From: paul beard <paulbeard@mac.com>
Date: Thu, 28 Aug 2003 22:14:34 -0700
To: durham@jcdurham.com, freebsd-questions@freebsd.org
Subject: Re: Nachi Worm apparently causes "Live Lock" on 4.7 server
Message-ID: <3F4EE13A.6010807@mac.com>
References: <200308282255.30730.durham@jcdurham.com> <3F4ED55C.6030605@comcast.net> <200308290047.33808.durham@jcdurham.com>
In-Reply-To: <200308290047.33808.durham@jcdurham.com>

James C. Durham wrote:
> On Friday 29 August 2003 04:23 am, paul wrote:
>
>> James C. Durham wrote:
>>
>>> It turned out that we had several Windows boxes in the building that had
>>> been infected with the Nachi worm. This causes some kind of DOS or ping
>>> probe out onto the internet and the local LAN.
>>>
>>> Removing the inside interface's ethernet cable caused the ping times on
>>> the outside interface to go back to the normal .4 milliseconds to the
>>> router.
>>>
>>> Apparently, the blast of packets coming from the infected boxes managed
>>> to cause a "live lock" condition in the server. I assume it was interrupt
>>> bound servicing the inside interface. The packets were ICMP requests to
>>> various addresses.
>>
>> I could be way off here, but is there any way to isolate machines
>> that send a sudden blast of packets, either by destination address
>> (make a firewall rule that drops those packets) or working out
>> their MAC addresses and dropping their connectivity? Or scan for
>> open ports and block unsecured systems from connecting?
>
> What I did was go in the switch room and look for pulsing lights on the switch
> ports and pull the cables. That fixed it, but after much agony.

well, that's a bit draconian, but effective ;-)

>>> My question is.. what, if any, is a technique for preventing this
>>> condition? I know, fix the windows boxes, but I can't continually check
>>> the status of the virus software and patch level of the Windows boxes.
>>> There are 250 plus of them and one of me. Users won't install upgrades
>>> even when warned this worm thing was coming. But, I'd like to prevent
>>> loss of service when one of Bill's boxes goes nuts!
>>
>> Where I work, at the University of Washington, the network staff
>> were dropping as many as 200 machines *per day* off the network.
>> If a machine was found to have an open RPC port (we run an open
>> network), that was enough to get your network access cut off.
>>
>> I realize these are political solutions more than technical ones,
>> but they may be of some use.
>
> The trouble with that is that my users are largely untechnical and wouldn't
> have a clue what RPC is and cutting them off is not an option. Welcome to the
> world of corporate IT! It ain't a pretty job, but it pays the bills...

been there, done that, the bruises have gone down now . . .

One guy to 250 users is a bad ratio. It seems like there should be some
centralized, i.e., rule-based controls you can put in place. And you should
have some leverage to force autoupdates on those client machines.

> I got the impression from some reading on Google Groups that there may be a
> way to tell the xl driver to use polling. I just don't know how.

Well, this is the right place to ask.

-- 
Paul Beard
whois -h whois.networksolutions.com ha=pb202

Receiving a million dollars tax free will make you feel better than being
flat broke and having a stomach ache.
                -- Dolph Sharp, "I'm O.K., You're Not So Hot"
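The two technical ideas raised in the thread, picking out the hosts that emit a sudden blast of ICMP echo requests and dropping their packets with a firewall rule, can be prototyped against ipfw(8) log output rather than by watching switch LEDs. The script below is an added example written for this page; it is not code from either poster and not part of FreeBSD. It assumes ipfw logging is turned on for a rule that matches ICMP on the inside interface (assumed here to be xl1), the FreeBSD 4.x-era syslog line format shown in the constructed sample, and thresholds sized for that small sample.

```python
"""Spot hosts flooding ICMP echo requests in FreeBSD ipfw(8) log output.

Added example for this thread; not the posters' code and not part of FreeBSD.
Assumes ipfw logging is enabled on a rule matching ICMP on the inside
interface (assumed to be xl1) and parses the 4.x-era syslog line format.
"""
import re
from collections import defaultdict

# Constructed sample of ipfw log lines: 192.168.10.17 behaves like an
# infected host (many echo requests to many addresses within one second),
# 192.168.10.42 is a single ordinary ping; an echo reply, a TCP line and an
# unrelated line are included to show what the parser ignores.
SAMPLE_LOG = """\
Aug 29 05:14:30 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.88 in via xl1
Aug 29 05:14:30 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.89 in via xl1
Aug 29 05:14:30 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.90 in via xl1
Aug 29 05:14:30 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.91 in via xl1
Aug 29 05:14:30 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.92 in via xl1
Aug 29 05:14:30 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.93 in via xl1
Aug 29 05:14:31 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.17 61.9.4.94 in via xl1
Aug 29 05:14:31 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.168.10.42 192.168.10.1 in via xl1
Aug 29 05:14:31 gw /kernel: ipfw: 100 Deny ICMP:0.0 10.0.0.1 192.168.10.42 in via xl0
Aug 29 05:14:31 gw /kernel: ipfw: 200 Accept TCP 192.168.10.5:1034 10.0.0.1:80 in via xl1
not an ipfw line at all
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)"
    r"(?::(?P<type>\d+)\.(?P<code>\d+))? "          # ICMP lines carry type.code
    r"(?P<src>[\d.]+(?::\d+)?) (?P<dst>[\d.]+(?::\d+)?) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"]) if rec["type"] is not None else None
    rec["code"] = int(rec["code"]) if rec["code"] is not None else None
    # Drop any TCP/UDP port so addresses compare the same across protocols.
    rec["src"] = rec["src"].split(":")[0]
    rec["dst"] = rec["dst"].split(":")[0]
    return rec


def storm_sources(log_text, pps_threshold=5, min_distinct_dst=5):
    """Return {src: {"peak_pps": n, "distinct_dst": m}} for hosts whose ICMP
    echo requests (type 8) reach pps_threshold in any single second or fan
    out to at least min_distinct_dst destinations, the pattern described
    in the thread."""
    per_second = defaultdict(lambda: defaultdict(int))  # src -> hh:mm:ss -> count
    destinations = defaultdict(set)                      # src -> set of dst
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "ICMP" or rec["type"] != 8:
            continue
        per_second[rec["src"]][rec["time"]] += 1
        destinations[rec["src"]].add(rec["dst"])
    flagged = {}
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        fanout = len(destinations[src])
        if peak >= pps_threshold or fanout >= min_distinct_dst:
            flagged[src] = {"peak_pps": peak, "distinct_dst": fanout}
    return flagged


def suggest_rule(src, iface="xl1", rule_number=50):
    """ipfw rule text that drops further echo requests from src on the
    inside interface (iface and rule_number are assumptions for this example)."""
    return f"ipfw add {rule_number} deny icmp from {src} to any icmptypes 8 in via {iface}"


if __name__ == "__main__":
    for src, stats in sorted(storm_sources(SAMPLE_LOG).items()):
        print(f"{src}: peak {stats['peak_pps']} echo req/s, "
              f"{stats['distinct_dst']} distinct destinations")
        print("  " + suggest_rule(src))
```

Feed it the gateway's ipfw log (on 4.x typically /var/log/security) and it names the inside hosts to hunt for, which replaces the walk to the switch room with a lookup in the ARP table or switch MAC table. One caveat that matters for the livelock James describes: an ipfw rule on the gateway drops the packets only after the interface has already taken the interrupt for them, so it bounds forwarding load but does not by itself stop the inside NIC from swamping the box; the polling question raised in the thread and pulling the offending cable are what relieve the receive side.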