Abilene is steadily and dramatically increasing. The aggregate of ICMP inbound on Abilene from all 
external connections is reaching 500K packets per second. The attached graph shows the rise in ICMP echo requests since 
Monday - when Welchia/Nachi hit the street. The increase most likely reflects growth of the Welchia/Nachi infection.

If you haven't already implemented ICMP filtering at your borders, you might want to consider temporary filters until 
the infection is brought under control. Filters can be made specific to the 92-byte signature of Welchia/Nachi, rather 
than blocking all ICMP. Cisco has a good notice describing Nachi worm mitigation[1].

Also, if you haven't already implemented port 135 filters, you might consider that too. Blaster and Welchia/Nachi 
propagation can be mitigated by port 135 filters at network borders. Recommendations for filtering are included in the 
CERT W32/Blaster advisory[2]. Filters should be defined as input and output - to protect yourselves and to protect from 
infecting others.

Regards,

Doug Pearson
REN-ISAC Director
Indiana University
ren-isac () iu edu

[1] Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

[2] CERT Advisory CA-2003-20 W32/Blaster worm
http://www.cert.org/advisories/CA-2003-20.html


-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: abilene_aggregate_icmp_030822_0200.pdf
Description: