Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
240
Views
0
Helpful
3
Replies

Nachi ICMPs and PIX Performance

jason.scott
Level 1
Level 1

‎10-24-2003 04:40 AM - edited ‎02-20-2020 11:03 PM

Hi all,

Unfortunately we still have a few clients left over from the Nachi virus still broadcasting icmps to random addresses. When the outbreak first began we noticed a dramatic drop in internet performance which appeared to be caused by the PIX being overwhelmed with these ICMP requests but denying them because the networks did not exist.

To alliviate this I put in place access lists on our internal routers to filter icmps out of the subnet which our PIX resides on. This has worked, but caused a few problems with applications that require ICMPs to be enabled.

Is there any configuration that can be used on the PIX to increase performance and have it better deal with mass ICMP requests to unknown networks?

Regards,

0 Helpful
3 Replies 3

mostiguy
Level 6
Level 6

‎10-24-2003 07:12 AM

Are you sure the problem wasn't just that the volume of icmp echo and echo reply traffic was consuming all of the bandwidth, rather than just overloading the hardware of the pix? If you can throw up access-lists on routers, you can log the icmp traffic, and hunt down and patch machines.

0 Helpful

jason.scott
Level 1
Level 1
In response to mostiguy

‎10-24-2003 07:22 AM

Not positive but almost sure it wasn't down to bandwidth. We have some other boxes on this subnet that aren't affected (Cat4006, IDS).

I tried placing the access list on the PIX itself rather than the upstream router and it managed to log around 100,000+ hits on the icmp denial statement in just under 1 minute. I'm really surprised though because my captures from the pix logs which I use to feed machine info to our support team only seems to indicate about 20max clients left infected (we have about about 2500 clients).

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee
In response to jason.scott

‎10-26-2003 11:13 AM

Hi,

Another option you have is to enable ip verify unicast reversepath on the inside interface. It will deny/drop all the spoofed packets.

Thanks

Nadeem

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card