Educause Security Discussion mailing list archives
Welchia/Nachi and ICMP on Abilene
From: REN-ISAC <dodpears () INDIANA EDU>
Date: Thu, 21 Aug 2003 21:29:23 -0500
ICMP traffic on Abilene is steadily and dramatically increasing. The aggregate of ICMP inbound on Abilene from all external connections is reaching 500K packets per second. The attached graph shows the rise in ICMP echo requests since Monday - when Welchia/Nachi hit the street. The increase most likely reflects growth of the Welchia/Nachi infection.

If you haven't already implemented ICMP filtering at your borders, you might want to consider temporary filters until the infection is brought under control. Filters can be made specific to the 92-byte signature of Welchia/Nachi, rather than blocking all ICMP. Cisco has a good notice describing Nachi worm mitigation[1].

Also, if you haven't already implemented port 135 filters, you might consider that too. Blaster and Welchia/Nachi propagation can be mitigated by port 135 filters at network borders. Recommendations for filtering are included in the CERT W32/Blaster advisory[2].

Filters should be defined as input and output - to protect yourselves and to protect from infecting others.

Regards,

Doug Pearson
REN-ISAC Director
Indiana University
ren-isac () iu edu

[1] Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

[2] CERT Advisory CA-2003-20 W32/Blaster worm
http://www.cert.org/advisories/CA-2003-20.html

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Attachment:
abilene_aggregate_icmp_030822_0200.pdf
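
The following Python code is an added example, not part of the original message or of the Cisco or CERT guidance it cites. It classifies raw IPv4 packets against the two border-filter criteria the message names: ICMP echo requests matching the 92-byte signature, and traffic to port 135. It assumes the 92 bytes are the IPv4 total length and that port 135 is matched as a TCP or UDP destination port; all function names and sample packets are constructed for illustration.

```python
import struct

NACHI_IP_LENGTH = 92  # assumption: the 92-byte signature is the IPv4 total length
RPC_PORT = 135        # port named in the message; TCP/UDP destination match is an assumption

def classify(packet: bytes) -> str:
    """Return 'nachi-icmp', 'port-135' or 'pass' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass"                                  # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 4:
        return "pass"                                  # no transport header to inspect
    proto, l4 = packet[9], packet[ihl:]
    if proto == 1 and l4[0] == 8 and total_len == NACHI_IP_LENGTH:
        return "nachi-icmp"                            # ICMP type 8 = echo request
    if proto in (6, 17) and struct.unpack("!H", l4[2:4])[0] == RPC_PORT:
        return "port-135"                              # TCP or UDP destination port
    return "pass"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def icmp(icmp_type: int, data_len: int) -> bytes:
    """Constructed ICMP message: 8-byte header plus zero-filled data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * data_len

def tcp_syn(dport: int) -> bytes:
    """Constructed 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def tally(packets):
    """Count how many packets fall into each filter category."""
    counts = {"nachi-icmp": 0, "port-135": 0, "pass": 0}
    for p in packets:
        counts[classify(p)] += 1
    return counts

SAMPLES = [                       # constructed packets, not captured traffic
    build_ipv4(1, icmp(8, 64)),   # 20 + 8 + 64 = 92-byte echo request
    build_ipv4(1, icmp(8, 56)),   # 84-byte echo request, different size
    build_ipv4(6, tcp_syn(135)),  # TCP to port 135
    build_ipv4(6, tcp_syn(80)),   # TCP to another port
]

if __name__ == "__main__":
    print(tally(SAMPLES))
```

Because the match is on the packet alone, the same classification applies to traffic in either direction, consistent with the message's advice to filter both input and output.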