Another good answer Jim. Thanks. We have over 3200 machines on our WAN. It has been impossible to keep EVERY single machine patched and updated. So, I implemented a rule on our IDS that flags NACHI and then we go and beat the machine down. We get about one new case a week now. Sometimes no new cases.

Shane

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 19, 2003 10:32 PM
Subject: [isalist] RE: Nachi

> http://www.ISAserver.org
>
> Ok, kids; quicherbichin' or I'll turn this alias around and no one will get any McDonalds tonight..!
>
> Actually, you're both right:
> 1. DoS is exactly that; misuse a perfectly valid traffic profile to prevent use of the server; Nachi is built to do this and it succeeds in grand fashion because ISA is trying to process the traffic.
>
> 2. ISA has one big flaw that Nachi, Blaster and other viruses / worms have taken advantage of; it considers the internal network as fully trusted. This has been rethought for the future release, but it can't be changed for ISA2000.
>
> What's the right answer?
> Try this to help your ISA withstand the jackasses that can't keep their laptops clean:
>
> http://support.microsoft.com/default.aspx?scid=283213
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
> On Wed, 19 Nov 2003 18:06:12 -0800
> "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
> http://www.ISAserver.org
>
> Denying outbound ICMP is that, a rule to deny it from leaving ISA. It will
> still receive the request and process it, during which it sees it is not
> allowed and blocked.
>
> Do you understand what a Denial Of Service is? It is sending thousands of
> requests per second. If you were to have a network monitor on the wire
> during that time checking bandwidth used, you would have seen saturation.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> -----Original Message-----
> From: Phill Hardstaff [mailto:phillh@xxxxxxx]
> Sent: Wednesday, November 19, 2003 5:52 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nachi
>
> http://www.ISAserver.org
>
> OK, but I think my question is still valid, 2 infected boxes over a 128Kb
> link can bring ISA to its knees :) Sorry, but like I said, if it was a lot
> of boxes on its 100Mb interface I could understand it. As for the next post
> about keeping AV up to date, well, this was a consultant's machine that
> someone just plugged onto our network without asking, not much you can do
> about that. You can tell people as much as you like not to but they can
> still do it, it was an XP box with no patches or SP. All our machines are up to
> date and we use SUS, what else am I supposed to do :)
>
> Anyway, I am still sorting it out but after putting in this registry entry
> http://support.microsoft.com/default.aspx?scid=kb;en-us;283213 for Blocking
> and Logging Outbound ICMP Traffic outlined here and rebooting it seems to
> handle it a bit better, but I still don't understand what this registry
> entry does that the deny ICMP out doesn't do ?
>
> Cheers
>
> Phill
>
> _____
>
> From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, 20 November 2003 8:33 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nachi
>
> http://www.ISAserver.org
>
> It is ICMP. Just because you are blocking it outbound does not stop the
> infected computer from trying to go out. Ever hear of DoS? This is what it
> is doing.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> -----Original Message-----
> From: Phill Hardstaff [mailto:phillh@xxxxxxx]
> Sent: Wednesday, November 19, 2003 1:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Nachi
>
> http://www.ISAserver.org
>
> Can anyone tell me why the Nachi worm brings my ISA firewall to its knees?
> I have ICMP disabled outgoing but as soon as I get a machine behind the
> firewall with Nachi on it the firewall service goes to 100%, the server
> looks like it's dead but it's not, disconnect the internal NIC and it comes
> back to life straight away, even if I disable my DNS server (behind the
> firewall) it still stays at 100%, so it's not ICMP and it's not DNS, so what
> is it and more importantly how come ISA chokes on it so easily ?
>
> I could understand ISA choking on 100 Nachi boxes on a 100Mb internal link
> but yesterday I had 2 infected machines behind the firewall connected over a
> 128Kb link taking the firewall service to 100% ?? I have even turned off
> logging and anything else that might use up CPU, still the same happens. I
> am seriously considering changing firewalls.
>
> Cheers
>
> Phill
>
> Phill Hardstaff
> MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc.
> Senior Support Engineer
> Secretariat of the Pacific Community
> B.P. D5
> Noumea Cedex - 98848
> New Caledonia
>
> Phone +687-260141
> Mobile +687 838091
> Fax +687-263818
> Email phillh@xxxxxxx
> SPC Web Page http://www.spc.int/
> Personal Web Page http://www.hardstaff.com/
> Personal Email Phill@xxxxxxxxxxxxx
> Personal Fax +1 (603) 299-5640
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
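Shane mentions an IDS rule that flags Nachi but does not show it, and John's point that ISA still processes every denied ICMP packet means the firewall log is exactly where the infected host shows up. As an added example, written for this thread and not from any poster or from ISA itself, the Python below works the way such a rule would: it parses ICMP log lines (a constructed sample in an assumed simple format, not ISA's real log layout) and flags any source whose echo requests fan out to many distinct destinations within a short window, which separates a worm's address sweep from an ordinary ping. The window and target thresholds are assumptions to tune for your own network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any poster's firewall) in an assumed
# format: "<date> <time> <src> -> <dst> ICMP type=<n> <action>".
SAMPLE_LOG = """\
2003-11-19 17:52:01 10.0.5.23 -> 10.0.1.1 ICMP type=8 DENY
2003-11-19 17:52:01 10.0.5.23 -> 10.0.1.2 ICMP type=8 DENY
2003-11-19 17:52:01 10.0.5.23 -> 10.0.1.3 ICMP type=8 DENY
2003-11-19 17:52:01 10.0.5.23 -> 10.0.1.4 ICMP type=8 DENY
2003-11-19 17:52:02 10.0.5.23 -> 10.0.1.5 ICMP type=8 DENY
2003-11-19 17:52:02 10.0.5.23 -> 10.0.1.6 ICMP type=8 DENY
2003-11-19 17:52:02 10.0.7.9 -> 192.0.2.10 ICMP type=8 ALLOW
2003-11-19 17:52:03 10.0.7.9 -> 192.0.2.10 ICMP type=8 ALLOW
2003-11-19 17:52:04 10.0.5.23 -> 10.0.1.7 ICMP type=8 DENY
2003-11-19 17:52:04 10.0.5.23 -> 10.0.1.8 ICMP type=8 DENY
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>\S+) "
                     r"ICMP type=(?P<type>\d+) (?P<action>\w+)$")

def parse(log_text):
    """Yield (timestamp, src, dst) for ICMP echo requests (type 8) only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["type"]) != 8:
            continue  # other formats or non-echo ICMP are irrelevant to a sweep
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"]

def find_sweepers(log_text, window_s=5, min_targets=8):
    """Return {src: peak distinct targets} for sources that pinged at least
    min_targets distinct hosts within any window_s-second window. A worm sweep
    fans out across many addresses; a normal ping repeats one destination."""
    by_src = defaultdict(list)
    for ts, src, dst in parse(log_text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged
```

On the sample, only 10.0.5.23 is flagged; 10.0.7.9 pinging one host repeatedly is left alone, which is the distinction a volume-only rule would miss.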