Educause Security Discussion mailing list archives

ICMP on Abilene - Welchia/Nachi


From: REN-ISAC <dodpears () INDIANA EDU>
Date: Wed, 27 Aug 2003 17:28:49 -0500

ICMP traffic on Abilene remains EXTRAORDINARILY high. The aggregate of ICMP inbound on Abilene from all external 
connections regularly peaks at ~450k packets per second. The attached graph dramatically illustrates the rise in ICMP 
echo requests since a week ago Monday - when Welchia/Nachi hit the street. The increase most likely reflects growth of 
the Welchia/Nachi infection.

A byproduct of the worm scanning is that local-network routers are sending lots of ARP requests, many for unused IP 
addresses. High levels of ARP activity have caused stability problems for some local-network routers.

If you haven't already implemented ICMP filtering at your borders, you might want to consider temporary filters until 
the infection is brought under control. Filters can be made specific to the 92-byte signature of Welchia/Nachi, rather 
than blocking all ICMP. Cisco has a good notice describing Nachi worm mitigation[1].

Also, if you haven't already implemented port 135 filters, you might consider that too. Blaster and Welchia/Nachi 
propagation can be mitigated by port 135 filters at network borders. Recommendations for filtering are included in the 
CERT W32/Blaster advisory[2]. Filters should be defined as input and output - to protect yourselves and to protect from 
infecting others.

Regards,

Doug Pearson
REN-ISAC Director
Indiana University
ren-isac () iu edu

[1] Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

[2] CERT Advisory CA-2003-20 W32/Blaster worm
http://www.cert.org/advisories/CA-2003-20.html
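The two indicators the post asks border operators to act on are 92-byte ICMP echo requests and inbound/outbound probes to TCP port 135. The following is an added example (not part of the original post, and not REN-ISAC, Cisco or CERT code) showing how a site could confirm which of its own hosts are generating that traffic before or alongside deploying border filters. It assumes a constructed one-record-per-line flow format (`epoch_seconds src dst proto detail`), which stands in for whatever NetFlow or pcap summary a site actually has; the record format, the `SCAN_THRESHOLD` value and the sample addresses are all assumptions made for this example.

```python
"""Flag hosts emitting Welchia/Nachi-style traffic from constructed flow records.

Added example, not code from the original REN-ISAC post. It assumes a simple
constructed line format:
    epoch_seconds src_ip dst_ip proto detail
where detail is "echo-request len=<bytes>" for ICMP and
"dport=<port> flags=<tcp-flags>" for TCP.
"""
from collections import defaultdict
import re

WELCHIA_ICMP_LEN = 92   # total IP datagram length named in the post as the worm's signature
RPC_PORT = 135          # TCP port used for Blaster/Welchia propagation
SCAN_THRESHOLD = 20     # distinct destinations per source per window before flagging (assumed)
WINDOW_SECONDS = 60     # bucket width for the per-source destination count (assumed)

ICMP_RE = re.compile(r"echo-request len=(\d+)")
TCP_RE = re.compile(r"dport=(\d+) flags=(\S+)")


def parse_record(line):
    """Parse one constructed flow line into a dict; unknown protocols are kept as-is."""
    ts, src, dst, proto, detail = line.split(maxsplit=4)
    rec = {"ts": int(ts), "src": src, "dst": dst, "proto": proto.lower()}
    if rec["proto"] == "icmp":
        m = ICMP_RE.search(detail)
        rec["echo_request"] = m is not None
        rec["length"] = int(m.group(1)) if m else None
    elif rec["proto"] == "tcp":
        m = TCP_RE.search(detail)
        rec["dport"] = int(m.group(1)) if m else None
        rec["flags"] = m.group(2) if m else ""
    return rec


def is_welchia_echo(rec):
    """True for an ICMP echo request whose total length is the 92-byte signature."""
    return (rec["proto"] == "icmp" and bool(rec.get("echo_request"))
            and rec.get("length") == WELCHIA_ICMP_LEN)


def is_port135_probe(rec):
    """True for a bare SYN to TCP/135, the propagation port the post recommends filtering."""
    return rec["proto"] == "tcp" and rec.get("dport") == RPC_PORT and rec.get("flags") == "S"


def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: {"icmp92": n, "tcp135": n}} for sources that reached `threshold`
    distinct destinations of either kind within a single time window."""
    buckets = defaultdict(set)   # (src, kind, window_index) -> destinations seen
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        if is_welchia_echo(rec):
            kind = "icmp92"
        elif is_port135_probe(rec):
            kind = "tcp135"
        else:
            continue   # normal pings, web traffic, etc. are ignored
        buckets[(rec["src"], kind, rec["ts"] // window)].add(rec["dst"])
    flagged = defaultdict(lambda: {"icmp92": 0, "tcp135": 0})
    for (src, kind, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            flagged[src][kind] = max(flagged[src][kind], len(dsts))
    return dict(flagged)


def sample_records():
    """Constructed sample: 10.1.2.3 sweeps 40 addresses with 92-byte echo requests and
    SYNs 25 of them on TCP/135; 10.1.2.4 sends ordinary 84-byte pings to one host;
    10.1.2.5 touches port 135 on only five hosts and stays below the threshold."""
    lines = []
    for i in range(1, 41):
        lines.append(f"{1200 + i} 10.1.2.3 192.0.2.{i} icmp echo-request len=92")
    for i in range(1, 26):
        lines.append(f"{1200 + i} 10.1.2.3 192.0.2.{i} tcp dport=135 flags=S")
    for i in range(10):
        lines.append(f"{1200 + i} 10.1.2.4 192.0.2.1 icmp echo-request len=84")
    for i in range(1, 6):
        lines.append(f"{1200 + i} 10.1.2.5 192.0.2.{i} tcp dport=135 flags=S")
    return lines


if __name__ == "__main__":
    for src, counts in find_scanners(sample_records()).items():
        print(f"{src}: {counts['icmp92']} hosts via 92-byte ICMP, {counts['tcp135']} via TCP/135")
```

Keying on the 92-byte total length (rather than on ICMP as a whole) mirrors the post's point that filters can be narrowed to the worm's signature, so ordinary 84-byte or 60-byte pings are not counted. The per-window distinct-destination count is what separates a scanning host from one that legitimately pings a few peers; tune `SCAN_THRESHOLD` to the site's normal behaviour.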



Attachment: abilene_aggregate_icmp-echo-request_030827_2200.pdf
