Educause Security Discussion mailing list archives
Re: ICMP on Abilene - Welchia/Nachi
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Wed, 27 Aug 2003 21:42:45 -0400
I would like to send a heart-felt thanks to Doug et al. for this message. I found the ACL "fixes" for these worms on Cisco's site, but one of my border routers was running at 100% CPU (IP Input) UNTIL I used the info contained in the link below. THANK YOU. Using policy based routing dropped my CPU load from 100% to ~45%. I still have some work to do, but students are happily file-sharing and my phone isn't ringing off the wall.

I can't stress enough that policy routing these 92 byte packets into the bit-bucket is a good idea.

PeteC

*************************************************************************
Peter Charbonneau                       Williams College
Sr. Network and Systems Administrator   Office for Information Technology
Jesup Hall Room 112                     22 Lab Campus Drive
(413) 597-3408 (Phone)                  Williamstown, MA 01267
(413) 597-4103 (Fax)
Peter.Charbonneau () williams edu
*************************************************************************

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of REN-ISAC
Sent: Wednesday, August 27, 2003 6:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ICMP on Abilene - Welchia/Nachi

ICMP traffic on Abilene remains EXTRAORDINARILY high. The aggregate of ICMP inbound on Abilene from all external connections regularly peaks at ~450k packets per second. The attached graph dramatically illustrates the rise in ICMP echo requests since a week ago Monday - when Welchia/Nachi hit the street. The increase most likely reflects growth of the Welchia/Nachi infection.

A byproduct of the worm scanning is that local-network routers are sending lots of ARP requests, many for unused IP addresses. High levels of ARP activity have caused stability problems for some local-network routers.

If you haven't already implemented ICMP filtering at your borders, you might want to consider temporary filters until the infection is brought under control. Filters can be made specific to the 92-byte signature of Welchia/Nachi, rather than blocking all ICMP. Cisco has a good notice describing Nachi worm mitigation[1].

Also, if you haven't already implemented port 135 filters, you might consider that too. Blaster and Welchia/Nachi propagation can be mitigated by port 135 filters at network borders. Recommendations for filtering are included in the CERT W32/Blaster advisory[2].

Filters should be defined as input and output - to protect yourselves and to protect from infecting others.

Regards,

Doug Pearson
REN-ISAC Director
Indiana University
ren-isac () iu edu

[1] Cisco Security Notice: Nachi Worm Mitigation Recommendations
    http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

[2] CERT Advisory CA-2003-20 W32/Blaster worm
    http://www.cert.org/advisories/CA-2003-20.html

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
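The two filters the REN-ISAC message recommends, written out as Cisco IOS configuration: a policy-routing rule that sends 92-byte ICMP echo requests to Null0 (the approach Peter describes), and a port 135 access list applied inbound and outbound. This is an added example for this archive page, not configuration taken from the thread, from Cisco's Nachi notice, or from the CERT advisory; the ACL numbers, the route-map name and the interface name are assumptions and must be adapted to the router in question.

```cisco
! Added example, not from the thread. ACL numbers, route-map name and
! the interface name are assumptions; adjust them for your own border router.
!
! --- 1. Policy-route Welchia/Nachi echo requests into the bit-bucket ---
! The worm's ICMP echo requests are 92 bytes long (IP total length,
! i.e. 20-byte IP header + 8-byte ICMP header + 64 bytes of payload).
! Matching on ICMP echo AND that exact length discards the worm's probes
! while ordinary pings of other sizes keep flowing.
access-list 199 permit icmp any any echo
!
route-map nachi-drop permit 10
 match ip address 199
 match length 92 92
 set interface Null0
! Packets that match no clause of the route-map are forwarded normally.
!
! Null0 would otherwise answer every discarded packet with an ICMP
! unreachable, which costs CPU and generates yet more ICMP.
interface Null0
 no ip unreachables
!
! PBR only examines packets arriving on the interface it is applied to,
! so put it on the interface where the worm traffic enters.
interface GigabitEthernet0/0
 description Border uplink (assumed name)
 ip policy route-map nachi-drop
!
! --- 2. Port 135 filter, defined as input AND output ---
! Blaster and Welchia/Nachi propagate over RPC DCOM on 135/tcp; the CERT
! advisory also lists 135/udp. Everything else is still permitted here;
! merge these lines into whatever border ACL you already run.
access-list 110 deny   tcp any any eq 135
access-list 110 deny   udp any any eq 135
access-list 110 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 110 in
 ip access-group 110 out
```

Two checks worth making after applying this: `show route-map nachi-drop` reports the number of policy-routed packets and bytes, so its counters should climb quickly while the infection is active, and `show processes cpu` should show the IP Input process easing off. One caveat on the CPU point: on older IOS releases policy routing is process-switched unless fast-switched policy routing is enabled with `ip route-cache policy` on the interface (on CEF-switched platforms PBR is handled in the CEF path), so if the route-map does not reduce load, that is the first thing to verify. If echo replies from live hosts answering the worm are also a problem, a second line `access-list 199 permit icmp any any echo-reply` extends the same route-map to them.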
Current thread:
- ICMP on Abilene - Welchia/Nachi REN-ISAC (Aug 27)
- <Possible follow-ups>
- Re: ICMP on Abilene - Welchia/Nachi Peter Charbonneau (Aug 27)