Nachi Worm apparently causes "Live Lock" on 4.7 server

K Anderson freebsduser at comcast.net
Thu Aug 28 20:48:03 PDT 2003



James C. Durham wrote:
> On 8/21, I noticed that internet connectivity through our 4.7 FreeBSD gateway 
> NAT box was getting REALLY slow. Checking with our T1 provider, there was 
> only 128K of data stream (approx.) flowing out the T1. Ping times to the router 
> on the external interface yielded times of up to 3 seconds!
> 
> This box is a Dell 2350 server with one 500mhz Pent 3 and 512 mg ram.
> 
> Running tcpdump on both the internal and external interfaces showed a very 
> small number of ICMP packets flowing on either and virtually no IP.
> 
> My first conclusion...wrong..was that I had a bad ethernet card. Pulled 
> server/gateway box off line and replaced the card. No difference.
> 
> It turned out that we had several Windows boxes in the building that had been 
> infected with the Nachi worm. This causes some kind of DOS or ping probe out 
> onto the internet and the local LAN.
> 
> Removing the inside interface's ethernet cable caused the ping times on the 
> outside interface to go back to the normal .4 milliseconds to the router.
> 
> Apparently, the blast of packets coming from the infected boxes managed to 
> cause a "live lock" condition in the server. I assume it was interrupt bound 
> servicing the inside interface. The packets were ICMP requests to various 
> addresses.
> 
> At one point, I substituted a Dell 2650 with 1 gig interfaces and 2 1800 mg 
> Xeons at the gateway addresses and it bound up also. Speed seems not to be 
> the answer 8-( .
> 
> My question is... what, if any, is a technique for preventing this condition? 
> I know, fix the Windows boxes, but I can't continually check the status of 
> the virus software and patch level of the Windows boxes. There are 250 plus 
> of them and one of me. Users won't install upgrades even when warned this 
> worm thing was coming. But, I'd like to prevent loss of service when one of 
> Bill's boxes goes nuts!
> 
> The inside interface is the 'xl' driver on a 3Com 3C905. Can it be run in 
> polling mode or given lower interrupt priority?
> 
> BTW, it seems to only take about 3 infected windows boxes to bring things to a 
> halt.
> 
> -Jim
> 
Forget letting the users patch the systems; you already pointed out their 
lack of concern. Set Windows to automatically retrieve the updates (this 
might depend on the version of the OS) and install them. Next you can 
put personal firewalls (PF) on the systems preconfigured to only the 
applications you want to be able to get out on the internet.

If you don't want to go with the PF then watch for unusual activity over 
the network (let's say that anything after hours that causes things to 
get boggy and coming from a Windows machine) then create a rule that 
firewalls the activity so all doesn't get propagated to the wild. You 
can even have it email you this and then from there tunnel in to the 
network and shut down the machine(s) remotely.

As a side note: as the IT person, become more proactive in the 
administration of systems. Those CDW commercials may be silly to watch 
but they are absolutely true.

Oh, a final solution...unless a system needs to have Windows then get 
'em off of it.

HTH
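
Added example (not part of the original message or of any FreeBSD tool): one way to do the "watch for unusual activity, then create a rule" step from the reply, by flagging inside hosts that send ICMP echo requests to many distinct addresses in a short span of tcpdump output. It assumes the gateway filters with ipfw and that the inside network is 192.168.1.0/24; the thresholds, rule numbers and capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n lines for ICMP echo requests (older and newer output styles).
LINE = re.compile(
    r"^(\d+):(\d+):(\d+)\.\d+ (?:IP )?(\d+\.\d+\.\d+\.\d+) > "
    r"(\d+\.\d+\.\d+\.\d+): icmp:? echo request", re.IGNORECASE)

def find_sweepers(lines, inside_prefix="192.168.1.", window=10, max_targets=20):
    """Inside hosts that pinged more than max_targets distinct addresses
    within any span of `window` seconds (midnight rollover is ignored)."""
    seen = defaultdict(list)  # source -> [(second of day, destination)]
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4).startswith(inside_prefix):
            h, mi, s, src, dst = m.groups()
            seen[src].append((int(h) * 3600 + int(mi) * 60 + int(s), dst))
    flagged = []
    for src, events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans < window seconds.
            while events[end][0] - events[start][0] >= window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) > max_targets:
                flagged.append(src)
                break
    return sorted(flagged)

def ipfw_rules(hosts, iface="xl0", first_rule=500):
    """Drop echo requests from each flagged host at the inside interface.
    Rule numbers are placeholders; they must sort before any natd divert rule."""
    return [f"ipfw add {first_rule + i} deny icmp from {h} to any in via {iface} "
            "icmptypes 8" for i, h in enumerate(hosts)]

def sample_capture():
    """Constructed capture: a sweeper, a single-target monitor, a slow pinger."""
    lines = []
    for i in range(40):
        lines.append(f"20:48:{i // 20:02d}.{i:06d} 192.168.1.23 > "
                     f"198.51.100.{i + 1}: icmp: echo request")
        lines.append(f"20:48:{i:02d}.000000 IP 192.168.1.50 > 192.0.2.1: "
                     f"ICMP echo request, id 1, seq {i}, length 64")
    for i in range(30):
        lines.append(f"20:{i:02d}:00.000000 192.168.1.77 > "
                     f"203.0.113.{i + 1}: icmp: echo request")
    return lines

if __name__ == "__main__":
    for rule in ipfw_rules(find_sweepers(sample_capture())):
        print(rule)
```

Counting distinct destinations rather than raw packets keeps a host that pings one monitoring target all day from being blocked along with the worm-infected ones.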


