[nsp] Nachi WORM & ICMP floods of ICMP packets ..

Brian R. Watters brwatters at abs-internet.com
Thu Sep 4 07:57:25 EDT 2003


 
Ralph,

That would be a great idea but from what we are seeing we are getting about
250k drops for every 15 min and out of those about 200 subnets which are
constantly changing .. These of course inbound via our public interfaces ..
We also note that RPC tcp 135 is getting very little in the way of hits now
.. Where we see the major issues is in the ICMP packets Type 8 ping packets
.. 

Brian 

-----Original Message-----
From: Ralph Doncaster [mailto:ralph at istop.com] 
Sent: Wednesday, September 03, 2003 7:28 PM
To: Brian R. Watters
Cc: cisco-nsp at puck.nether.net

access-list 123 deny   tcp any any eq 135 log-input

Then we track down the customers that are infected and get them to clean up
their machine.

-Ralph

On Wed, 3 Sep 2003, Brian R. Watters wrote:

> Hello All,
>
> What is everyone out there doing for the effects of the Nachi WORM?? 
> .. We have many many clients that are infected as well as of course 
> getting HIT from the world with these floods of ICMP pings .. 
> Attempting to drop these packets via a policy route map kills the CPU 
> on the router (7206VXF NPE-300 with full Memory) and of course using an 
> ACL to drop ICMP kills our ability to PING as well as our many clients 
> who have IT staff OFFNET to look into their networks via PING .. It 
> also kills our internal monitors of our clients .. Anyone have any 
> ideas? .. We can't be the only folks getting this ..
>
>
> Brian
>
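
Added example, not part of the thread or any poster's code: a Python tally of ACL `log-input` syslog lines per source and ingress interface, the data used to track down infected customers as described above. It assumes the usual IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` line layout and a hypothetical extra `deny icmp any any echo log-input` entry in list 123; the sample lines are constructed, and ranking by distinct targets is an added heuristic to separate sweeps from a technician pinging one host.

```python
import re
from collections import defaultdict

# Assumed IOS log layout for an ACL entry ending in log-input:
#   list <acl> denied <proto> <src>[(sport)] (<ingress-if> <mac>) -> <dst>(<dport>) or <dst> (<type>/<code>), N packets
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>tcp|icmp) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\(\d+\))? "
    r"(?:\((?P<intf>\S+) [0-9a-f.]+\) )?-> "
    r"(?P<dst>\d+(?:\.\d+){3})\s?\((?P<dinfo>[\d/]+)\), (?P<count>\d+) packet"
)

# Constructed sample lines (documentation addresses), not captured from a real router.
SAMPLE = [
    "Sep  4 07:41:02: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.0.2.10(4123) (FastEthernet1/0 0010.7bab.cd01) -> 198.51.100.7(135), 1 packet",
    "Sep  4 07:41:03: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.0.2.10 (FastEthernet1/0 0010.7bab.cd01) -> 198.51.100.8 (8/0), 4 packets",
    "Sep  4 07:41:03: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.0.2.10 (FastEthernet1/0 0010.7bab.cd01) -> 198.51.100.9 (8/0), 3 packets",
    "Sep  4 07:41:05: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.0.2.44 (FastEthernet2/0 0010.7bab.ee02) -> 203.0.113.5 (8/0), 2 packets",
    "Sep  4 07:41:06: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(1055) (FastEthernet2/0 0010.7bab.ee03) -> 198.51.100.7(135), 1 packet",
]

def tally_sources(lines, acl="123"):
    """Count tcp/135 and ICMP echo (type 8) denies per (source, ingress interface)."""
    hits = defaultdict(lambda: {"rpc135": 0, "echo": 0, "targets": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl:
            continue  # unparsable line or a different access list
        if m["proto"] == "tcp" and m["dinfo"] == "135":
            kind = "rpc135"
        elif m["proto"] == "icmp" and m["dinfo"].startswith("8/"):
            kind = "echo"
        else:
            continue  # other denied traffic is out of scope here
        rec = hits[(m["src"], m["intf"] or "unknown")]
        rec[kind] += int(m["count"])
        rec["targets"].add(m["dst"])
    return hits

def suspects(hits, min_targets=3):
    """Sources that hit at least min_targets distinct hosts, busiest first."""
    rows = [(src, intf, len(r["targets"]), r["rpc135"] + r["echo"])
            for (src, intf), r in hits.items() if len(r["targets"]) >= min_targets]
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for row in suspects(tally_sources(SAMPLE)):
        print("%s via %s: %d targets, %d packets" % row)
```
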