Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

COURTESY ALERT: High Number of ICMP Sessions in Session Table



Article ID: KB6703 KB Last Updated: 13 Aug 2010Version: 4.0
COURTESY ALERT: High Number of ICMP Sessions in Session Table


  • nachi worm
  • session limit
  • high number of ICMP sessions in session table
  • w32 blaster worm
  • welchia worm

Symptoms & Errors:

  • increased number of ping sweeps, where one source IP incrementally pings an entire /16 range
  • steady increase in the number of ICMP Echo Requests (type 8 code 0) being directed against random source addresses

Some customers have reported seeing unusually high number of ICMP sessions in the NetScreen firewall session table. This is believed to cause by the variation of w32 blaster worm called Nachi worm (a.k.a., welchia worm).

In the low end devices such as, but not limited to, 5, 5XP, 5XT, 5GT, and 25, the session table could be easily fill up by the infected PC.

Measures should be taken by the users to block all of the ports used by the recent w32 worm virus, particularly TCP 135, UDP 69 and other ports listed by CERT Advisory from leaving and entering the perimeter network devices.

Desktop PCs should get the latest update from their respective vendors to clean and prevent the PCs from being infected.

Policy can be added on the firewall to denied ICMP packets or at least the ICMP echo request from leaving the firewall and entering to the internal network.

Enforce perimeter network device filtering such as on the routers and firewall as per RFC 2267 recommendation.

Excerpt from Internet Storm Center

Over the last few hours, sensors detected a remarkable increase in ICMP traffic. At this point, we assume that the traffic is linked to the 'Nachi' worm: The worm is also known as 'Welchia' (

While the investigation is still in progress, we did identify so far the following characteristics:
- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)

Virus Information from ISS

Virus Information
Virus Name  Risk Assessment
W32/Nachi.worm  Corporate User  :  Medium
Home User  :  Medium

Virus Information
Discovery Date:  08/18/2003
Origin:  Unknown
Length:  10,240 bytes (UPXed)
Type:  Virus
SubType:  Internet Worm
Minimum DAT:
Release Date:  4286
Minimum Engine:  4.1.60
Description Added:  08/18/2003
Description Modified:  08/18/2003 10:53 AM (PT)

Virus Characteristics:
This detection is for another virus that exploits the MS03-026 vulnerability.

It is not related to the W32/Lovsan.worm.d variant described here.

The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).

Intentions of the worm
This worm tries spreads by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.<. /P>

large volumes of ICMP traffic in network
existence of the files and Windows services detailed above

Method Of Infection
This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data. A remote shell is created on the target system on TCP port 707. Victim machines are instructed to download the worm via TFTP.

Irrespective of anti-virus detection, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine.

By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in-turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed.

NetScreen is not affiliated with Internet Storm Center, and is not responsible for the content on any of their sites.  The above information is provided only as a courtesy to our common customers.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search