nanog mailing list archives

Re: Cisco IOS Failure due to Virus


From: "Stephen J. Wilcox" <steve () telecomplete co uk>
Date: Fri, 12 Sep 2003 13:56:55 +0100 (BST)



On Fri, 12 Sep 2003, Petri Helenius wrote:


Stephen J. Wilcox wrote:

Hi,
we've seen this.. you need to make sure you filter the nachi worm 92 byte icmp
echo's on your interfaces and it will be fine. The problem seems to be input
buffers which use all the memory up for some reason.
 

This sounds vaguely similar to the recent IOS buffers stuck issue.

No, it's quite different

1:
On the vuln. the buffer filled up and could not be emptied without a reboot

On nachi the buffer doesn't seem to fill and an acl or shutting the interface 
will solve the problem whilst the router stays up

2:
On the vuln. the outcome was that the particular interface stopped forwarding 
traffic

On nachi the router runs out of main memory and starts dropping processes
because of malloc failure


FYI I have only encountered the nachi problem on a few PE routers which were old 
and had little memory anyway, e.g. Cisco 2500.. presumably the buffer filling isn't 
a memory leak and providing there is enough spare memory the router won't be 
affected in this way.

Steve
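
The filter described in the message above, as an added example that is not part of the original post and is not router configuration: it shows which packets a match on 92-byte ICMP echoes would and would not catch. It assumes "92 byte" means the IPv4 total length and that only echo requests (type 8) are matched; `classify`, `ipv4`, `icmp` and all sample packets are constructed for illustration.

```python
import struct

WORM_IP_LEN = 92            # assumption: 92 = IPv4 total length (20 IP + 8 ICMP + 64 data)
ICMP, ECHO_REQUEST = 1, 8

def classify(packet: bytes) -> str:
    """Return 'drop' for a 92-byte ICMP echo request, 'forward' for anything else."""
    if len(packet) < 20:
        return "forward"                      # truncated: not enough for an IPv4 header
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4                # header length varies with IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) <= ihl:
        return "forward"
    if proto != ICMP or total_len != WORM_IP_LEN:
        return "forward"
    if flags_frag & 0x1FFF:                   # non-first fragment carries no ICMP header
        return "forward"
    return "drop" if packet[ihl] == ECHO_REQUEST else "forward"

def ipv4(proto: int, payload: bytes, options: bytes = b"", frag_offset: int = 0) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0, documentation addresses)."""
    ihl_words = (20 + len(options)) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         20 + len(options) + len(payload), 0, frag_offset, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + options + payload

def icmp(icmp_type: int, data_len: int) -> bytes:
    """Build a constructed ICMP echo message with data_len bytes of filler."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"A" * data_len

# Constructed sample traffic, not captured from a real network.
SAMPLES = {
    "92-byte echo request": ipv4(ICMP, icmp(8, 64)),
    "default 84-byte ping": ipv4(ICMP, icmp(8, 56)),
    "92-byte echo reply": ipv4(ICMP, icmp(0, 64)),
    "92-byte UDP": ipv4(17, b"\x00" * 72),
    "92-byte echo request with IP options": ipv4(ICMP, icmp(8, 60), options=b"\x01" * 4),
    "later fragment": ipv4(ICMP, b"\x08" * 72, frag_offset=8),
}

def verdicts() -> dict:
    """Classify every constructed sample packet."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:8} {name}")
```

An ordinary ping with the common 56-byte data size stays at 84 bytes and is forwarded, so a length-specific match leaves routine reachability checks alone.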

