RE: Nachi

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Nov 2003 05:53:04 -0800

ubechaubet!

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Wed, 19 Nov 2003 22:07:57 -0600
 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Dude,

Future release AKA http://www.microsoft.com/isaserver/beta/default.asp

:-)

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Wednesday, November 19, 2003 9:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi


http://www.ISAserver.org

Ok, kids; quicherbichin' or I'll turn this alias around and no one will
get any McDonalds tonight..!

Actually, you're both right:
1. DoS is exactly that; misuse a perfectly valid traffic profile to
prevent use of the server; Nachi is built to do this and it succeeds in
grand fashion because ISA is trying to process the traffic.

2. ISA has one big flaw that Nachi, Blaster and other viruses / worms
have taken advantage of; it considers the internal network as fully
trusted.  This has been rethought for the future release, but it can't
be changed for ISA2000.

What's the right answer?
Try this to help your ISA withstand the jackasses that can't keep their
laptops clean:

http://support.microsoft.com/default.aspx?scid=283213

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
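An added example, not from the list thread: a small Python check for the situation Jim describes, finding which internal host is generating the Nachi-style ICMP echo-request sweep so it can be pulled off the wire instead of leaving ISA to process every packet before denying it. The log layout (date, time, source, destination, protocol, ICMP type, code) is a constructed simplification, not the ISA 2000 log format, and the per-second threshold is an assumption.

```python
"""Flag internal hosts sweeping the network with ICMP echo requests.

Constructed log layout: "<date> <time> <src> <dst> ICMP <type> <code>".
A real ISA 2000 packet-filter log carries more fields; the counting
logic is the same once src, dst, protocol and ICMP type are extracted.
"""
from collections import defaultdict
from datetime import datetime

ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request, the probe a Nachi sweep sends


def build_sample_log():
    """Constructed sample: 10.1.1.50 probes 40 neighbours within one second
    (worm-like sweep); 10.1.1.7 pings its gateway once and gets a reply."""
    lines = [f"2003-11-19 13:16:00 10.1.1.50 10.1.2.{i} ICMP 8 0"
             for i in range(1, 41)]
    lines.append("2003-11-19 13:16:00 10.1.1.7 10.1.1.1 ICMP 8 0")
    lines.append("2003-11-19 13:16:01 10.1.1.1 10.1.1.7 ICMP 0 0")  # echo reply
    return lines


def parse(line):
    """Split one constructed log line into (timestamp, src, dst, proto, icmp_type)."""
    date, time, src, dst, proto, itype, _code = line.split()
    return datetime.fromisoformat(f"{date} {time}"), src, dst, proto, int(itype)


def find_icmp_sweepers(lines, max_targets_per_sec=20):
    """Return {src: peak distinct echo-request targets in any one second}
    for every source whose peak exceeds max_targets_per_sec (assumed threshold).
    Counting distinct destinations, not raw packets, separates a host sweeping
    the subnet from a host repeatedly pinging one address."""
    targets = defaultdict(set)  # (src, second) -> set of destinations
    for line in lines:
        ts, src, dst, proto, itype = parse(line)
        if proto == "ICMP" and itype == ICMP_ECHO_REQUEST:
            targets[(src, ts.replace(microsecond=0))].add(dst)
    peak = defaultdict(int)
    for (src, _second), dsts in targets.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n > max_targets_per_sec}


if __name__ == "__main__":
    for src, n in find_icmp_sweepers(build_sample_log()).items():
        print(f"{src}: {n} distinct echo-request targets in one second")
```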


On Wed, 19 Nov 2003 18:06:12 -0800
 "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Denying outbound ICMP is that, a rule to deny it from leaving ISA. It
will still receive the request and process it, during which it sees it is not
allowed and blocked.

Do you understand what a Denial Of Service is? It is sending thousands
of requests per second. If you were to have a network monitor on the wire
during that time checking bandwidth used, you would have seen
saturation.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx] 
Sent: Wednesday, November 19, 2003 5:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

 

http://www.ISAserver.org

OK, but I think my question is still valid, 2 infected boxes over a
128Kb link can bring ISA to its knees :) Sorry, but like I said, if it was a
lot of boxes on its 100Mb interface I could understand it. As for the next
post about keeping AV up to date, well, this was a consultant's machine that
someone just plugged onto our network without asking, not much you can
do about that. You can tell people as much as you like not to but they can
still do it, it was an XP box with no patches or SP. All our machines are
up to date and we use SUS, what else am I supposed to do :)

 

Anyway, I am still sorting it out but after putting in this registry
entry for Blocking and Logging Outbound ICMP Traffic outlined here
(http://support.microsoft.com/default.aspx?scid=kb;en-us;283213) and
rebooting it seems to handle it a bit better, but I still don't understand
what this registry entry does that the deny ICMP out doesn't do ?

 

Cheers

 

Phill

 

  _____  

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, 20 November 2003 8:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

http://www.ISAserver.org

It is ICMP. Just because you are blocking it outbound does not stop the
infected computer from trying to go out. Ever hear of DoS? This is what
it is doing.

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx] 
Sent: Wednesday, November 19, 2003 1:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Nachi

 

http://www.ISAserver.org

Can anyone tell me why the Nachi worm brings my ISA firewall to its
knees, I have ICMP disabled outgoing but as soon as I get a machine behind the
firewall with Nachi on it the firewall service goes to 100%, the server
looks like it's dead but it's not, disconnect the internal NIC and it
comes back to life straight away, even if I disable my DNS server (behind the
firewall) it still stays at 100%, so it's not ICMP and it's not DNS, so
what is it and more importantly how come ISA chokes on it so easily ?

I could understand ISA choking on 100 Nachi boxes on a 100Mb internal
link but yesterday I had 2 infected machines behind the firewall connected
over a 128Kb link taking the firewall service to 100% ?? I have even turned off
logging and anything else that might use up CPU, still the same happens.
I am seriously considering changing firewalls.

Cheers 

Phill 

Phill Hardstaff 
MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc. 
Senior Support Engineer 
Secretariat of the Pacific Community 
B.P. D5 
Noumea Cedex - 98848 
New Caledonia 

Phone +687-260141 
Mobile +687 838091 
Fax +687-263818 
Email phillh@xxxxxxx 
SPC Web Page http://www.spc.int/ 
Personal Web Page http://www.hardstaff.com/ 
Personal Email Phill@xxxxxxxxxxxxx 
Personal Fax +1 (603) 299-5640 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003
  

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*