Nachi Worm apparently causes "Live Lock" on 4.7 server

paul beard paulbeard at
Thu Aug 28 22:14:36 PDT 2003

James C. Durham wrote:
> On Friday 29 August 2003 04:23 am, paul wrote:
>>James C. Durham wrote:
>>>It turned out that we had several Windows boxes in the building that had
>>>been infected with the Nachi worm. This causes some kind of DOS or ping
>>>probe out onto the internet and the local LAN.
>>>Removing the inside interface's ethernet cable caused the ping times on
>>>the outside interface to go back to the normal .4 milliseconds to the
>>>Apparently, the blast of packets coming from the infected boxes managed
>>>to cause a "live lock" condition in the server. I assume it was interrupt
>>>bound servicing the inside interface. The packets were ICMP requests to
>>>various addresses.
>>I could be way off here, but is there any way to isolate machines
>>that send a sudden blast of packets, either by destination address
>>(make a firewall rule that drops those packets) or working out
>>their MAC addresses and dropping their connectivity? Or scan for
>>open ports and block unsecured systems from connecting?
> What I did was go in the switch room and look for pulsing lights on the switch 
> ports and pull the cables. That fixed it, but after much agony.

well, that's a bit draconian, but effective ;-)

>>>My questions is.. what, if any, is a technique for preventing this
>>>condition? I know, fix the windows boxes, but  I can't continually check
>>>the status of the virus software and patch level of the Windows boxes.
>>>There are 250 plus of them and one of me. Users won't install upgrades
>>>even when warned this worm thing was coming. But, i'd like to prevent
>>>loss of service when one of Bill's boxes goes nuts!
>>Where I work, at the University of Washington, the network staff
>>were dropping as many as 200 machines *per day* off the network.
>>If a machine was found to have an open RPC port (we run an open
>>network), that was enough to get your network access cut off.
>>I realize these are political solutions more than technical ones,
>>but they may be of some use.
> The trouble with that is that my users are largely untechnical and wouldn't 
> have a clue what RPC is and cutting them off is not an option. Welcome to the 
> world of corporate IT! It ain't a pretty job, but it pays the bills...

been there, done that, the bruises have gone down now . . .

One guy to 250 users is a bad ratio.

It seems like there should be some centralized, ie, rule-based 
controls you can put in place. And you should have some leverage 
to force autoupdates on those client machines.

> I got the impression from some reading on Google Groups that there may be a 
> way to tell the xl driver to use polling. I just don't know how.

Well, this is the right place to ask.

Paul Beard
whois -h ha=pb202

Receiving a million dollars tax free will make you feel better than
being flat broke and having a stomach ache.
		-- Dolph Sharp, "I'm O.K., You're Not So Hot"

More information about the freebsd-questions mailing list