Date: Thu, 28 Aug 2003 22:55:30 +0000 From: "James C. Durham" <durham@jcdurham.com> To: freebsd-questions@freebsd.org Subject: Nachi Worm apparently causes "Live Lock" on 4.7 server Message-ID: <200308282255.30730.durham@jcdurham.com>
next in thread | raw e-mail | index | archive | help
On 8/21, I noticed that internet connectity through our 4.7 FreeBSD gateway NAT box was getting REALLY slow. Checking with our T1 provider, there was only 128K of data stream (aprox) flowing out the T1. Ping times to the router on the external interface yielded times of up to 3 seconds! This box is a Dell 2350 server with one 500mhz Pent 3 and 512 mg ram. Running tcpdump on both the internal and external interfaces showed a very small number of ICMP packets flowing on either and virtually no IP. My first conclusion...wrong..was that I had a bad ethernet card. Pulled server/gateway box off line and replaced the card. No difference. It turned out that we had several Windows boxes in the building that had been infected with the Nachi worm. This causes some kind of DOS or ping probe out onto the internet and the local LAN. Removing the inside interface's ethernet cable caused the ping times on the outside interface to go back to the normal .4 milliseconds to the router. Apparently, the blast of packets coming from the infected boxes managed to cause a "live lock" condition in the server. I assume it was interrupt bound servicing the inside interface. The packets were ICMP requests to various addresses. At one point, I substituted a Dell 2650 with 1 gig interfaces and 2 1800 mg Xeons at the gateway addresses and it bound up also. Speed seems not to be the answer 8-( . My questions is.. what, if any, is a technique for preventing this condition? I know, fix the windows boxes, but I can't continually check the status of the virus software and patch level of the Windows boxes. There are 250 plus of them and one of me. Users won't install upgrades even when warned this worm thing was coming. But, i'd like to prevent loss of service when one of Bill's boxes goes nuts! The inside interface is the 'xl' driver on a 3Com 3C905. Can it be run in polling mode or given lower interrupt priority? BTW, it seems to only take about 3 infected windows boxes to bring things to a halt. -Jim
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200308282255.30730.durham>