Nachi Worm apparently causes "Live Lock" on 4.7 server

Matthew Emmerton matt at
Thu Aug 28 21:32:51 PDT 2003

> James C. Durham wrote:
> >
> > It turned out that we had several Windows boxes in the building that had
> > infected with the Nachi worm. This causes some kind of DOS or ping probe
> > onto the internet and the local LAN.
> >
> > Removing the inside interface's ethernet cable caused the ping times on
> > outside interface to go back to the normal .4 milliseconds to the
> >
> > Apparently, the blast of packets coming from the infected boxes managed
> > cause a "live lock" condition in the server. I assume it was interrupt
> > servicing the inside interface. The packets were ICMP requests to
> > addresses.
> I could be way off here, but is there any way to isolate machines
> that send a sudden blast of packets, either by destination address
> (make a firewall rule that drops those packets) or working out
> their MAC addresses and dropping their connectivity? Or scan for
> open ports and block unsecured systems from connecting?
> >
> > My question is.. what, if any, is a technique for preventing this
> > I know, fix the windows boxes, but I can't continually check the status
> > the virus software and patch level of the Windows boxes. There are 250
> > of them and one of me. Users won't install upgrades even when warned
> > worm thing was coming. But, I'd like to prevent loss of service when one
> > Bill's boxes goes nuts!
> Where I work, at the University of Washington, the network staff
> were dropping as many as 200 machines *per day* off the network.
> If a machine was found to have an open RPC port (we run an open
> network), that was enough to get your network access cut off.
> I realize these are political solutions more than technical ones,
> but they may be of some use.

They were doing the same thing at the IBM location where I work.  It's
brutal if you are in the middle of something, but it's the only way to keep
the latest breed of MS virii/worms/whatever from spreading.

Matt Emmerton
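
Added example, not part of the original thread or written by any of its posters: one way to find the inside hosts that are sending a sudden blast of ICMP echo requests, so they can be isolated by a firewall rule as the quoted reply suggests. The tcpdump-style input format, the thresholds, the sample addresses and all function names are assumptions, and the generated ipfw rules are candidates for an operator to review.

```python
import re
from collections import defaultdict, deque

# Matches tcpdump-style text output for ICMP echo requests (assumed input format).
LINE_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+?): ICMP echo request")

def parse(line):
    """Return (seconds_since_midnight, src, dst), or None for any other traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, dst = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, dst

def find_scanners(lines, window=1.0, max_requests=50, max_targets=20):
    """Map each source that exceeds both limits inside one sliding window
    to its peak (requests, distinct targets). Thresholds are assumptions."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still in the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst = rec
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # expire entries older than the window
            q.popleft()
        targets = len({d for _, d in q})
        if len(q) > max_requests and targets > max_targets:
            peak = flagged.get(src, (0, 0))
            flagged[src] = (max(peak[0], len(q)), max(peak[1], targets))
    return flagged

def block_rules(flagged):
    """Candidate ipfw rules for an operator to review before applying."""
    return [f"ipfw add deny icmp from {src} to any icmptypes 8" for src in sorted(flagged)]

def sample_capture():
    """Constructed capture: one sweeping host, one host pinging its gateway."""
    lines = [f"21:30:01.{i * 5000:06d} IP 192.168.1.23 > 192.168.7.{i + 1}: "
             f"ICMP echo request, id 512, seq {i}, length 72" for i in range(200)]
    lines += [f"21:30:0{i}.500000 IP 192.168.1.40 > 192.168.1.1: "
              f"ICMP echo request, id 7, seq {i}, length 64" for i in range(5)]
    lines.append("21:30:01.600000 IP 192.168.1.1 > 192.168.1.40: ICMP echo reply, id 7, seq 1, length 64")
    return sorted(lines)

if __name__ == "__main__":
    for rule in block_rules(find_scanners(sample_capture())):
        print(rule)
```

Requiring both a high request count and many distinct targets keeps an ordinary ping to a single gateway from being flagged.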

More information about the freebsd-questions mailing list