James C. Durham wrote:


It turned out that we had several Windows boxes in the building that had been infected with the Nachi worm. This causes some kind of DOS or ping probe out onto the internet and the local LAN.


Removing the inside interface's ethernet cable caused the ping times on the outside interface to go back to the normal .4 milliseconds to the router.

Apparently, the blast of packets coming from the infected boxes managed to cause a "live lock" condition in the server. I assume it was interrupt bound servicing the inside interface. The packets were ICMP requests to various addresses.

I could be way off here, but is there any way to isolate machines that send a sudden blast of packets, either by destination address (make a firewall rule that drops those packets) or working out their MAC addresses and dropping their connectivity? Or scan for open ports and block unsecured systems from connecting?

My questions is.. what, if any, is a technique for preventing this condition? I know, fix the windows boxes, but I can't continually check the status of the virus software and patch level of the Windows boxes. There are 250 plus of them and one of me. Users won't install upgrades even when warned this worm thing was coming. But, i'd like to prevent loss of service when one of Bill's boxes goes nuts!

Where I work, at the University of Washington, the network staff were dropping as many as 200 machines *per day* off the network. If a machine was found to have an open RPC port (we run an open network), that was enough to get your network access cut off.


I realize these are political solutions more than technical ones, but they may be of some use.
--
Paul Beard
<http://paulbeard.no-ip.org/movabletype/>
whois -h whois.networksolutions.com ha=pb202


Satellite Safety Tip #14:
        If you see a bright streak in the sky coming at you, duck.

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to