From owner-freebsd-questions@FreeBSD.ORG Thu Aug 28 21:32:51 2003
From: "Matthew Emmerton" (envelope-from matt@compar.com)
To: "paul"
cc: freebsd-questions@freebsd.org
Message-ID: <000501c36de6$5213a270$1200a8c0@gsicomp.on.ca>
References: <200308282255.30730.durham@jcdurham.com> <3F4ED55C.6030605@comcast.net>
Date: Fri, 29 Aug 2003 00:30:48 -0400
Subject: Re: Nachi Worm apparently causes "Live Lock" on 4.7 server
List-Id: User questions

> James C. Durham wrote:
>
> > It turned out that we had several Windows boxes in the building that had been
> > infected with the Nachi worm. This causes some kind of DOS or ping probe out
> > onto the internet and the local LAN.
> >
> > Removing the inside interface's ethernet cable caused the ping times on the
> > outside interface to go back to the normal .4 milliseconds to the router.
> >
> > Apparently, the blast of packets coming from the infected boxes managed to
> > cause a "live lock" condition in the server. I assume it was interrupt bound
> > servicing the inside interface. The packets were ICMP requests to various
> > addresses.
>
> I could be way off here, but is there any way to isolate machines
> that send a sudden blast of packets, either by destination address
> (make a firewall rule that drops those packets) or working out
> their MAC addresses and dropping their connectivity? Or scan for
> open ports and block unsecured systems from connecting?
>
> > My question is.. what, if any, is a technique for preventing this condition?
> > I know, fix the Windows boxes, but I can't continually check the status of
> > the virus software and patch level of the Windows boxes. There are 250 plus
> > of them and one of me. Users won't install upgrades even when warned this
> > worm thing was coming. But, I'd like to prevent loss of service when one of
> > Bill's boxes goes nuts!
>
> Where I work, at the University of Washington, the network staff
> were dropping as many as 200 machines *per day* off the network.
> If a machine was found to have an open RPC port (we run an open
> network), that was enough to get your network access cut off.
>
> I realize these are political solutions more than technical ones,
> but they may be of some use.

They were doing the same thing at the IBM location where I work. It's brutal
if you are in the middle of something, but it's the only way to keep the
latest breed of MS virii/worms/whatever from spreading.

--
Matt Emmerton
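A detection-side illustration of Paul's suggestion to isolate hosts that send a sudden blast of packets, added here and not part of the thread: it counts inbound ICMP echo requests per source over a sliding window in ipfw-style log lines and renders one ipfw deny rule per flagged inside host. The log format (epoch-prefixed ipfw lines), the sample lines and the interface name fxp1 are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict, deque

# Constructed sample of ipfw-style log lines prefixed with epoch seconds (assumed
# format; the thread contains no logs).  Only inbound ICMP echo requests (type 8)
# on the inside interface are counted; replies, outbound traffic and TCP are ignored.
SAMPLE_LOG = """\
1062130369 ipfw: 100 Accept ICMP:8.0 192.168.1.23 10.0.0.7 in via fxp1
1062130369 ipfw: 100 Accept ICMP:8.0 192.168.1.23 10.0.0.8 in via fxp1
1062130369 ipfw: 100 Accept ICMP:8.0 192.168.1.23 10.0.0.9 in via fxp1
1062130370 ipfw: 100 Accept ICMP:8.0 192.168.1.23 10.0.0.10 in via fxp1
1062130370 ipfw: 100 Accept ICMP:8.0 192.168.1.23 10.0.0.11 in via fxp1
1062130371 ipfw: 100 Accept ICMP:8.0 192.168.1.50 10.0.0.1 in via fxp1
1062130372 ipfw: 100 Accept ICMP:0.0 10.0.0.1 192.168.1.50 out via fxp1
1062130400 ipfw: 100 Accept ICMP:8.0 192.168.1.50 10.0.0.1 in via fxp1
1062130401 ipfw: 100 Accept TCP 192.168.1.77:1034 10.0.0.1:80 in via fxp1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) ipfw: \d+ \w+ ICMP:(?P<type>\d+)\.\d+ "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<iface>\w+)$"
)

def find_ping_floods(log_text, window=5, threshold=4):
    """Return {src_ip: peak echo requests seen within `window` seconds} for every
    source that reaches `threshold`.  A sliding window is kept per source, so a
    host that pings once every few minutes is never flagged."""
    recent = defaultdict(deque)      # src -> timestamps of recent echo requests
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["type"] != "8" or m["dir"] != "in":
            continue                 # not an inbound echo request: ignore
        ts, src = int(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

def ipfw_block_rules(peaks, iface="fxp1", rule_no=200):
    """Render an ipfw rule per offending source that drops only its echo requests
    on the inside interface, so the box stays reachable for cleanup."""
    return [f"ipfw add {rule_no} deny icmp from {src} to any icmptypes 8 in via {iface}"
            for src in sorted(peaks)]

if __name__ == "__main__":
    floods = find_ping_floods(SAMPLE_LOG)
    for src, n in floods.items():
        print(f"{src}: {n} echo requests within window")
    print("\n".join(ipfw_block_rules(floods)))
```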