Geek Style

Babak Farrokhi’s e-presence

Archive for the ‘worm’ tag

Blocking Nachi using IPFW2


I am not a linux guru, but if you are using linux as your network border router, you can block Nachi worm using netfilter (explained here).
But if you are running FreeBSD as your gateway, you need IPFW2 (instead of the standard ipfw of the 4.x branch) to be able to filter 92-byte ICMP packets:

pilot:~# ipfw add 50 deny icmp from any to any iplen 92
00050 deny icmp from any to any iplen 92

and then check if it works fine:

pilot:~# ipfw show
00050     10      920 deny icmp from any to any iplen 92
00100 300093 64940563 allow ip from any to any
65535      0        0 deny ip from any to any

So we caught 10 packets (920 bytes in total) after a short while.

iplen is only supported in IPFW2, which is enabled by default in FreeBSD 5.x; you must enable it manually if you are using the 4.x series.

The ipfw man page explains the new enhancements in ipfw2 in detail and how to enable it in a 4.x kernel:

ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before a buildworld).

OpenBSD gurus may provide a solution to do the same using pf.

Written by Babak Farrokhi

September 5th, 2003 at 7:44 pm

Posted in Internet


Say goodbye to Nachi


Worms are the hot topic of the day. Blaster and Nachi are making trouble for ISPs as well as end users worldwide.
There are different ways to combat these worms. If you are a network administrator utilizing Cisco gear in your network, you can reduce the effect of these worms using some simple tricks. I have already posted an article on blocking the Blaster worm in a Cisco router.
But blocking Nachi is a little bit tricky, since it uses ICMP echo/echo-reply to map your network and propagate its code. This causes a heavy ICMP storm in your network (which you may have already noticed). The simplest way is to block all ICMP traffic, which is not a good solution and harms your customers (they won't be able to do ping measurements in that case).

Here is what I did to protect against Nachi (in a Cisco router):

Setup your NULL0 interface like this:

!
interface Null0
no ip unreachables
!

Then make an access-list that matches ICMP echo/reply packets:

!
ip access-list extended nachi-list
permit icmp any any echo
permit icmp any any echo-reply
!

Now the trick:

!
route-map nachi permit 10
match ip address nachi-list
match length 92 92
set interface Null0
!

Fortunately, Nachi uses fixed-size ICMP packets (92 bytes, including the IP header) as its reachability probe. The route-map above forwards all ICMP echo/echo-reply packets of exactly 92 bytes to the Null0 interface. Null0 does not return any unreachable message and simply drops the packet.

You should put this route-map on your network interface, like this (necessary parts listed only):

!
interface FastEthernet0/0
description Connected to Local Network
ip route-cache policy
ip policy route-map nachi
!

That “ip route-cache policy” line is very important: it tells the router to cache policy-routing decisions so that policy-routed packets are fast-switched, which reduces processor load (CEF won't help here).
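The following is an added example, not code from the original post, that models what the two filters on this page actually match. The Cisco route-map matches only echo/echo-reply of exactly 92 bytes (IP total length), while the ipfw rule from the IPFW2 post above matches any ICMP type of that length; the function below takes an echo_only flag to show both behaviours. The packets are constructed inline with zero checksums purely as test input, and the default payload sizes for Unix (56 bytes) and Windows (32 bytes) ping are assumed from their usual defaults.

```python
import struct

ICMP_PROTO = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
NACHI_IP_LEN = 92          # IP total length matched by "iplen 92" / "match length 92 92"


def build_ipv4_icmp(icmp_type, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4 + ICMP packet for the demo.

    Checksums are left as zero: this is constructed test input, not a packet
    meant to be sent. For echo/echo-reply the two 16-bit fields after the
    checksum are identifier and sequence number; for other types they are
    simply filler here.
    """
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0, src, dst)
    return ip_hdr + icmp


def parse_ipv4(pkt):
    """Return (total_len, proto, l4_bytes) from a raw IPv4 packet."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return total_len, proto, pkt[ihl:total_len]


def nachi_verdict(pkt, echo_only=True):
    """Apply the page's 92-byte ICMP filter to one packet.

    echo_only=True  mirrors the Cisco route-map (ACL nachi-list + match length 92 92):
                    only echo / echo-reply of exactly 92 bytes are dropped.
    echo_only=False mirrors "ipfw add 50 deny icmp from any to any iplen 92":
                    any ICMP type of exactly 92 bytes is dropped.
    Returns "drop" or "pass".
    """
    total_len, proto, l4 = parse_ipv4(pkt)
    if proto != ICMP_PROTO or total_len != NACHI_IP_LEN:
        return "pass"
    if not echo_only:
        return "drop"
    return "drop" if l4[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) else "pass"


def run_filter(packets, echo_only=True):
    """Count packets and bytes per verdict, the way "ipfw show" reports rule hits."""
    counters = {"drop": [0, 0], "pass": [0, 0]}
    for pkt in packets:
        verdict = nachi_verdict(pkt, echo_only)
        counters[verdict][0] += 1
        counters[verdict][1] += len(pkt)
    return counters


# Constructed sample traffic (payload contents are arbitrary filler).
SAMPLE_PACKETS = [
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\xaa" * 64),   # 92 bytes: Nachi-sized probe -> drop
    build_ipv4_icmp(ICMP_ECHO_REPLY, b"\xaa" * 64),     # 92 bytes: reply to it -> drop
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\x00" * 56),   # 84 bytes: default Unix ping -> pass
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\x00" * 32),   # 60 bytes: default Windows ping -> pass
    build_ipv4_icmp(3, b"\x00" * 64),                   # 92 bytes, type 3: route-map passes, ipfw rule drops
]

if __name__ == "__main__":
    for name, echo_only in (("route-map", True), ("ipfw iplen", False)):
        c = run_filter(SAMPLE_PACKETS, echo_only)
        print(f"{name:11s} drop={c['drop']} pass={c['pass']}")
```

The caveat this makes visible: the match is on size alone, so any legitimate echo of 64 payload bytes (20 + 8 + 64 = 92, e.g. a ping run with a 64-byte payload) is dropped too, and the broader ipfw rule also drops 92-byte ICMP messages of other types. That is the trade-off the author accepts in exchange for keeping ordinary ping working.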

This is the result after 5 minutes:

router#sh route-map nachi
route-map nachi, permit, sequence 10
Match clauses:
ip address (access-lists): nachi-list
length 92 92
Set clauses:
interface Null0
Policy routing matches: 190909 packets, 20236354 bytes

Congratulations! Your network is saved.

Written by Babak Farrokhi

August 31st, 2003 at 7:21 pm

Posted in Security / Privacy


Blaster’s blast


While the Blaster worm is discovering vulnerable Windows machines as fast as possible, I did what I had to do a very long time ago, and it was blocking NetBIOS at our network border:

edge#show access-list forbid
Extended IP access list forbid
deny tcp any any range 135 139 (8588631 matches)
deny udp any any range 135 netbios-ss (425993 matches)
deny tcp any any eq 4444 (45 matches)
deny udp any any eq tftp (4 matches)
permit ip any any (24505712 matches)

Oops! Too many NetBIOS requests for just two hours! And this is how we blocked all of Blaster's junk traffic in our network. A filter like the one shown above was applied at the borders, and that was it. In one case it dropped more than 6 Mbps on a single link. It's horrible.
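As an added example (not code from the original post), the following models the "forbid" access list above as a first-match rule set and runs constructed flow records through it. Besides reproducing the per-rule "(N matches)" counters, it counts denied flows per source address, which is the defender's next step: the match counters tell you the filter is working, the per-source counts tell you which internal hosts are infected and need cleaning. The flow record format ("proto src dst dport") is an assumption made for this example, and the port values for Cisco's netbios-ss (UDP 139) and tftp (UDP 69) keywords are taken from the standard service numbers.

```python
from collections import Counter

# First-match ACL transcribed from the router's "forbid" list on the page.
# Cisco's "netbios-ss" keyword is UDP port 139 and "tftp" is UDP port 69.
FORBID_ACL = [
    ("deny",   "tcp", 135, 139),
    ("deny",   "udp", 135, 139),
    ("deny",   "tcp", 4444, 4444),
    ("deny",   "udp", 69, 69),
    ("permit", "any", 0, 65535),
]


def classify(proto, dport, acl=FORBID_ACL):
    """Return (rule_index, action) for the first matching entry, as the router evaluates an ACL."""
    for idx, (action, rproto, lo, hi) in enumerate(acl):
        if rproto in ("any", proto) and lo <= dport <= hi:
            return idx, action
    return len(acl), "deny"          # implicit deny at the end of every Cisco ACL


def apply_acl(flow_lines, acl=FORBID_ACL):
    """Run flow records ("proto src dst dport", an assumed format) through the ACL.

    Returns per-rule hit counts (like the "(N matches)" counters in
    "show access-list") and per-source counts of denied flows.
    """
    hits = Counter()
    denied_by_src = Counter()
    for line in flow_lines:
        proto, src, _dst, dport = line.split()
        idx, action = classify(proto, int(dport), acl)
        hits[idx] += 1
        if action == "deny":
            denied_by_src[src] += 1
    return hits, denied_by_src


def noisy_sources(denied_by_src, threshold):
    """Sources whose denied-flow count reaches the threshold, sorted for stable output."""
    return sorted(src for src, n in denied_by_src.items() if n >= threshold)


def render_acl(hits, acl=FORBID_ACL):
    """Format the ACL with match counters in the style of "show access-list"."""
    lines = []
    for idx, (action, rproto, lo, hi) in enumerate(acl):
        if rproto == "any":
            lines.append(f"{action} ip any any ({hits[idx]} matches)")
        else:
            ports = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"{action} {rproto} any any {ports} ({hits[idx]} matches)")
    return "\n".join(lines)


# Constructed flow records: one scanning host, two normal hosts, one stray NetBIOS lookup.
SAMPLE_FLOWS = [
    "tcp 10.0.0.5 192.0.2.10 135",
    "tcp 10.0.0.5 192.0.2.11 135",
    "tcp 10.0.0.5 192.0.2.12 135",
    "tcp 10.0.0.5 192.0.2.13 135",
    "tcp 10.0.0.5 192.0.2.14 4444",
    "udp 10.0.0.5 192.0.2.14 69",
    "tcp 10.0.0.6 192.0.2.20 80",
    "tcp 10.0.0.6 192.0.2.21 443",
    "udp 10.0.0.7 192.0.2.30 137",
    "icmp 10.0.0.8 192.0.2.40 0",
]

if __name__ == "__main__":
    hits, denied = apply_acl(SAMPLE_FLOWS)
    print(render_acl(hits))
    print("hosts to clean:", noisy_sources(denied, threshold=5))
```

Rule order matters exactly as it does on the router: a flow is counted against the first entry it matches, so a single host that hammers TCP 135 on many destinations stands out in the denied-per-source counter even though the permit line at the end still carries most of the legitimate traffic.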

Enable the Internet Connection Firewall if you are using XP, and get this tool to check your system and remove the worm if your workstation is infected. Then update your Windows with all security patches available on the Microsoft Windows Update website.

Definite solution: Get FreeBSD and set your computer free! (Geeks Only)

Resolution: We don't need NetBIOS, we don't like Microsoft.

Written by Babak Farrokhi

August 13th, 2003 at 1:08 am

Posted in Internet
