Nachi and NetFlow

Scott Genung sagenung at
Wed Oct 29 15:36:32 GMT 2003


For those of you who are using Cisco switches with NetFlow accounting, I'm 
wondering if anyone else has tripped over a problem that I have. Last 
month, we applied a route map at the gateway for each VLAN to discard ICMP 
echo and reply messages with a fixed length of 92 bytes (one of the 
signatures for a Nachi-infected host). This was part of our continuing 
efforts to minimize the impact of Nachi as units on campus continue to 
clean infected hosts. This model also breaks traceroute sourced from a 
Windows OS, but that's another story! Anyway, we have used NetFlow to 
identify hosts that are spewing these packets so that the SAs can clean and 
patch them. Below is a small sample of what we are seeing:

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl104      Null   01 0000 0800     1
Vl104      Null   01 0000 0800     1
Vl104      Null   01 0000 0800     1
Vl104      Null   01 0000 0800     1
Vl104      Null   01 0000 0800     1
Vl104      Null   01 0000 0800     1
Vl104      Null   01 0000 0800     1

If the DstIf column is set to Null, the route map has matched the packet 
sourced from the host (SrcIPaddress) and thrown it in the bit bucket. We 
literally see hundreds or thousands of these 1-packet flows from a single 
host in a 15-second interval. We're convinced that the host is infected 
with Nachi based upon this data and the fact that the user is not complaining 
about any application problems on their desktop. However, after reporting 
this information to the techs responsible for this and other hosts, some 
(not all) are coming back and telling me that they cannot find a worm on 
the host we have ID'd. They tell me that the latest version of Stinger 
(NAI) does not detect a virus. Has anyone else out there tripped over a 
flavor of Nachi that is not detectable from the desktop?

Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University
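The triage described in the post (count null-routed ICMP echo flows per source host and flag the ones emitting hundreds of them) as an added example; this is not code from the original post or from Illinois State. It assumes "show ip cache flow"-style rows with the same eight columns the post shows, and it relies on the Cisco NetFlow convention of encoding the ICMP type and code in the DstP column as type*256+code, so 0800 is echo request (type 8, code 0). The sample rows and addresses below are constructed for the example, not taken from the post.

```python
from collections import Counter, defaultdict

# Constructed sample of "show ip cache flow" output (not from the post):
# one host with many 1-packet echo flows dropped by the route map (DstIf Null),
# plus a host whose ICMP and TCP traffic is being forwarded normally.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl104         10.104.0.23     Null          10.37.12.4      01 0000 0800     1
Vl104         10.104.0.23     Null          10.37.12.5      01 0000 0800     1
Vl104         10.104.0.23     Null          10.37.12.6      01 0000 0800     1
Vl104         10.104.0.23     Null          10.37.12.7      01 0000 0800     1
Vl104         10.104.0.23     Null          10.37.12.8      01 0000 0800     1
Vl104         10.104.0.41     Vl200         10.200.1.9      01 0000 0800     3
Vl104         10.104.0.41     Vl200         10.200.1.9      06 04d2 0050    12
Vl104         10.104.0.41     Null          10.9.9.9        01 0000 0800     1
"""

PROTO_ICMP = 0x01
# Cisco NetFlow stores ICMP type/code in the DstP field as type*256 + code,
# so 0x0800 is echo request (type 8, code 0).
ICMP_ECHO_REQUEST = 0x0800


def parse_flows(text):
    """Parse the eight-column flow table into a list of dicts.

    Pr, SrcP and DstP are hex in the CLI output; Pkts is decimal.
    The header row and any malformed line are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = parts
        rows.append({
            "src_if": src_if,
            "src_ip": src_ip,
            "dst_if": dst_if,
            "dst_ip": dst_ip,
            "proto": int(proto, 16),
            "sport": int(sport, 16),
            "dport": int(dport, 16),
            "pkts": int(pkts),
        })
    return rows


def suspect_hosts(rows, threshold):
    """Return {src_ip: (dropped_echo_flows, distinct_targets)} for every source
    whose ICMP echo-request flows were null-routed at least `threshold` times.

    A scanning host shows up as many short flows to many distinct destinations;
    the distinct-target count helps separate that from a host repeatedly
    pinging one unreachable address.
    """
    flow_count = Counter()
    targets = defaultdict(set)
    for r in rows:
        if (r["dst_if"] == "Null"
                and r["proto"] == PROTO_ICMP
                and r["dport"] == ICMP_ECHO_REQUEST):
            flow_count[r["src_ip"]] += 1
            targets[r["src_ip"]].add(r["dst_ip"])
    return {ip: (n, len(targets[ip]))
            for ip, n in flow_count.items() if n >= threshold}


if __name__ == "__main__":
    # The post reports hundreds to thousands of such flows per 15-second
    # interval; the threshold here is low only because the sample is small.
    for ip, (flows, distinct) in sorted(suspect_hosts(parse_flows(SAMPLE_FLOWS), 3).items()):
        print(f"{ip}: {flows} null-routed echo flows to {distinct} distinct hosts")
```

In practice the threshold would be set from the interval the flow cache is sampled over (the post's "hundreds or thousands" in 15 seconds is far above anything a diagnostic ping produces). The result identifies the sender of the dropped packets and nothing more: it cannot say which process on the host generated them, which is exactly the gap the post runs into when a desktop scanner reports the host clean.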

