
Nachi worm icmp echo request

nataraj_v
Level 1

Dear all,

We are getting a lot of alerts on Nachi worm ICMP echo request. The source IP addresses are outside valid IP addresses, and the destination IP address is our proxy server.

Does this mean any threat, or is it a false positive? Our proxy server is running on Win 2000.

Thanks in advance

Nataraj

3 Replies

gabelar
Level 1

Nataraj - the Nachi sig is looking for a payload of 0xaa in an ICMP packet. Personally, I wouldn't treat it as a false positive. Most ICMP packets don't have that payload unless it's Nachi. Also, it's suspicious to me that it's destined for your proxy, which is the address that internet users will see as a source on outbound web traffic. I would simply block ICMP messages on your perimeter; you shouldn't need ICMP traffic sourced from the outside to get to your proxy server. I would also consider getting an IPS device that can drop this type of traffic, such as an IPS 5.0 appliance or an ASA box with an SSM card. In addition, CSA on your proxy server would be an excellent idea.
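The check described in the reply above (an ICMP echo request carrying a 0xaa payload), as an added Python example that is not part of the original thread and is not Cisco's signature code. It assumes "payload of 0xaa" means every payload byte is 0xAA; the function names, the `MIN_PAYLOAD` threshold and the sample packets are constructed for illustration.

```python
import struct

FILL = 0xAA        # payload byte the reply says the Nachi signature looks for
MIN_PAYLOAD = 16   # assumption: skip tiny payloads that would match by chance

def is_nachi_style_echo(packet: bytes) -> bool:
    """True for an IPv4 ICMP echo request whose whole payload is 0xAA."""
    if len(packet) < 20:
        return False                       # too short for an IPv4 header
    ver_ihl, _, total_len, _, frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1:
        return False                       # not IPv4, bad header length, or not ICMP
    if frag & 0x1FFF:
        return False                       # later fragment: carries no ICMP header
    icmp = packet[ihl:min(total_len, len(packet))]   # drop link-layer padding
    if len(icmp) < 8:
        return False                       # truncated ICMP header
    payload = icmp[8:]
    return (icmp[0] == 8 and icmp[1] == 0  # type 8, code 0 = echo request
            and len(payload) >= MIN_PAYLOAD
            and payload.count(FILL) == len(payload))

def build_echo(payload: bytes, icmp_type: int = 8, options: bytes = b"") -> bytes:
    """Constructed IPv4+ICMP test packet (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                     20 + len(options) + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]),      # constructed source address
                     bytes([172, 16, 44, 12]))    # proxy address from the thread
    return ip + options + icmp

if __name__ == "__main__":
    samples = {
        "0xAA-filled echo request": build_echo(b"\xaa" * 64),
        "ordinary ping payload": build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
        "0xAA-filled echo reply": build_echo(b"\xaa" * 64, icmp_type=0),
        "0xAA echo with IP options": build_echo(b"\xaa" * 64, options=b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'ALERT' if is_nachi_style_echo(pkt) else 'ok'}")
```

The IP header length is read from the packet rather than assumed to be 20 bytes, so a packet with IP options is still parsed at the right offset.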

Dear Gabelar,

Thanks for the information. I am getting the alert from NIDS. Shall I block ICMP in the PIX firewall? Can you please guide me?

access-list outside deny tcp any host 172.16.44.12 eq icmp-echo

access-list outside deny tcp any host 172.16.44.12 eq icmp-echo-reply

Will it do?

Thanks

Nataraj

Yes, in general this should work, except I don't think this is a "tcp rule". I think it's the same syntax, but replace TCP with IP, i.e.:

access-list outside deny ip any host 172.16.44.12 eq icmp-echo

access-list outside deny ip any host 172.16.44.12 eq icmp-echo-reply
