Date: Thu, 28 Aug 2003 21:23:56 -0700 From: paul <pkdb1@comcast.net> To: durham@jcdurham.com Cc: freebsd-questions@freebsd.org Subject: Re: Nachi Worm apparently causes "Live Lock" on 4.7 server Message-ID: <3F4ED55C.6030605@comcast.net> In-Reply-To: <200308282255.30730.durham@jcdurham.com> References: <200308282255.30730.durham@jcdurham.com>
next in thread | previous in thread | raw e-mail | index | archive | help
James C. Durham wrote: > > It turned out that we had several Windows boxes in the building that had been > infected with the Nachi worm. This causes some kind of DOS or ping probe out > onto the internet and the local LAN. > > Removing the inside interface's ethernet cable caused the ping times on the > outside interface to go back to the normal .4 milliseconds to the router. > > Apparently, the blast of packets coming from the infected boxes managed to > cause a "live lock" condition in the server. I assume it was interrupt bound > servicing the inside interface. The packets were ICMP requests to various > addresses. I could be way off here, but is there any way to isolate machines that send a sudden blast of packets, either by destination address (make a firewall rule that drops those packets) or working out their MAC addresses and dropping their connectivity? Or scan for open ports and block unsecured systems from connecting? > > My questions is.. what, if any, is a technique for preventing this condition? > I know, fix the windows boxes, but I can't continually check the status of > the virus software and patch level of the Windows boxes. There are 250 plus > of them and one of me. Users won't install upgrades even when warned this > worm thing was coming. But, i'd like to prevent loss of service when one of > Bill's boxes goes nuts! Where I work, at the University of Washington, the network staff were dropping as many as 200 machines *per day* off the network. If a machine was found to have an open RPC port (we run an open network), that was enough to get your network access cut off. I realize these are political solutions more than technical ones, but they may be of some use. -- Paul Beard <http://paulbeard.no-ip.org/movabletype/> whois -h whois.networksolutions.com ha=pb202 Satellite Safety Tip #14: If you see a bright streak in the sky coming at you, duck.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F4ED55C.6030605>