Steps to prevent welchia/blaster problems
The Welchia worm has been giving my network hell. I've adopted a few firewall rules to help out, and wanted to share them since I'm sure it's affecting others also. I'm open to any suggestions or improvements.
# Welchia/Blaster -- These should help prevent the spread
# of the worm to/from/across my network
deny all from any to any 4444 out via any
deny all from any to any 135 out via any
deny all from any to any 69 out via any
deny all from any to any 139 out via any
deny all from any to any 445 out via any
deny all from any to any 4444 in via any
deny all from any to any 135 in via any
deny all from any to any 69 in via any
deny all from any to any 139 in via any
deny all from any to any 445 in via any
# no spaces around "=" -- shell-style assignments, expanded below as $fwicmp/$drop
fwicmp="-A FORWARD -p ICMP -s"
drop="-j DROP"
# put one of these for each offending/infected computer until the
# customer can be notified, this will drop any ICMP packets coming
# from the specified IP address
iptables $fwicmp 192.168.24.144 $drop #infected computer
iptables $fwicmp 192.168.21.57 $drop #infected computer
bairdc
09-16-2003, 12:59 PM
I'm with ya! Sheesh, Welchia sent my network into a tailspin the other night. I had about 6 customers with it, and their ICMP traffic was totally blasting me away. One of my biggest problems was that I had IP accounting on a StarOS box that acts as the core router for my wireless network. All my wireless links feed back into this box, and it does the IP accounting for everything. With all the ICMP traffic being generated, the load average on this box went to around 3, and pings to it over a 100 Meg ethernet link were between 800 ms and 1 second. I couldn't manage the thing through SSH due to the delay, so I had to connect a monitor/keyboard. Even that was extremely sluggish. As soon as I turned off IP accounting, it started acting normally again.
It makes me wonder if it might be a good idea to have IP accounting ignore ICMP traffic so it doesn't worsen the DoS that is already being caused by stuff like this. I can't think of a "normal" situation where ICMP would amount to any appreciable bandwidth, so would you really need to account for it? Maybe a good solution would be to have the ability to switch off accounting for ICMP in the IP Accounting setup... Lonnie or Tony, what do you think?
Craig
georgew
09-16-2003, 02:26 PM
How often are you collecting your IP accounting data?
You can't run IP accounting on a core router without frequently unloading the data. You can downtune the number of IPs it tracks, but you will lose your accounting data.
Whatever you do, don't turn on IP accounting without running a collector against it, otherwise it will eat all available memory.
bairdc
09-16-2003, 03:28 PM
How often are you collecting your IP accounting data?
Every 120 seconds. The problem didn't seem to be related to the memory filling up as you would see if you didn't collect the accounting data often enough. It seemed to be more related to StarOS having to add up zillions of ICMP packets, and not being quite able to keep pace. At least that's my guess. The machine in question is a PII-350 with 64 megs RAM.
Craig
Maybe the DoS is preventing the collections machine from connecting and d/ling the accounting data, thus creating a pileup?
kerndog5
12-23-2003, 04:02 AM
Where did you put these rules?
Code:
# Welchia/Blaster -- These should help prevent the spread
# of the worm to/from/across my network
deny all from any to any 4444 out via any
deny all from any to any 135 out via any
deny all from any to any 69 out via any
deny all from any to any 139 out via any
deny all from any to any 445 out via any
deny all from any to any 4444 in via any
deny all from any to any 135 in via any
deny all from any to any 69 in via any
deny all from any to any 139 in via any
deny all from any to any 445 in via any
# no spaces around "=" -- shell-style assignments, expanded below as $fwicmp/$drop
fwicmp="-A FORWARD -p ICMP -s"
drop="-j DROP"
# put one of these for each offending/infected computer until the
# customer can be notified, this will drop any ICMP packets coming
# from the specified IP address
iptables $fwicmp 192.168.24.144 $drop #infected computer
iptables $fwicmp 192.168.21.57 $drop #infected computer
kerndog5
12-23-2003, 04:03 AM
I am running on 1.11.12.
Will this version support these rules?
rbolduc
12-23-2003, 07:05 AM
These rules can be pasted into your firewall script, under menu "advanced" - "scripts" - "advanced firewall and port forwarding".
Reed
Elshar
12-26-2003, 12:03 PM
A couple of things that also helped me out with the ICMP traffic on these were doing two things at every possible point (i.e. wherever there's a firewall/StarOS box) on my network:
First, I'd block all incoming pings that were not replies from customers on my network.
Secondly, I'd block all outbound pings that were destined to 192.0.0.0/8 from within my wireless customers, as well as any of my public IP blocks (i.e. 65.0.0.0/8, etc.).
That pretty much halted I'd say at least 90%, if not more, of the ICMP traffic coming from virus'd clients. It also stopped/slowed those kinds of viruses from propagating into my network for customers that had public IPs.
With that along with the rules mentioned in a previous post, we're doing alright against those virii.
Michael
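The rules in the first post drop worm ports and per-host ICMP, and the later posts describe what an infected customer looks like from the router's side: one host sending echo requests to a large fan-out of addresses, plus connections to 135/4444. The script below is an added example, not code from anyone in this thread or from StarOS: it reads a constructed flow log (the "time src dst proto detail" line format, the addresses, and the thresholds are all assumptions made up for this illustration), flags sources whose ICMP echo-request fan-out or worm-port fan-out crosses a threshold, and emits the same per-host `iptables -A FORWARD -p ICMP -s <ip> -j DROP` rule the first post uses, so the "one line per infected computer" step can be generated from the accounting or flow data instead of typed by hand.

```python
import re
from collections import defaultdict

# Constructed sample flow records for this example (not real traffic).
# Format assumed here: "time src dst proto detail", where detail is the
# ICMP type for icmp and "dport=N" for tcp/udp.
SAMPLE_LOG = """\
12:00:01 192.168.24.144 10.1.0.1 icmp echo-request
12:00:01 192.168.24.144 10.1.0.2 icmp echo-request
12:00:01 192.168.24.144 10.1.0.3 icmp echo-request
12:00:02 192.168.24.144 10.1.0.4 icmp echo-request
12:00:02 192.168.24.144 10.1.0.5 icmp echo-request
12:00:02 192.168.24.144 10.1.0.6 icmp echo-request
12:00:02 192.168.24.144 10.1.0.1 icmp echo-request
12:00:02 10.1.0.1 192.168.24.144 icmp echo-reply
12:00:03 192.168.24.144 10.1.0.3 tcp dport=135
12:00:03 192.168.24.144 10.1.0.4 tcp dport=135
12:00:03 192.168.24.144 10.1.0.3 tcp dport=4444
12:00:04 192.168.21.57 10.2.0.1 icmp echo-request
12:00:04 192.168.21.57 10.2.0.2 icmp echo-request
12:00:04 192.168.21.57 10.2.0.3 icmp echo-request
12:00:04 192.168.21.57 10.2.0.4 icmp echo-request
12:00:04 192.168.21.57 10.2.0.5 icmp echo-request
12:00:05 192.168.21.57 10.2.0.1 tcp dport=135
12:00:06 192.168.30.10 192.0.2.10 icmp echo-request
12:00:06 192.0.2.10 192.168.30.10 icmp echo-reply
12:00:06 192.168.30.10 192.0.2.10 icmp echo-request
12:00:07 192.168.30.10 10.1.0.9 tcp dport=80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(icmp|tcp|udp)\s+(\S+)$")

# The ports the thread's deny rules cover (RPC/DCOM, NetBIOS, SMB, Blaster's
# backdoor port, and TFTP used to fetch the worm body).
WORM_PORTS = {135, 139, 445, 4444, 69}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        time, src, dst, proto, detail = m.groups()
        port = None
        if proto in ("tcp", "udp") and detail.startswith("dport="):
            port = int(detail[len("dport="):])
        records.append({"time": time, "src": src, "dst": dst,
                        "proto": proto, "detail": detail, "port": port})
    return records


def find_icmp_sweepers(records, min_targets=5):
    """Sources that sent echo requests to at least min_targets distinct hosts.

    Only echo-request counts: replies are what a legitimate host receives, so
    a customer answering pings is not flagged. Distinct destinations are
    counted rather than packets, so a host pinging one server repeatedly
    (like 192.168.30.10 in the sample) stays below the threshold.
    """
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "icmp" and r["detail"] == "echo-request":
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_worm_port_scanners(records, min_targets=2):
    """Sources that touched a worm port on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["port"] in WORM_PORTS:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def drop_rules(hosts):
    """One per-host ICMP drop line per flagged source, in the thread's form."""
    return [f"iptables -A FORWARD -p ICMP -s {h} -j DROP" for h in sorted(hosts)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    sweepers = find_icmp_sweepers(recs)
    scanners = find_worm_port_scanners(recs)
    for src, n in sweepers.items():
        print(f"{src}: echo requests to {n} distinct hosts")
    for src, dsts in scanners.items():
        print(f"{src}: worm-port connections to {', '.join(dsts)}")
    for rule in drop_rules(set(sweepers) | set(scanners)):
        print(rule)
```

The thresholds are deliberately low to fit the short sample; on a real accounting dump they would be set from the number of addresses a normal customer reaches in one collection interval (120 seconds in bairdc's setup), and the generated lines would be reviewed before being pasted into the firewall script, since a monitoring host that legitimately pings many addresses would trip the sweep check too.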