Re: ICMP on Abilene - Welchia/Nachi

[Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>]

I would like to send a heart-felt thanks to Doug et al. for this message.
I found the ACL "fixes" for these worms on Cisco's site, but one of my
border routers was running at 100% CPU (IP Input) UNTIL I used the info
contained in the link below.  THANK YOU.  Using policy based routing
dropped my CPU load from 100% to ~45%.  I still have some work to do, but
students are happily file-sharing and my phone isn't ringing off the wall.

I can't stress enough that policy routing these 92 byte packets into the
bit-bucket is a good idea.

PeteC

*************************************************************************
Peter Charbonneau                       Williams College
Sr. Network and Systems Administrator   Office for Information Technology
Jesup Hall Room 112                     22 Lab Campus Drive
(413) 597-3408 (Phone)                  Williamstown, MA 01267
(413) 597-4103 (Fax)                    Peter.Charbonneau () williams edu
*************************************************************************

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of REN-ISAC
Sent: Wednesday, August 27, 2003 6:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ICMP on Abilene - Welchia/Nachi


ICMP traffic on Abilene remains EXTRAORDINARILY high. The aggregate of ICMP
inbound on Abilene from all external connections regularly peaks at ~450k
packets per second. The attached graph dramatically illustrates the rise in
ICMP echo requests since a week ago Monday - when Welchia/Nachi hit the
street. The increase most likely reflects growth of the Welchia/Nachi
infection.

A byproduct of the worm scanning is that local-network routers are sending
lots of ARP requests, many for unused IP addresses. High levels of the ARP
activity has caused stability problems for some local-network routers.

If you haven't already implemented ICMP filtering at your borders, you might
want to consider temporary filters until the infection is brought under
control. Filters can be made specific to the 92-byte signature of
Welchia/Nachi, rather than blocking all ICMP. Cisco has a good notice
describing Nachi worm mitigation[1].

Also, if you haven't already implemented port 135 filters, you might
consider that too. Blaster and Welchia/Nachi propagation can be mitigated by
port 135 filters at network borders. Recommendations for filtering are
included in the CERT W32/Blaster advisory[2]. Filters should be defined as
input and output - to protect yourselves and to protect from infecting
others.

Regards,

Doug Pearson
REN-ISAC Director
Indiana University
ren-isac () iu edu

[1] Cisco Security Notice: Nachi Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

[2] CERT Advisory CA-2003-20 W32/Blaster worm
http://www.cert.org/advisories/CA-2003-20.html


-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.