I had to deal with this just recently. Shutting down their link to your AP works ;-)
Blaster, Nachi and their variants are the problem. They first rear their ugly heads but put out a flood of ICMP echoes on the systems. I can watch it on our router .... the ports it spoofs are 256 and 512 but we can't block ICMP traffic on the router so ...

The ICMP flood will bring your network to a crawl and cause other customers' connections to drop right off. These ping echoes are looking for a new machine to infect - each ping probes an IP and the next probes the next IP up from that. Once the virus finds a vulnerable machine it THEN connects through ports 135 or 445 to pass the infection along. If the virus is already on your network then as soon as someone connects a new computer (sans service packs) it often gets infected before the service packs can be applied.

We have now blocked 135, 136, 137, 138, 139, 445, and 593 inbound and outbound ports at our main router. Outgoing ports 135 and 445 can be blocked at the customer's end too. It's especially easy with Windows 2003 Server. I don't know about the cheaper routers though.

Software firewalls can help too, e.g. the free version of ZoneAlarm can be installed on the infected machine, since ZoneAlarm, unlike many of the cheaper hardware firewalls in broadband routers, will block unauthorized outgoing traffic. ZoneAlarm, for example, once loaded will report that dllhost.exe (the infected file) is trying to access the network - it should not be allowed through. One of my customers running an older system reports that ZoneAlarm seems to be bogging it down.

The bottom line is that the viruses have to be cleaned off immediately, an outbound firewall installed, or your customer should be disconnected until they remove the virus.

Others may have some clarifications or other insights into this.

I hope this helps

Dan Good
Virtual North Inc.

----- Original Message -----
From: "John K. McReynolds" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 26, 2003 10:00 AM
Subject: Re: [smartBridges] Virus attacks

> Andrew,
> When you say it brings your network down, does it reduce it to a crawl or does
> it affect the signal coming from the AP (effectively making the AP "beacon" for
> a while, on/off/on/off, then lose signal from the AP totally)? We are having
> similar issues and I am having one heck of a time figuring out what is
> happening...
>
> Thanks,
>
> JOHN
>
> Quoting Andrew Goble <[EMAIL PROTECTED]>:
>

The PART-15.ORG smartBridges Discussion List
To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>)
To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
Archives: http://archives.part-15.org
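
Added example, not part of the posts above: one way to find the infected customer from router flow records, using the behaviour described in the thread (each ping probes an IP and the next probes the next IP up). The record layout `(source, destination, ICMP type)`, the `min_run` threshold and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ICMP_ECHO_REQUEST = 8  # ICMP type for "ping"; type 0 is the echo reply

# Constructed sample flow records: (source, destination, ICMP type).
SAMPLE_FLOWS = (
    # Host walking upward through consecutive addresses, as the thread describes.
    [("10.0.5.23", f"192.0.2.{n}", ICMP_ECHO_REQUEST) for n in range(10, 22)]
    # Ordinary host repeatedly pinging its gateway and one remote address.
    + [("10.0.5.40", "10.0.5.1", ICMP_ECHO_REQUEST)] * 20
    + [("10.0.5.40", "198.51.100.7", ICMP_ECHO_REQUEST)]
    # Echo replies from the gateway: not probes, so they must be ignored.
    + [("10.0.5.1", "10.0.5.40", 0)] * 20
    # Monitoring host that pings only three neighbouring addresses.
    + [("10.0.5.60", f"10.0.5.{n}", ICMP_ECHO_REQUEST) for n in (1, 2, 3)]
)


def find_sweepers(flows, min_run=5):
    """Return {source: longest run of consecutive destinations pinged}
    for every source whose longest run is at least min_run (assumed threshold)."""
    targets = defaultdict(set)
    for src, dst, icmp_type in flows:
        if icmp_type == ICMP_ECHO_REQUEST:
            # Store addresses as integers so "next IP up" is simply +1.
            targets[src].add(int(ipaddress.ip_address(dst)))

    sweepers = {}
    for src, dsts in targets.items():
        longest = run = 0
        prev = None
        for addr in sorted(dsts):
            run = run + 1 if prev is not None and addr == prev + 1 else 1
            longest = max(longest, run)
            prev = addr
        if longest >= min_run:
            sweepers[src] = longest
    return sweepers


if __name__ == "__main__":
    for src, run in find_sweepers(SAMPLE_FLOWS).items():
        print(f"{src} pinged {run} consecutive addresses: check for infection")
```

Counting distinct consecutive destinations rather than raw ping volume keeps a host that pings its gateway all day from being flagged alongside a scanning one.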
