Increase in traffic to/from DSL subs since August?

Gary Attard garya at
Fri Nov 21 15:15:58 UTC 2003

Improperly patched machines infected with Nachi (aka Welchia) have been
noted transmitting in excess of 500,000 ICMP echo requests via Class B
alphabet lookups per hour. The one characteristic of Nachi that simplifies
the identification of the infected machines is the fact that each of these
echo requests are 92 byte pings. Any monitoring tools or packet sniffers
configured to look for these 92 byte pings will greatly simplify the
identification of the specific source addresses.

-----Original Message-----
From: owner-nanog at [mailto:owner-nanog at]On Behalf Of
Suresh Ramasubramanian
Sent: Thursday, November 20, 2003 9:27 PM
Cc: nanog at
Subject: Re: Increase in traffic to/from DSL subs since August?

Steven M. Bellovin writes on 11/20/2003 4:28 PM:

> At the IETF Plenary, Bernard Aboba showed a graph of spam, with a
> marked uptick since SoBig.F in August.  My guess is worm-deposited spam
> relays, though Joel's guess of Nachi or Welchia can't be ruled out,
> either, without flow data.

A ballpark estimate from a couple of friends who run small cable ISPs in
India, and from a look at our mailserver log stats, says that yes, this
is mostly because of open proxies and trojans infecting unpatched
windows machines on broadband.  Swen, MiMail and Jeem.mail.pv seem to be
the worst offenders wrt spamming trojans, right now.

Nachi and Welchia are almost as bad.  I'd say blame can be split equally
between the two.

srs (postmaster|suresh) // gpg : EDEDEFB9
manager, security and antispam operations

More information about the NANOG mailing list