> James C. Durham wrote: > > > > > It turned out that we had several Windows boxes in the building that had been > > infected with the Nachi worm. This causes some kind of DOS or ping probe out > > onto the internet and the local LAN. > > > > Removing the inside interface's ethernet cable caused the ping times on the > > outside interface to go back to the normal .4 milliseconds to the router. > > > > Apparently, the blast of packets coming from the infected boxes managed to > > cause a "live lock" condition in the server. I assume it was interrupt bound > > servicing the inside interface. The packets were ICMP requests to various > > addresses. > > I could be way off here, but is there any way to isolate machines > that send a sudden blast of packets, either by destination address > (make a firewall rule that drops those packets) or working out > their MAC addresses and dropping their connectivity? Or scan for > open ports and block unsecured systems from connecting? > > > > My questions is.. what, if any, is a technique for preventing this condition? > > I know, fix the windows boxes, but I can't continually check the status of > > the virus software and patch level of the Windows boxes. There are 250 plus > > of them and one of me. Users won't install upgrades even when warned this > > worm thing was coming. But, i'd like to prevent loss of service when one of > > Bill's boxes goes nuts! > > Where I work, at the University of Washington, the network staff > were dropping as many as 200 machines *per day* off the network. > If a machine was found to have an open RPC port (we run an open > network), that was enough to get your network access cut off. > > I realize these are political solutions more than technical ones, > but they may be of some use.
They were doing the same thing at the IBM location where I work. It's brutal if you are in the middle of something, but it's the only way to keep the latest breed of MS virii/worms/whatever from spreading. -- Matt Emmerton _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"