A method and apparatus for enabling a network security service and network security infrastructure to detect, identify, mitigate, neutralize, and disable worms through distributed worm probes that can be linked to centralized monitoring systems for emergency response process is disclosed. The worm probes track packets with destination unreachable errors on a per source IP address basis. In one embodiment, when the number of such errors exceeds a predefined local threshold, e.g., within a predefined local time period at a worm probe, the count of such errors as well as the source IP address will be sent to all other worm probes in the network as an alert. When the number of such errors exceeds a predefined global threshold, e.g., within a predefined global time period, traffic from the endpoint device with the identified source IP address will be blocked to prevent that endpoint device from spreading worms further.