Date:      Thu, 28 Aug 2003 22:14:34 -0700
From:      paul beard <paulbeard@mac.com>
To:        durham@jcdurham.com, questions <questions@freebsd.org>
Subject:   Re: Nachi Worm apparently causes "Live Lock" on 4.7 server
Message-ID:  <3F4EE13A.6010807@mac.com>
In-Reply-To: <200308290047.33808.durham@jcdurham.com>
References:  <200308282255.30730.durham@jcdurham.com> <3F4ED55C.6030605@comcast.net> <200308290047.33808.durham@jcdurham.com>

James C. Durham wrote:
> On Friday 29 August 2003 04:23 am, paul wrote:
> 
>>James C. Durham wrote:
>>
>>>It turned out that we had several Windows boxes in the building that had
>>>been infected with the Nachi worm. This causes some kind of DOS or ping
>>>probe out onto the internet and the local LAN.
>>>
>>>Removing the inside interface's ethernet cable caused the ping times on
>>>the outside interface to go back to the normal .4 milliseconds to the
>>>router.
>>>
>>>Apparently, the blast of packets coming from the infected boxes managed
>>>to cause a "live lock" condition in the server. I assume it was interrupt
>>>bound servicing the inside interface. The packets were ICMP requests to
>>>various addresses.
>>
>>I could be way off here, but is there any way to isolate machines
>>that send a sudden blast of packets, either by destination address
>>(make a firewall rule that drops those packets) or working out
>>their MAC addresses and dropping their connectivity? Or scan for
>>open ports and block unsecured systems from connecting?
> 
> 
> What I did was go in the switch room and look for pulsing lights on the switch 
> ports and pull the cables. That fixed it, but after much agony.

well, that's a bit draconian, but effective ;-)

>>>My question is.. what, if any, is a technique for preventing this
>>>condition? I know, fix the windows boxes, but I can't continually check
>>>the status of the virus software and patch level of the Windows boxes.
>>>There are 250 plus of them and one of me. Users won't install upgrades
>>>even when warned this worm thing was coming. But, I'd like to prevent
>>>loss of service when one of Bill's boxes goes nuts!
>>
>>Where I work, at the University of Washington, the network staff
>>were dropping as many as 200 machines *per day* off the network.
>>If a machine was found to have an open RPC port (we run an open
>>network), that was enough to get your network access cut off.
>>
>>I realize these are political solutions more than technical ones,
>>but they may be of some use.
> 
> 
> The trouble with that is that my users are largely untechnical and wouldn't 
> have a clue what RPC is and cutting them off is not an option. Welcome to the 
> world of corporate IT! It ain't a pretty job, but it pays the bills...

been there, done that, the bruises have gone down now . . .

One guy to 250 users is a bad ratio.

It seems like there should be some centralized, i.e., rule-based 
controls you can put in place. And you should have some leverage 
to force autoupdates on those client machines.

> I got the impression from some reading on Google Groups that there may be a 
> way to tell the xl driver to use polling. I just don't know how.

Well, this is the right place to ask.

-- 
Paul Beard
<http://paulbeard.no-ip.org/movabletype/>
whois -h whois.networksolutions.com ha=pb202

Receiving a million dollars tax free will make you feel better than
being flat broke and having a stomach ache.
		-- Dolph Sharp, "I'm O.K., You're Not So Hot"
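Paul's suggestion above of working out which hosts send a sudden blast of packets, as an added example that is not part of this thread: a small sliding-window detector in Python over constructed ICMP echo-request records (timestamp, source MAC, destination address) that flags a host once it has sent at least `max_requests` echo requests to at least `min_distinct` different destinations within `window` seconds, which separates a worm-style sweep from a host that simply pings one gateway often. The record format, thresholds and all sample MACs and addresses are assumptions.

```python
from collections import defaultdict, deque


def make_sample():
    """Constructed sample of echo-request records as a LAN sensor might log
    them: (timestamp_seconds, source_mac, destination_ip). Made up for this
    example, not captured from the network in the thread."""
    records = []
    # Infected host: 30 echo requests in half a second to 30 distinct addresses.
    records += [(i * 0.015, "00:11:22:33:44:aa", f"192.0.2.{i + 1}")
                for i in range(30)]
    # Monitoring host: 25 requests per second, but all to the one gateway.
    records += [(i * 0.04, "00:11:22:33:44:bb", "10.0.0.1") for i in range(25)]
    # Ordinary host: a couple of pings.
    records += [(0.2, "00:11:22:33:44:cc", "10.0.0.1"),
                (0.7, "00:11:22:33:44:cc", "10.0.0.2")]
    return sorted(records)


def find_blasting_hosts(records, window=1.0, max_requests=20, min_distinct=10):
    """Return {source_mac: first_detection_time} for hosts that, within any
    `window` seconds, sent >= max_requests echo requests to >= min_distinct
    distinct destinations. Records are processed in timestamp order."""
    recent = defaultdict(deque)  # per-MAC queue of (timestamp, destination)
    flagged = {}
    for ts, mac, dst in sorted(records):
        q = recent[mac]
        q.append((ts, dst))
        # Drop entries that have fallen out of the sliding window.
        while q and q[0][0] < ts - window:
            q.popleft()
        if len(q) >= max_requests:
            distinct = len({d for _, d in q})
            if distinct >= min_distinct:
                # Remember the first moment the host crossed the threshold.
                flagged.setdefault(mac, ts)
    return flagged


if __name__ == "__main__":
    for mac, ts in find_blasting_hosts(make_sample()).items():
        print(f"{mac} crossed the threshold at t={ts:.3f}s; candidate for isolation")
```

A flagged MAC is the one to look up in the switch's forwarding table rather than hunting for blinking port lights.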


