Geek Style
Worms are hot topic of day. Blaster and Nachi are making trouble for ISPs as well as end users worldwide.
There are diffrent ways to combat these worms. If you are a network administrator utilizing Cisco gear in your network, you can reduce the effect of these worms using some simple tricks. I have already posted an article on blocking Blaster worm in a cisco router.
But blocking Nachi is a little bit tricky since it uses ICMP echo/reply to map your network and propagate its code. This will cause a heavy ICMP storm in your netowork (that you may have already noticed). The most simple way is blocking all ICMP traffic which is not a good solution and harms your customers (They won’t be able to do PING measurement in this case).
Here is what I did to protect against Nachi (in a Cisco router):
Setup your NULL0 interface like this:
! interface Null0 no ip unreachables !
Then make an access-list that matches ICMP echo/reply packets:
! ip access-list extended nachi-list permit icmp any any echo permit icmp any any echo-reply !
Now the trick:
! route-map nachi permit 10 match ip address nachi-list match length 92 92 set interface Null0 !
Fortunately, Nachi uses fixed size ICMP packets (92 bytes, including IP header) as reachability probe. Above route-map will forward all ICMP packets with size of 92 bytes to Null0 interface. Null0 will not return any unreachable code and just drops the packet.
You should put this route-map on your network interface, like this (necessary parts listed only):
! interface FastEthernet0/0 description Connected to Local Network ip route-cache policy ip policy route-map nachi !
That “ip route-cache policy” is very important because it asks the router to cache all policy-route information in order to reduce processor load. (CEF won’t be useful here).
This is the result after 5 minutes:
router#sh route-map nachi route-map nachi, permit, sequence 10 Match clauses: ip address (access-lists): nachi-list length 92 92 Set clauses: interface Null0 Policy routing matches: 190909 packets, 20236354 bytes
Congratulations! Your network is saved.
If you enjoyed this article, please consider sharing it!
3 Responses to Say goodbye to Nachi
My Book
Network Administration with FreeBSD 7 is a book for intermediate and advanced system and network administrators who wants to get more familiar with internals and extract the full potential of FreeBSD 7 operating system.
Better said directly from cisco:
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
and the blaster ACLS as well
http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml
Actually enabling CEF is ideal, and ip route-cache policy will simply enable fast switching for policy-routing rather than using CEF. ip route-cache policy (fast switching), however, is still better than process switching the packet. Essentially, with CEF enabled, policy-routing information will be cached by CEF (optimal).
As per cisco documentation:
Enable CEF-Switched PBR
Beginning in Cisco IOS Release 12.0, PBR is supported in the Cisco Express Forwarding (CEF) switching path. CEF-switched PBR has better performance than fast-switched PBR and, therefore, is the optimal way to perform PBR on a router.
No special configuration is required to enable CEF-switched PBR. It is on by default as soon as you enable CEF and PBR on the router.
——————————————————————————–
Note The ip route-cache policy command is strictly for fast-switched PBR and, therefore, not required for CEF-switched PBR.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart1/qcpolicy.htm
Rich
Dear Babak
here is my sh route-map nachi out put :
route-map nachi, permit, sequence 10
Match clauses:
ip address (access-lists): nachi-list
length 92 92
Set clauses:
interface Null0
Policy routing matches: 74460 packets, 7892760 bytes
but I have more send icmp traffic , I restric all icmp packet for 10 minutes and see my send traffic returend to normal traffic .
I set following configuration on AS router ,
would you please advise me .
ip access-list extended nachi-list
permit icmp any any echo
permit icmp any any echo-reply
!
route-map nachi permit 10
match ip address nachi-list
match length 92 92
set interface Null0
set default interface null 0
!
interface fas 0
ip policy route-map nachi
!
ip local policy route-map nachi
Best Regard