Nachi and NetFlow

Scott Genung sagenung at ilstu.edu
Wed Oct 29 15:36:32 GMT 2003


All,

For those of you who are using Cisco switches with NetFlow accounting, I'm 
wondering if anyone else has tripped over a problem that I have. Last 
month, we applied a route map at the gateway for each vLAN to discard ICMP 
echo and reply messages with a fixed length of 92 bytes (one of the 
signatures for a Nachi infected host). This was part of our continuing 
efforts to minimize the impact of Nachi as units on campus continue to 
clean infected hosts. This model also breaks traceroute sourced from a 
Windows OS but that's another story! Anyway, we have used NetFlow to 
identify hosts that are spewing these packets so that the SAs can clean and 
patch them. Below is a small sample of what we are seeing:

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.225   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.226   01 0000 0800     1

If the DstIf column is set to Null, the route map has matched the packet 
sourced from the host (SrcIPaddress) and thrown it in the bit bucket. We 
literally see hundreds or thousands of these 1 packet flows from a single 
host in a 15 second interval. We're convinced that the host is infected 
with Nachi based upon this data and the fact the user is not complaining 
about any application problems on their desktop. However after reporting 
this information to the techs responsible for this and other hosts, some 
(not all) are coming back and telling me that they cannot find a worm on 
the host we have ID'd. They tell me that the latest version of Stinger 
(NAI) does not detect a virus. Has anyone else out there tripped over a 
flavor of Nachi that is not detectable from the desktop?


Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University

(309)438-8731   http://www.tnss.ilstu.edu 
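As an added example (not part of the original post or of any Cisco tooling), the following Python script automates the triage described in the message: it parses NetFlow cache output in the same column layout as the sample above, keeps only ICMP echo-request flows (Pr 01, DstP 0800, i.e. type 8 code 0) that the route map dropped (DstIf = Null), and reports sources that generate many such single-packet flows to many distinct destinations. The sample rows are constructed for the example and the threshold is an assumption to be tuned against a real 15-second interval.

```python
"""Flag hosts producing many route-map-discarded ICMP echo flows in NetFlow
cache output. Added example; input and thresholds are constructed."""
from collections import defaultdict

# Constructed sample in the same column layout as the post's NetFlow output.
# 10.20.1.89 behaves like the host described in the message (one-packet
# echo flows to many destinations, all dropped); 10.20.1.50 is a normal host
# with a single forwarded TCP flow and one dropped echo.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl104         10.20.1.89      Null          10.17.253.228   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.229   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.230   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.223   01 0000 0800     1
Vl104         10.20.1.89      Null          10.17.253.224   01 0000 0800     1
Vl104         10.20.1.50      Vl200         10.17.1.10      06 0C4A 0050    42
Vl104         10.20.1.50      Null          10.17.1.11      01 0000 0800     1
"""


def parse_flows(text):
    """Parse the eight-column flow table into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, proto, src_port, dst_port, pkts = parts
        rows.append({
            "src_if": src_if, "src_ip": src_ip, "dst_if": dst_if,
            "dst_ip": dst_ip, "proto": proto, "src_port": src_port,
            "dst_port": dst_port, "pkts": int(pkts),
        })
    return rows


def suspicious_sources(rows, min_flows=3):
    """Return {src_ip: (dropped_echo_flows, distinct_destinations)} for sources
    whose route-map-dropped ICMP echo-request flows reach min_flows.

    For ICMP (Pr 01) the DstP column carries type/code, so 0800 is echo request.
    A DstIf of Null means the route map discarded the packet, as in the post.
    min_flows is an assumed threshold; in a real 15-second snapshot the post
    reports hundreds or thousands of such flows from one infected host.
    """
    flows = defaultdict(int)
    dests = defaultdict(set)
    for r in rows:
        if r["dst_if"] == "Null" and r["proto"] == "01" and r["dst_port"] == "0800":
            flows[r["src_ip"]] += 1
            dests[r["src_ip"]].add(r["dst_ip"])
    return {ip: (n, len(dests[ip])) for ip, n in flows.items() if n >= min_flows}


if __name__ == "__main__":
    for ip, (n, fanout) in suspicious_sources(parse_flows(SAMPLE)).items():
        print(f"{ip}: {n} dropped echo flows to {fanout} distinct destinations")
```

The distinct-destination count is the useful discriminator: a host that occasionally pings one dropped address shows up with a fan-out of one, whereas a scanning host walks an address range, so both numbers climb together. Feed the script the output of the same NetFlow cache display the post quotes, collected at a fixed interval, and hand the per-host results to the desktop technicians alongside the raw rows.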
