[nsp] Nachi WORM & ICMP floods of ICMP packets ..

Matt Ploessel matt.ploessel at foundstone.com
Thu Sep 4 11:55:09 EDT 2003


Brian,

From what I have seen, networks blocked ICMP with standard ACLs during
the major outbreak, then used Snort's portscan detection feature and the
specific ICMP Ping CyberKit 2.2 signature (the Nachi ping is the same) to
identify compromised hosts. After the number of compromised hosts / worm
traffic decreases to a level which won't impact the network
infrastructure, the major ICMP ACLs are removed one by one while
watching for IDS alerts. After the boom, compromised traffic with a
local source is identified and the NOC is alerted on a case by case
basis. Active network protection has been based on filtering unwanted
traffic at network borders with policy route maps, which have issues.
A more creative method to deal with ICMP traffic filtering is with an
ICMP filtering proxy of some sort.

I saw one network using a blanket policy route map to send all ICMP
traffic over a GRE tunnel to a separate router that performs the
filtering of the unwanted ICMP traffic and then sends the approved ICMP
packets back over the GRE tunnel to the border router. End users may
notice a weird traceroute hop if you don't filter, but it does the job
fine and augments the Cisco dCEF bug with 96-byte ICMP route maps while
filtering only unwanted ICMP vs. all.

The side benefit of using a separate router to do the ICMP filtering, of
course, is that if the router dies for whatever reason it only affects ICMP
traffic instead of all your border transit and routing sessions, etc.
(For those who flapped your routing sessions several times due to
troubleshooting ICMP route-map problems at your borders, please raise
your hand, or check the BGP table archives :P )

...

Matt Ploessel
Network Security Engineer
Foundstone, Inc.
Strategic Security

949.297.5622 Tel 
949.297.5575 Fax 
[-8 GMT]

http://www.foundstone.com
PGP: https://www.foundstone.com/pgpkeys/matt_ploessel.asc
PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914


> -----Original Message-----
> From: Brian R. Watters [mailto:brwatters at abs-internet.com] 
> Sent: Wednesday, September 03, 2003 4:41 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Nachi WORM & ICMP floods of ICMP packets ..
> Importance: High
> 
> 
> Hello All,
> 
> What is everyone out there doing for the effects of the Nachi WORM?? ..
> We have many many clients that are infected as well as of course getting
> HIT from the world with these floods of ICMP pings .. Attempting to drop
> these packets via a policy route map kills the CPU on the router (7206VXR
> NPE-300 with full Memory) and of course using an ACL to drop ICMP kills
> our ability to PING as well as our many clients who have IT staff OFFNET
> to look into their networks via PING .. It also kills our internal
> monitors of our clients .. Anyone have any ideas? .. We can't be the only
> folks getting this ..
> 
> 
> Brian
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
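The two things the thread turns on are identifying infected hosts by the Nachi ping signature (the same 0xAA-filled echo data that the Snort "ICMP PING CyberKit 2.2" rule matches on) and then dropping only those pings so that legitimate monitoring and client pings keep working, instead of a blanket ICMP ACL. The following is an added example, not code from the thread or from Cisco or Snort: a small Python packet parser that validates the IP and ICMP checksums, classifies echo requests by that signature, and applies the "drop only the worm pings" policy. The sample packets are constructed in the code rather than captured, and the 64 x 0xAA payload giving a 92-byte IP packet is taken as the Welchia/Nachi ping; the function and label names are this example's own.

```python
"""Selective ICMP filter for Nachi/Welchia echo requests over raw IPv4 packets.

Added example, not from the cisco-nsp thread. All packets below are built in
code (constructed, not captured). Assumptions: the worm ping carries 64 bytes
of 0xAA echo data (92-byte IP packet), and the Snort CyberKit 2.2 rule matches
on 16 leading 0xAA bytes of echo data in an ICMP type 8 packet.
"""
import struct
from typing import Optional

CYBERKIT_CONTENT = b"\xaa" * 16   # content the Snort CyberKit 2.2 rule looks for (itype 8)
NACHI_PAYLOAD = b"\xaa" * 64      # Welchia echo data: 20 IP + 8 ICMP + 64 = 92 bytes


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that already carries a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip4(src), _ip4(dst))
    csum = ones_complement_sum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_echo(src: str, dst: str, payload: bytes, icmp_type: int = 8,
               ident: int = 0x0200, seq: int = 1) -> bytes:
    """IPv4 + ICMP echo request (type 8) or echo reply (type 0)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = ones_complement_sum(hdr + payload)
    return build_ipv4(src, dst, 1, hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload)


def parse_icmp(packet: bytes) -> Optional[dict]:
    """Return the ICMP fields of an IPv4 packet, or None if it is not valid ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or total_len > len(packet) or total_len < ihl + 8:
        return None
    if ones_complement_sum(packet[:ihl]) != 0:      # bad IP header checksum
        return None
    icmp = packet[ihl:total_len]
    if ones_complement_sum(icmp) != 0:              # bad ICMP checksum
        return None
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "ip_len": total_len,
        "type": icmp[0],
        "data": icmp[8:],
    }


def classify(packet: bytes) -> str:
    """'nachi' for echo requests matching the CyberKit/Nachi signature,
    'echo-request' for other pings, 'icmp-other' for other ICMP types,
    'not-icmp' for anything that is not valid ICMP."""
    p = parse_icmp(packet)
    if p is None:
        return "not-icmp"
    if p["type"] != 8:
        return "icmp-other"
    if p["data"][:16] == CYBERKIT_CONTENT:
        return "nachi"
    return "echo-request"


def filter_icmp(packets):
    """Policy from the thread: drop only the worm pings, pass everything else.
    Returns (passed_packets, source_addresses_of_dropped_packets)."""
    passed, dropped = [], []
    for pkt in packets:
        if classify(pkt) == "nachi":
            dropped.append(parse_icmp(pkt)["src"])
        else:
            passed.append(pkt)
    return passed, dropped


# Constructed sample traffic: one infected host scanning, two legitimate pings,
# one echo reply and one TCP packet.
SAMPLE = [
    build_echo("10.0.0.5", "10.0.1.7", NACHI_PAYLOAD),                          # worm scan
    build_echo("10.0.0.5", "10.0.1.8", NACHI_PAYLOAD),                          # worm scan
    build_echo("192.0.2.10", "10.0.1.7", b"abcdefghijklmnopqrstuvwabcdefghi"),  # Windows ping
    build_echo("192.0.2.11", "10.0.1.7", bytes(range(56))),                     # Unix ping
    build_echo("10.0.1.7", "192.0.2.10", b"abcdefghijklmnopqrstuvwabcdefghi", icmp_type=0),
    build_ipv4("192.0.2.12", "10.0.1.7", 6, b"\x00" * 20),                      # TCP, not ICMP
]

if __name__ == "__main__":
    passed, dropped = filter_icmp(SAMPLE)
    print("passed", len(passed), "dropped from", sorted(set(dropped)))
```

The source addresses collected from dropped packets are the per-host list a NOC would act on case by case, while the Windows and Unix pings and the echo reply pass untouched, which is the property a plain "deny icmp" ACL cannot give. A packet whose ICMP checksum fails is not classified at all, so a damaged worm packet cannot be mistaken for a legitimate ping or vice versa.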


