Nachi Worm apparently causes "Live Lock" on 4.7 server
pkdb1 at comcast.net
Thu Aug 28 21:23:58 PDT 2003
James C. Durham wrote:
> It turned out that we had several Windows boxes in the building that had been
> infected with the Nachi worm. This causes some kind of DOS or ping probe out
> onto the internet and the local LAN.
> Removing the inside interface's ethernet cable caused the ping times on the
> outside interface to go back to the normal .4 milliseconds to the router.
> Apparently, the blast of packets coming from the infected boxes managed to
> cause a "live lock" condition in the server. I assume it was interrupt bound
> servicing the inside interface. The packets were ICMP requests to various
I could be way off here, but is there any way to isolate machines
that send a sudden blast of packets, either by destination address
(make a firewall rule that drops those packets) or working out
their MAC addresses and dropping their connectivity? Or scan for
open ports and block unsecured systems from connecting?
> My question is.. what, if any, is a technique for preventing this condition?
> I know, fix the windows boxes, but I can't continually check the status of
> the virus software and patch level of the Windows boxes. There are 250 plus
> of them and one of me. Users won't install upgrades even when warned this
> worm thing was coming. But, I'd like to prevent loss of service when one of
> Bill's boxes goes nuts!
Where I work, at the University of Washington, the network staff
were dropping as many as 200 machines *per day* off the network.
If a machine was found to have an open RPC port (we run an open
network), that was enough to get your network access cut off.
I realize these are political solutions more than technical ones,
but they may be of some use.
whois -h whois.networksolutions.com ha=pb202
Satellite Safety Tip #14:
If you see a bright streak in the sky coming at you, duck.
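The reply above asks whether hosts that suddenly blast packets can be picked out and cut off with a firewall rule. The script below is an added illustration of that idea, not code from the original thread or from FreeBSD. It parses ipfw log lines in the syslog format of the day (the exact line layout is an assumption here, and the sample lines are constructed), finds sources whose inbound ICMP echo requests exceed a threshold inside a short sliding window, and emits `ipfw` deny rules for them. The interface name `fxp0`, the rule numbers and the thresholds are all assumed values.

```python
import re
from collections import defaultdict

# Assumed ipfw syslog line layout, e.g.
# "Aug 28 21:23:58 gw /kernel: ipfw: 100 Accept ICMP:8.0 192.168.1.50 10.0.0.1 in via fxp0"
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) \S+ \S+ "
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? (?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Return a dict with seconds-of-day, protocol, src, dst, dir, iface; None if not an ipfw line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
    return {"t": t, "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dir": m["dir"], "iface": m["iface"]}


def find_echo_bursts(lines, window=2, threshold=20):
    """Flag sources whose inbound ICMP echo requests (type 8, code 0) hit
    `threshold` packets within any `window`-second span.  Returns
    {src: {"peak": packets_in_busiest_window, "targets": distinct_destinations}}."""
    times = defaultdict(list)
    dsts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "ICMP:8.0" or rec["dir"] != "in":
            continue
        times[rec["src"]].append(rec["t"])
        dsts[rec["src"]].add(rec["dst"])

    offenders = {}
    for src, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end, t in enumerate(ts):          # two-pointer sliding window
            while t - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[src] = {"peak": peak, "targets": len(dsts[src])}
    return offenders


def block_rules(offenders, iface="fxp0", base=1000):
    """Build ipfw rules that drop further echo requests from each offender
    on the inside interface (rule numbers and interface are assumed)."""
    return ["ipfw add %d deny icmp from %s to any icmptypes 8 in via %s" % (base + i, src, iface)
            for i, src in enumerate(sorted(offenders))]


def _fmt(t):
    h, rem = divmod(t, 3600)
    m, s = divmod(rem, 60)
    return "%02d:%02d:%02d" % (h, m, s)


def build_sample():
    """Constructed log sample: one healthy host, one mildly chatty host and
    one host sweeping 60 addresses in about a second, plus unrelated TCP lines."""
    base = 21 * 3600 + 23 * 60 + 58
    lines = []

    def icmp(src, dst, t):
        lines.append("Aug 28 %s gw /kernel: ipfw: 100 Accept ICMP:8.0 %s %s in via fxp0"
                     % (_fmt(t), src, dst))

    for i in range(5):                        # healthy host: 5 pings over 10 s
        icmp("192.168.1.10", "10.0.0.1", base + 2 * i)
    for i in range(15):                       # chatty but below threshold: 15 in 3 s
        icmp("192.168.1.77", "10.0.0.%d" % (i + 1), base + 5 + i // 5)
    for i in range(60):                       # sweep: 60 different targets in ~1 s
        icmp("192.168.1.50", "172.16.0.%d" % (i + 1), base + i // 30)
    lines.append("Aug 28 21:24:00 gw /kernel: ipfw: 200 Deny TCP 192.168.1.50:1034 10.0.0.1:135 in via fxp0")
    lines.append("Aug 28 21:24:01 gw /kernel: ipfw: 300 Accept UDP 192.168.1.10:53 10.0.0.2:53 out via fxp1")
    return lines


if __name__ == "__main__":
    offenders = find_echo_bursts(build_sample())
    for src, info in offenders.items():
        print("%s: %d echo requests in window, %d distinct targets" % (src, info["peak"], info["targets"]))
    for rule in block_rules(offenders):
        print(rule)
```

The two signals together, a high packet rate and many distinct destinations, are what separate a sweeping host from a machine that is merely pinging one gateway hard; a real deployment would feed the script from the log file or a syslog pipe and apply the generated rules, after which the affected box can be tracked down by its ARP entry on the switch.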