Date: Fri, 29 Aug 2003 00:30:48 -0400 From: "Matthew Emmerton" <matt@compar.com> To: "paul" <pkdb1@comcast.net>, <durham@jcdurham.com> Cc: freebsd-questions@freebsd.org Subject: Re: Nachi Worm apparently causes "Live Lock" on 4.7 server Message-ID: <000501c36de6$5213a270$1200a8c0@gsicomp.on.ca> References: <200308282255.30730.durham@jcdurham.com> <3F4ED55C.6030605@comcast.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> James C. Durham wrote: > > > > > It turned out that we had several Windows boxes in the building that had been > > infected with the Nachi worm. This causes some kind of DOS or ping probe out > > onto the internet and the local LAN. > > > > Removing the inside interface's ethernet cable caused the ping times on the > > outside interface to go back to the normal .4 milliseconds to the router. > > > > Apparently, the blast of packets coming from the infected boxes managed to > > cause a "live lock" condition in the server. I assume it was interrupt bound > > servicing the inside interface. The packets were ICMP requests to various > > addresses. > > I could be way off here, but is there any way to isolate machines > that send a sudden blast of packets, either by destination address > (make a firewall rule that drops those packets) or working out > their MAC addresses and dropping their connectivity? Or scan for > open ports and block unsecured systems from connecting? > > > > My questions is.. what, if any, is a technique for preventing this condition? > > I know, fix the windows boxes, but I can't continually check the status of > > the virus software and patch level of the Windows boxes. There are 250 plus > > of them and one of me. Users won't install upgrades even when warned this > > worm thing was coming. But, i'd like to prevent loss of service when one of > > Bill's boxes goes nuts! > > Where I work, at the University of Washington, the network staff > were dropping as many as 200 machines *per day* off the network. > If a machine was found to have an open RPC port (we run an open > network), that was enough to get your network access cut off. > > I realize these are political solutions more than technical ones, > but they may be of some use. They were doing the same thing at the IBM location where I work. It's brutal if you are in the middle of something, but it's the only way to keep the latest breed of MS virii/worms/whatever from spreading. -- Matt Emmerton
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000501c36de6$5213a270$1200a8c0>