Educause Security Discussion mailing list archives

Policy Based Routing in IOS (was Re: Welchia/Nachi and ICMP on Abilene)


From: Brian Reilly <reillyb () GEORGETOWN EDU>
Date: Fri, 22 Aug 2003 15:54:12 -0400

If you've implemented the IOS Policy Based Routing recommendations in the
Cisco notice to filter 92-byte ICMP echo request packets at your site, I'd
appreciate it if you would drop me a note offline.

--Brian

______________________________________________
Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb () georgetown edu>
+1 202.687.2775


On Thu, 21 Aug 2003, REN-ISAC wrote:

ICMP traffic on Abilene is steadily and dramatically increasing. The
aggregate of ICMP inbound on Abilene from all external connections is
reaching 500K packets per second. The attached graph shows the rise in
ICMP echo requests since Monday - when Welchia/Nachi hit the street.
The increase most likely reflects growth of the Welchia/Nachi
infection.

If you haven't already implemented ICMP filtering at your borders, you
might want to consider temporary filters until the infection is
brought under control. Filters can be made specific to the 92-byte
signature of Welchia/Nachi, rather than blocking all ICMP. Cisco has a
good notice describing Nachi worm mitigation[1].

Also, if you haven't already implemented port 135 filters, you might
consider that too. Blaster and Welchia/Nachi propagation can be
mitigated by port 135 filters at network borders. Recommendations for
filtering are included in the CERT W32/Blaster advisory[2]. Filters
should be defined as input and output - to protect yourselves and to
protect from infecting others.

Regards,

Doug Pearson
REN-ISAC Director
Indiana University
ren-isac () iu edu

[1] Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

[2] CERT Advisory CA-2003-20 W32/Blaster worm
http://www.cert.org/advisories/CA-2003-20.html


-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
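
Added example, not part of the original messages or of the Cisco notice: a length-specific check of the kind the REN-ISAC message describes, which flags only ICMP echo requests of the 92-byte size and leaves other ICMP alone. It assumes "92-byte" refers to the IPv4 total-length field; the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

WORM_IP_LENGTH = 92      # assumption: "92-byte" means the IPv4 total-length field
ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet: match, other-icmp, not-icmp or malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4                 # header length, options included
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    total_length, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != ICMP_PROTO:
        return "not-icmp"
    if flags_frag & 0x1FFF:                      # later fragment: no ICMP header here
        return "other-icmp"
    if len(packet) < ihl + 1:
        return "malformed"
    if packet[ihl] == ICMP_ECHO_REQUEST and total_length == WORM_IP_LENGTH:
        return "match"
    return "other-icmp"

def build_echo(payload_len: int, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed sample packet; checksums are left at zero and never checked."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ICMP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + bytes(payload_len)

def tally(packets) -> Counter:
    """Count classifications, e.g. to compare matches against all other ICMP."""
    return Counter(classify(p) for p in packets)

def sample_packets():
    """Constructed mix: two 92-byte echoes, other pings, a reply, TCP, a runt."""
    tcp = bytearray(build_echo(64)); tcp[9] = 6
    return [build_echo(64), build_echo(64), build_echo(32), build_echo(56),
            build_echo(64, icmp_type=0), bytes(tcp), b"\x45\x00"]

if __name__ == "__main__":
    print(dict(tally(sample_packets())))
```

A 64-byte payload gives 20 + 8 + 64 = 92 bytes, so ordinary pings with 32- or 56-byte payloads fall outside the match and keep working while the filter is in place.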

