RE: Nachi

  • From: "shane mullins" <tsmullins@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Nov 2003 08:42:34 -0500

Another good answer Jim.  Thanks.  We have over 3200 machines on our WAN.
It has been impossible to keep EVERY single machine patched and updated.
So, I implemented a rule on our IDS that flags NACHI and then we go and beat
the machine down.  We get about one new case a week now. Sometimes no new
cases.

Shane



----- Original Message ----- 
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 19, 2003 10:32 PM
Subject: [isalist] RE: Nachi


> http://www.ISAserver.org
>
> Ok, kids; quicherbichin' or I'll turn this alias around and no one will
> get any McDonalds tonight..!
>
> Actually, you're both right:
> 1. DoS is exactly that; misuse a perfectly valid traffic profile to
> prevent use of the server; Nachi is built to do this and it succeeds in
> grand fashion because ISA is trying to process the traffic.
>
> 2. ISA has one big flaw that Nachi, Blaster and other viruses / worms have
> taken advantage of; it considers the internal network as fully trusted.
> This has been rethought for the future release, but it can't be changed for
> ISA2000.
>
> What's the right answer?
> Try this to help your ISA withstand the jackasses that can't keep their
> laptops clean:
>
> http://support.microsoft.com/default.aspx?scid=283213
>
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
>
>
> On Wed, 19 Nov 2003 18:06:12 -0800
>  "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Denying outbound ICMP is that: a rule to deny it from leaving ISA. It will
> still receive the request and process it, during which it sees it is not
> allowed and blocks it.
>
> Do you understand what a Denial Of Service is? It is sending thousands of
> requests per second. If you were to have a network monitor on the wire
> during that time checking bandwidth used, you would have seen saturation.
>
> John Tolmachoff
>
> Engineer/Consultant/Owner
>
> eServices For You
>
> -----Original Message-----
> From: Phill Hardstaff [mailto:phillh@xxxxxxx]
> Sent: Wednesday, November 19, 2003 5:52 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nachi
>
> OK, but I think my question is still valid, 2 infected boxes over a 128Kb
> link can bring ISA to its knees :) Sorry, but like I said, if it was a lot
> of boxes on its 100Mb interface I could understand it. As for the next post
> about keeping AV up to date, well, this was a consultant's machine that
> someone just plugged onto our network without asking, not much you can do
> about that. You can tell people as much as you like not to but they can
> still do it, it was an XP box with no patches or SP. All our machines are up
> to date and we use SUS, what else am I supposed to do :)
>
> Anyway, I am still sorting it out but after putting in this registry entry
> http://support.microsoft.com/default.aspx?scid=kb;en-us;283213 for Blocking
> and Logging Outbound ICMP Traffic outlined here and rebooting it seems to
> handle it a bit better, but I still don't understand what this registry
> entry does that the deny ICMP out doesn't do ?
>
> Cheers
>
> Phill
>
> From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, 20 November 2003 8:33 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Nachi
>
> It is ICMP. Just because you are blocking it outbound does not stop the
> infected computer from trying to go out. Ever hear of DoS? This is what it
> is doing.
>
> John Tolmachoff
>
> Engineer/Consultant/Owner
>
> eServices For You
>
> -----Original Message-----
> From: Phill Hardstaff [mailto:phillh@xxxxxxx]
> Sent: Wednesday, November 19, 2003 1:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Nachi
>
> Can anyone tell me why the Nachi worm brings my ISA firewall to its knees?
> I have ICMP disabled outgoing but as soon as I get a machine behind the
> firewall with Nachi on it the firewall service goes to 100%, the server
> looks like it's dead but it's not, disconnect the internal NIC and it comes
> back to life straight away, even if I disable my DNS server (behind the
> firewall) it still stays at 100%, so it's not ICMP and it's not DNS, so what
> is it and more importantly how come ISA chokes on it so easily ?
>
> I could understand ISA choking on 100 Nachi boxes on a 100Mb internal link
> but yesterday I had 2 infected machines behind the firewall connected over a
> 128Kb link taking the firewall service to 100% ?? I have even turned off
> logging and anything else that might use up CPU, still the same happens. I
> am seriously considering changing firewalls.
>
> Cheers
>
> Phill
>
> Phill Hardstaff
> MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc.
> Senior Support Engineer
> Secretariat of the Pacific Community
> B.P. D5
> Noumea Cedex - 98848
> New Caledonia
>
> Phone +687-260141
> Mobile +687 838091
> Fax +687-263818
> Email phillh@xxxxxxx
> SPC Web Page http://www.spc.int/
> Personal Web Page http://www.hardstaff.com/
> Personal Email Phill@xxxxxxxxxxxxx
> Personal Fax +1 (603) 299-5640
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
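Shane's IDS rule above, and Jim's point that ISA still has to process every packet even when a deny rule blocks it, both argue for spotting the infected host itself rather than absorbing its traffic at the firewall. As an added example, not part of any post in this thread and not ISA Server's own logging format (the line layout below is an assumption), this Python detector reads firewall log lines and flags any internal host that sends ICMP echo requests to many distinct destinations in a short window, the sweep pattern a Nachi-infected machine produces:

```python
from collections import defaultdict
from datetime import datetime


def sample_log():
    """Constructed sample log (not ISA Server's real log format, an assumption
    for this example): one internal host sweeping 30 addresses with ICMP echo
    requests in two seconds, one host pinging its gateway normally, and a
    non-ICMP line that the detector must ignore."""
    lines = []
    for i in range(30):
        lines.append(f"2003-11-19T17:50:0{i % 2} 10.1.2.15 "
                     f"10.1.{3 + i // 10}.{1 + i % 10} icmp 8")
    for s in range(5):
        lines.append(f"2003-11-19T17:50:{s:02d} 10.1.2.20 10.1.2.1 icmp 8")
    lines.append("2003-11-19T17:50:03 10.1.2.20 10.1.2.5 udp 53")
    return "\n".join(lines)


def find_icmp_sweepers(log_text, min_targets=20, window_s=10):
    """Return {source: peak distinct echo-request targets} for every source
    that sent ICMP echo requests (type 8) to at least min_targets distinct
    hosts within any window_s-second window. Fields per line (constructed
    format): timestamp source destination protocol type-or-port."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "icmp" or fields[4] != "8":
            continue  # only outbound echo requests matter here
        probes[fields[1]].append((datetime.fromisoformat(fields[0]), fields[2]))

    flagged = {}
    for src, events in probes.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, targets in find_icmp_sweepers(sample_log()).items():
        print(f"{host}: probed {targets} distinct hosts, likely Nachi-style sweep")
```

A host that only pings its gateway repeatedly is not flagged, because the rule keys on distinct destinations rather than raw packet count; tune `min_targets` and `window_s` to the size of your subnets.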