[c-nsp] Is Nachi Worm Mitigation Measure Still Necessary in Campus?

schilling schilling2006 at gmail.com
Wed May 27 10:31:19 EDT 2009

Hi All,

We have PBR which drops 92-byte ICMP echo/echo-reply applied on our
enterprise backbone (Catalyst 6500/Sup720-3BXL) links and all customer
access VLANs. There are several issues: ICMP echo/echo-reply are
punted to the CPU, it breaks Windows tracert/ping, and it's harder to
implement Control Plane Policing (CoPP) for the ICMP messages. Is it
still necessary to keep the PBR in place nowadays?

Cisco Security Notice: Nachi Worm Mitigation Recommendations

Policy Based Routing for Cisco IOS Software

The Nachi worm detects the availability of a node by sending ICMP type
8 (echo request) packets before trying to exploit the RPC
vulnerability. The size of the ICMP packet is 92 bytes including the
IP header.

This Policy Based Routing (PBR) configuration can be used to match and
drop the ICMP type 8 and type 0 packets that are 92 bytes long. The
ICMP type 8 packets generated by the ping utility on other operating
systems, such as Cisco IOS Software, Windows 2000, Linux, and Solaris,
have different packet sizes than 92 bytes. This configuration should
not filter the packets that are generated by the ping utility on those
operating systems.

Caution: Once applied, this configuration may cause all
packets to be process switched on hardware switching platforms, such
as the Catalyst 6500 series and Cisco 12000 GSR, or PBR may not be
supported on these platforms. This may significantly impact the
performance of those devices and it is therefore not recommended to
use this method on hardware switching platforms.

Caution: Enabling PBR may affect the performance of your
throughput. It is recommended to enable CEF for improved performance.
If CEF is not enabled on the router, it is recommended to have the ip
route-cache policy command on the interface. This increases the
performance of PBR.

Warning: Microsoft Windows tracert utility uses 92-byte sized
ICMP packets. Using PBR to filter those packets causes the tracert
utility not to work.
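As an added illustration (not part of the Cisco notice or of the original post), the Python below models the match the notice describes: an ACL permitting ICMP echo (type 8) and echo-reply (type 0), combined with a route-map `match length 92 92` on the Layer 3 (IP total) length, sending hits to Null0. It builds constructed IPv4+ICMP packets with the payload sizes of common tools and reports which ones the filter would drop. The page itself gives only the 92-byte figure for the worm probe and for Windows tracert; the default payload sizes assumed here for Windows ping (32 data bytes), Linux ping (56) and IOS ping (100-byte datagram) are common tool defaults, stated as assumptions, not facts taken from the page. The 10.0.0.x addresses are placeholders.

```python
# Added example, not from the Cisco notice or the original post.
# Models a PBR rule: ACL "permit icmp any any echo" / "echo-reply",
# route-map "match length 92 92" (Layer 3 length), "set interface Null0".
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IP_PROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Minimal IPv4 header (20 bytes, no options, header checksum left 0)
    followed by an ICMP echo/echo-reply header (8 bytes) and the payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # Placeholder addresses 10.0.0.1 -> 10.0.0.2 (assumption, not from the page).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IP_PROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def pbr_drops(packet: bytes) -> bool:
    """True if the modelled route-map would send this packet to Null0:
    protocol ICMP, type echo or echo-reply, IP total length exactly 92."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IP_PROTO_ICMP:
        return False                      # ACL only lists icmp
    icmp_type = packet[ihl]
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return False                      # only echo / echo-reply entries
    return total_len == 92                # match length 92 92


# Constructed payloads. Only the 92-byte cases come from the page; the
# other tool defaults are assumptions about common ping implementations.
SAMPLE_PAYLOADS = {
    "nachi-probe":     b"\xaa" * 64,     # 20 + 8 + 64 = 92 bytes
    "windows-tracert": b"\x00" * 64,     # also 92 bytes: collides with the filter
    "windows-ping":    b"abcdefghijklmnopqrstuvwabcdefghi",  # 32 data -> 60 bytes
    "linux-ping":      b"\x00" * 56,     # 56 data -> 84 bytes
    "ios-ping":        b"\xab\xcd" * 36, # 100-byte datagram -> 72 data bytes
}


def classify(payloads=SAMPLE_PAYLOADS) -> dict:
    """Return {name: (ip_total_length, dropped_by_pbr)} for echo requests."""
    result = {}
    for name, payload in payloads.items():
        pkt = build_icmp_echo(ICMP_ECHO_REQUEST, payload)
        result[name] = (len(pkt), pbr_drops(pkt))
    return result


if __name__ == "__main__":
    for name, (size, dropped) in classify().items():
        print(f"{name:16s} {size:4d} bytes  {'DROPPED' if dropped else 'forwarded'}")
```

The point the model makes explicit is that the rule keys on length alone, not on payload content, so any 92-byte echo or echo-reply, Windows tracert included, is indistinguishable from the worm probe at this layer; a 92-byte ICMP message of another type, or a non-ICMP packet of the same size, passes.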
