Blocking Nachi/Welchia Worm ICMP Scans

The recent W32/Nachi and W32/Welchia worms perform ICMP scanning in an attempt to identify systems for exploitation. Depending on the number of infected hosts on the network, the ICMP scanning can result in an unwanted increase in traffic. These scans could generate enough traffic to create delays on the upstream link(s) and disrupt users. Infected machines scanning your network(s) may increase the amount of ARP traffic generated on the local LAN. More information about these worms and their effects can be found at CERT's website.

Blocking the ICMP Scans

The ICMP scan is a 92-byte ICMP echo-request. It can be blocked using the following iptables firewall rule:
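
An added illustration, not part of the original page and not the iptables rule it refers to: a Python check for the signature described above (a 92-byte ICMP echo-request), run over constructed packets. It assumes that 92 is the IPv4 total length, header included; `is_scan_candidate`, `build_echo` and the sample addresses are hypothetical.

```python
import struct

SCAN_LENGTH = 92        # size stated on the page; assumed to be the IPv4 total length
ICMP_ECHO_REQUEST = 8   # ICMP type 8 = echo-request

def is_scan_candidate(packet: bytes) -> bool:
    """Return True if a raw IPv4 packet is a 92-byte ICMP echo-request."""
    if len(packet) < 20:
        return False                      # too short to hold an IPv4 header
    ver_ihl, _, total_len, _, frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4            # header length; more than 20 with IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1:
        return False                      # not IPv4, malformed header, or not ICMP
    if frag & 0x1FFF:
        return False                      # later fragments carry no ICMP header
    if total_len != SCAN_LENGTH or len(packet) < ihl + 1:
        return False
    return packet[ihl] == ICMP_ECHO_REQUEST

def build_echo(total_len: int, icmp_type: int = 8, options: bytes = b"") -> bytes:
    """Constructed sample packet (checksums left at zero, documentation addresses)."""
    ihl = 20 + len(options)               # options must be a multiple of 4 bytes
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, total_len, 0, 0,
                         128, 1, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    body = header + options + icmp
    return body + b"\x00" * (total_len - len(body))

# Constructed samples: one matching packet and three near misses or variants.
SAMPLES = {
    "92-byte echo-request": build_echo(92),
    "84-byte echo-request (default Linux ping)": build_echo(84),
    "92-byte echo-reply": build_echo(92, icmp_type=0),
    "92-byte echo-request with IP options": build_echo(92, options=b"\x01" * 4),
}

def classify_samples() -> dict:
    return {name: is_scan_candidate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{'DROP' if hit else 'pass'}  {name}")
```

A length-only match is coarse: any legitimate echo-request of the same size is flagged as well.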