Blocking Nachi/Welchia Worm ICMP Scans

The recent W32/Nachi and W32/Welchia worms perform ICMP scanning in an attempt to identify systems for exploitation. Depending on the number of hosts infected on the network, the ICMP scanning can result in an unwanted increase in traffic. These scans could generate enough traffic to create delay on the upstream link(s) and disrupt users. Infected machines scanning your network(s) may increase the amount of ICMP and ARP traffic generated on the local LAN, creating a Denial of Service (DoS) condition.

More information about these worms and their effects can be found at CERT's website. These rules are sensible for most networks. The configurations listed in this example may not match the ones suitable for use on your network. Any device names, IP addresses or ICMP limit settings are provided as examples only. You will need to change the commands in the example below to match the settings suitable for your network.

Blocking ICMP Scans

The ICMP scan is a 92-byte ICMP echo-request (the length match below compares against the total IP packet length, headers included). It can be blocked using the following iptables firewall rule:
# Drop all MSBlaster-type worms with ICMP scans of 92 bytes
iptables -A FORWARD -p icmp -m length --length 92 -j DROP
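To see exactly what the rule above matches, here is an added example (not part of the original ImageStream note) that builds a 92-byte IPv4/ICMP echo-request of the kind the note describes (20-byte IP header + 8-byte ICMP header + 64 data bytes), emulates the "-p icmp -m length --length 92" match against the IP total-length field, and shows that a default Linux ping (56 data bytes, 84 bytes total) and a default Windows ping (32 data bytes, 60 bytes total) are not caught by it. The addresses, identifier and payloads are constructed for the example.

```python
# Added example, not from the ImageStream note: construct a Nachi-style
# 92-byte echo request and emulate "iptables -p icmp -m length --length 92".
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, src="192.0.2.10", dst="192.0.2.20",
                       ident=0x1234, seq=1) -> bytes:
    """Return a raw IPv4 header followed by an ICMP echo request (constructed addresses)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_ICMP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def matches_length_rule(packet: bytes, length: int = 92) -> bool:
    """Emulate '-p icmp -m length --length 92': the packet must be IPv4, carry
    ICMP, and its total-length field (headers included) must equal 92."""
    if len(packet) < 20:
        return False
    version_ihl, _tos, total_len, _id, _frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    return (version_ihl >> 4) == 4 and proto == IPPROTO_ICMP and total_len == length


# Constructed samples. The worm probe is reported to fill its 64 data bytes
# with 0xAA; the length rule does not inspect the payload, only the size.
NACHI_STYLE = build_echo_request(b"\xaa" * 64)
LINUX_PING = build_echo_request(bytes(56))                       # ping default on Linux
WINDOWS_PING = build_echo_request(b"abcdefghijklmnopqrstuvwabcdefghi")  # 32 bytes, Windows default


def verdict(packet: bytes) -> str:
    """What the FORWARD rule would do with this packet."""
    return "DROP" if matches_length_rule(packet) else "pass"


if __name__ == "__main__":
    for name, pkt in [("nachi-style", NACHI_STYLE), ("linux ping", LINUX_PING),
                      ("windows ping", WINDOWS_PING)]:
        print(f"{name:13s} total length {len(pkt):3d} -> {verdict(pkt)}")
```

The practical caveat this makes visible: any ICMP packet whose IP total length is 92 bytes is dropped, so a legitimate "ping -s 64" from a Linux host (or any other ICMP type of that size) is blocked as well; narrow the rule with "--icmp-type echo-request" if that matters on your network.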

Limiting ICMP messages

It is also possible to limit the number and type of ICMP messages and packets passing through your network. Many types of ICMP traffic should never be accepted from most Internet sources. The rules below limit ICMP messages and set limits on the number of ICMP echo requests on a network. The device names used below are provided as examples only. You will need to change the device names to match those used with your network.
# Allow all "normal" ICMP traffic through the router
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT

# Limit inbound echo-requests to 10 per second, with a burst limit of 10, from the Internet gateway device
iptables -A FORWARD -i Serial0 -m limit --limit 10/s --limit-burst 10 -p icmp --icmp-type echo-request -j ACCEPT

# Limit outbound echo-requests to 5 per second, with a burst limit of 30, to the Internet gateway device
iptables -A FORWARD -o Serial0 -m limit --limit 5/s --limit-burst 30 -p icmp --icmp-type echo-request -j ACCEPT

# Drop all remaining ICMP traffic, including echo-requests over the limits specified above
iptables -A FORWARD -p icmp -j DROP
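The following added example (not from the ImageStream note) models how the rule order above behaves: the "-m limit" match is a token bucket that starts with "--limit-burst" tokens and is refilled at "--limit" per second, a packet matches only while a token is available, and anything the limited ACCEPT rule does not take falls through to the final DROP. The traffic is constructed inline so a scanning host can be compared with a host pinging normally; the numbers assume the inbound rule's 10/s and burst 10.

```python
# Added example, not from the ImageStream note: token-bucket model of the
# "-m limit --limit 10/s --limit-burst 10" match and of the FORWARD rule order
# (accept listed ICMP types, rate-limit echo-request, drop the rest).
from fractions import Fraction

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH = 0, 3, 4
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12
# ICMP types the note accepts unconditionally.
ALWAYS_ACCEPTED = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM, ECHO_REPLY}


class LimitMatch:
    """Token bucket with the semantics documented for the iptables limit match.
    Fractions keep the arithmetic exact so the simulation is reproducible."""

    def __init__(self, rate_per_second, burst):
        self.rate = Fraction(rate_per_second)
        self.burst = Fraction(burst)
        self.tokens = self.burst          # the bucket starts full
        self.last = Fraction(0)

    def matches(self, now) -> bool:
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IcmpForwardChain:
    """The three-step ICMP policy from the note, evaluated top to bottom."""

    def __init__(self, rate=10, burst=10):
        self.echo_limit = LimitMatch(rate, burst)

    def verdict(self, icmp_type, now) -> str:
        if icmp_type in ALWAYS_ACCEPTED:
            return "ACCEPT"
        if icmp_type == ECHO_REQUEST and self.echo_limit.matches(now):
            return "ACCEPT"
        return "DROP"              # final "-p icmp -j DROP" rule


def run(chain, arrivals):
    """arrivals: time-ordered (seconds, icmp_type) pairs; returns verdict counts."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for t, icmp_type in arrivals:
        counts[chain.verdict(icmp_type, t)] += 1
    return counts


# Constructed traffic: a scanner sending 100 echo-requests in one second
# (one every 10 ms) and a host pinging once per second for 30 seconds.
SCAN = [(Fraction(k, 100), ECHO_REQUEST) for k in range(100)]
NORMAL_PING = [(Fraction(k), ECHO_REQUEST) for k in range(30)]


def scan_result():
    return run(IcmpForwardChain(10, 10), SCAN)


def normal_result():
    return run(IcmpForwardChain(10, 10), NORMAL_PING)


if __name__ == "__main__":
    print("scanner :", scan_result())     # 10-token burst plus refills, rest dropped
    print("pinging :", normal_result())   # 1/s never exhausts the bucket
```

With these settings the scanner gets its initial burst and then roughly the configured 10 per second, so 19 of its 100 probes are forwarded and 81 hit the final DROP, while the host pinging once a second is never throttled. The limit is shared by all senders on the interface, so a heavy scan can also consume the tokens that legitimate echo-requests would have used.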

Blocking Common Worm Ports and Backdoors

Many common worms, such as W32.Novarg.A@mm, MSBlaster and other similar variants, use common port numbers which can easily be blocked. Blocking the ports below may not be appropriate for all networks. The device names used below are provided as examples only. You will need to change the device names to match those used with your network.
# Block common worm traffic coming in via external interfaces
iptables -A FORWARD -i Serial0 -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -i Serial0 -p udp --dport 135:139 -j DROP
iptables -A FORWARD -i Serial0 -p tcp --dport 444 -j DROP
iptables -A FORWARD -i Serial0 -p udp --dport 444 -j DROP
iptables -A FORWARD -i Serial0 -p udp --dport 995:999 -j DROP
iptables -A FORWARD -o Serial0 -p udp --dport 8998 -j REJECT

# Block access to backdoor on system infected by W32.Novarg.A@mm Worm
iptables -A FORWARD -p tcp --dport 3127:3149 -j REJECT
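Once the rules from all three sections are in place, the counters that "iptables -L FORWARD -v -n -x" prints are the quickest way to tell whether the worm traffic is actually being caught. The added example below (not from the ImageStream note) parses such a listing and reports which DROP/REJECT rules are seeing hits; the listing itself is constructed in the shape iptables prints (pkts, bytes, target, prot, opt, in, out, source, destination, then the match description; exact wording varies between iptables versions) and its numbers are invented for the example.

```python
# Added example, not from the ImageStream note: audit FORWARD rule counters
# to see which worm-blocking rules are firing. SAMPLE_LISTING is constructed.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 48211 packets, 31057212 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2048    188416 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            length 92
     311     26124 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0         0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
      57      5472 ACCEPT     icmp --  Serial0 *      0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 10/sec burst 10
     913     54780 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    1502     72096 DROP       tcp  --  Serial0 *      0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
      76      3648 DROP       tcp  --  Serial0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:444
      12       576 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:3127:3149 reject-with icmp-port-unreachable
"""


def parse_counters(listing: str):
    """Turn the -v -n -x listing into one dict per rule (header lines skipped)."""
    rules = []
    for line in listing.splitlines()[2:]:
        if not line.strip():
            continue
        parts = line.split(None, 9)       # the 10th field is the free-form match text
        if len(parts) < 9:
            continue
        rules.append({
            "pkts": int(parts[0]), "bytes": int(parts[1]), "target": parts[2],
            "prot": parts[3], "in": parts[5], "out": parts[6],
            "match": parts[9] if len(parts) > 9 else "",
        })
    return rules


def blocking_rules_with_hits(rules):
    """DROP/REJECT rules whose packet counter is non-zero."""
    return [r for r in rules if r["target"] in ("DROP", "REJECT") and r["pkts"] > 0]


def average_packet_size(rule) -> int:
    return rule["bytes"] // rule["pkts"] if rule["pkts"] else 0


def length92_rule_consistent(rules) -> bool:
    """The 'length 92' rule can only ever drop 92-byte packets, so its byte
    counter must be exactly 92 times its packet counter."""
    for r in rules:
        if r["match"].startswith("length 92"):
            return r["bytes"] == r["pkts"] * 92
    return False


def report(listing: str):
    rules = parse_counters(listing)
    lines = []
    for r in blocking_rules_with_hits(rules):
        desc = r["match"] or f"{r['prot']} (catch-all)"
        lines.append(f"{r['target']:6s} {r['pkts']:6d} pkts  avg {average_packet_size(r):3d} B  {desc}")
    lines.append("length-92 counters consistent: %s" % length92_rule_consistent(rules))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Two things worth reading off the report: the final "icmp -j DROP" counter includes both the unlisted ICMP types and the echo-requests that exceeded the limit (the limited ACCEPT rule only counts the packets it let through), and a DROP counter on TCP 135:139 with an average of around 48 bytes per packet is SYN-sized traffic, consistent with scanning rather than established sessions.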