James C. Durham wrote:
On 8/21, I noticed that internet connectity through our 4.7 FreeBSD gateway NAT box was getting REALLY slow. Checking with our T1 provider, there was only 128K of data stream (aprox) flowing out the T1. Ping times to the router on the external interface yielded times of up to 3 seconds!

This box is a Dell 2350 server with one 500mhz Pent 3 and 512 mg ram.

Running tcpdump on both the internal and external interfaces showed a very small number of ICMP packets flowing on either and virtually no IP.

My first conclusion...wrong..was that I had a bad ethernet card. Pulled server/gateway box off line and replaced the card. No difference.

It turned out that we had several Windows boxes in the building that had been infected with the Nachi worm. This causes some kind of DOS or ping probe out onto the internet and the local LAN.

Removing the inside interface's ethernet cable caused the ping times on the outside interface to go back to the normal .4 milliseconds to the router.

Apparently, the blast of packets coming from the infected boxes managed to cause a "live lock" condition in the server. I assume it was interrupt bound servicing the inside interface. The packets were ICMP requests to various addresses.

At one point, I substituted a Dell 2650 with 1 gig interfaces and 2 1800 mg Xeons at the gateway addresses and it bound up also. Speed seems not to be the answer 8-( .

My questions is.. what, if any, is a technique for preventing this condition? I know, fix the windows boxes, but I can't continually check the status of the virus software and patch level of the Windows boxes. There are 250 plus of them and one of me. Users won't install upgrades even when warned this worm thing was coming. But, i'd like to prevent loss of service when one of Bill's boxes goes nuts!

The inside interface is the 'xl' driver on a 3Com 3C905. Can it be run in polling mode or given lower interrupt priority?

BTW, it seems to only take about 3 infected windows boxes to bring things to a halt.


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Forget letting the users patch the systems you already pointed out their lack of concerne. Set Windows to automaticly retrive the updates (this might depend on the version of the OS) and install them. Next you can put personal firewalls (PF) on the systems preconfigured to only the applications you want to be able to get out on the internet.

If you don't want to go with the PF then watch for unusual activity over the network (let's say that anything after hours that causes things to get boggy and coming from a Windows machine) then create a rule that firewalls the activity so all doesn't get propagated to the wild. You can even have it email you this and then from there tunnel in to the network and shut down the machine(s) remotely.

As a side note. As the IT person become more proactive in the administration of systems. Those CDW commercials may be silly to watch but they are absolutely true.

Oh, a final solution...unless a system needs to have Windows then get 'em off of it.


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to