Educause Security Discussion mailing list archives
Policy Based Routing in IOS (was Re: Welchia/Nachi and ICMP on Abilene)
From: Brian Reilly <reillyb () GEORGETOWN EDU>
Date: Fri, 22 Aug 2003 15:54:12 -0400
If you've implemented the IOS Policy Based Routing recommendations in the Cisco notice to filter 92-byte ICMP echo request packets at your site, I'd appreciate it if you would drop me a note offline. --Brian ______________________________________________ Brian Reilly, CISSP University Network Security Officer Georgetown University, UIS <reillyb () georgetown edu> +1 202.687.2775 On Thu, 21 Aug 2003, REN-ISAC wrote:
ICMP traffic on Abilene is steadily and dramatically increasing. The aggregate of ICMP inbound on Abilene from all external connections is reaching 500K packets per second. The attached graph shows the rise in ICMP echo requests since Monday - when Welchia/Nachi hit the street. The increase most likely reflects growth of the Welchia/Nachi infection. If you haven't already implemented ICMP filtering at your borders, you might want to consider temporary filters until the infection is brought under control. Filters can be made specific to the 92-byte signature of Welchia/Nachi, rather than blocking all ICMP. Cisco has a good notice describing Nachi worm mitigation[1]. Also, if you haven't already implemented port 135 filters, you might consider that too. Blaster and Welchia/Nachi propagation can be mitigated by port 135 filters at network borders. Recommendations for filtering are included in the CERT W32/Blaster advisory[2]. Filters should be defined as input and output - to protect yourselves and to protect from infecting others. Regards, Doug Pearson REN-ISAC Director Indiana University ren-isac () iu edu [1] Cisco Security Notice: Nachi Worm Mitigation Recommendations http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml [2] CERT Advisory CA-2003-20 W32/Blaster worm http://www.cert.org/advisories/CA-2003-20.html -o0o- ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Policy Based Routing in IOS (was Re: Welchia/Nachi and ICMP on Abilene) Brian Reilly (Aug 22)