From: paul <pkdb1@comcast.net>
To: durham@jcdurham.com
Cc: freebsd-questions@freebsd.org
Date: Thu, 28 Aug 2003 21:23:56 -0700
Subject: Re: Nachi Worm apparently causes "Live Lock" on 4.7 server
Message-ID: <3F4ED55C.6030605@comcast.net>
In-Reply-To: <200308282255.30730.durham@jcdurham.com>

James C. Durham wrote:
>
> It turned out that we had several Windows boxes in the building that had been
> infected with the Nachi worm. This causes some kind of DoS or ping probe out
> onto the internet and the local LAN.
>
> Removing the inside interface's ethernet cable caused the ping times on the
> outside interface to go back to the normal 0.4 milliseconds to the router.
>
> Apparently, the blast of packets coming from the infected boxes managed to
> cause a "live lock" condition in the server. I assume it was interrupt bound
> servicing the inside interface. The packets were ICMP requests to various
> addresses.

I could be way off here, but is there any way to isolate machines that send a
sudden blast of packets, either by destination address (make a firewall rule
that drops those packets) or by working out their MAC addresses and dropping
their connectivity? Or scan for open ports and block unsecured systems from
connecting?

>
> My question is.. what, if any, is a technique for preventing this condition?
> I know, fix the windows boxes, but I can't continually check the status of
> the virus software and patch level of the Windows boxes. There are 250 plus
> of them and one of me. Users won't install upgrades even when warned this
> worm thing was coming. But, I'd like to prevent loss of service when one of
> Bill's boxes goes nuts!

Where I work, at the University of Washington, the network staff were dropping
as many as 200 machines *per day* off the network. If a machine was found to
have an open RPC port (we run an open network), that was enough to get your
network access cut off.

I realize these are political solutions more than technical ones, but they may
be of some use.

--
Paul Beard
whois -h whois.networksolutions.com ha=pb202

Satellite Safety Tip #14: If you see a bright streak in the sky coming at you, duck.
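One way to do the "find the blasting hosts and build a firewall rule" step Paul asks about, on the FreeBSD gateway itself. This is an added example, not code from the thread or from either poster: it counts ICMP echo requests per source address in tcpdump output and emits an ipfw deny rule for each source over a threshold. The tcpdump lines are constructed sample data, the inside interface name fxp1, the threshold of 3 and the rule numbers starting at 1000 are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of tcpdump output (not captured from the original
# thread): a couple of normal pings plus one host, 192.168.1.77, spraying
# echo requests at many addresses the way Nachi-infected boxes did.
SAMPLE='04:20:01.000001 192.168.1.10 > 192.168.1.1: icmp: echo request
04:20:01.100002 192.168.1.77 > 10.1.2.3: icmp: echo request
04:20:01.100003 192.168.1.77 > 10.1.2.4: icmp: echo request
04:20:01.100004 192.168.1.77 > 10.1.2.5: icmp: echo request
04:20:01.100005 192.168.1.77 > 10.1.2.6: icmp: echo request
04:20:01.200006 192.168.1.1 > 192.168.1.10: icmp: echo reply
04:20:01.300007 192.168.1.22 > 192.168.1.1: udp 53
04:20:01.400008 192.168.1.77 > 10.1.2.7: icmp: echo request'

# Read tcpdump text on stdin; print "count source-ip", busiest source first.
# The source address is the field just before ">", which holds for both the
# old "src > dst: icmp: echo request" and the newer "IP src > dst: ICMP ..."
# output formats.
count_echo_sources() {
    grep -i 'echo request' \
        | awk '{ for (i = 2; i <= NF; i++) if ($i == ">") print $(i - 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Emit one ipfw rule per source that sent at least $1 echo requests.
# $2 is the inside interface, $3 the first rule number (both assumptions
# here; pick numbers that sit before your existing allow rules).
emit_block_rules() {
    threshold="$1"; iface="$2"; rule="${3:-1000}"
    count_echo_sources | while read -r n ip; do
        if [ "$n" -ge "$threshold" ]; then
            echo "ipfw add $rule deny icmp from $ip to any icmptypes 8 in via $iface"
            rule=$((rule + 1))
        fi
    done
}

# Offline demonstration against the constructed sample. Against a live box
# you would feed a bounded capture instead, e.g.
#   tcpdump -n -c 2000 -i fxp1 icmp | emit_block_rules 50 fxp1
# (-c matters: sort needs end-of-input before it can emit anything).
demo() {
    printf '%s\n' "$SAMPLE" | emit_block_rules 3 fxp1
}

demo
```

Two caveats belong with this. First, review the generated rules before running them as root; a legitimate monitoring host that pings a lot will look exactly like an infected one to a plain count. Second, an ipfw deny rule drops the packet after the kernel has already taken the interrupt for it, so this protects the outside link and the rest of the LAN from the flood but does not by itself relieve an interrupt livelock on the inside interface. Taking the NIC out of interrupt mode is what the kernel's DEVICE_POLLING option is for, and combining the two is the usual answer for a gateway in this position.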