RE: Nachi

  • From: "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 19 Nov 2003 14:25:17 -0800

I had the same problem.  We only had 3 infected boxes and ISA completely 
crumbled under the ICMP load.  To make matters worse, because of the lack of 
any realtime information that ISA gives about what is going in and out, 
we had to use network monitor to figure out which internal machines were 
actually infected.  ISA's logs kept showing the ICMP traffic as originating on 
its own interface and would not show the IP of where the ICMP traffic was 
originating from inside our LAN.  It was most frustrating.

I feel your pain.
  ----- Original Message ----- 
  From: John Tolmachoff (Lists) 
  To: [ISAserver.org Discussion List] 
  Sent: Wednesday, November 19, 2003 1:33 PM
  Subject: [isalist] RE: Nachi



  It is ICMP. Just because you are blocking it outbound does not stop the 
infected computer from trying to go out. Ever hear of DOS? This is what it is 
doing.

  John Tolmachoff

  Engineer/Consultant/Owner

  eServices For You



  -----Original Message-----
  From: Phill Hardstaff [mailto:phillh@xxxxxxx] 
  Sent: Wednesday, November 19, 2003 1:16 PM
  To: [ISAserver.org Discussion List]
  Subject: [isalist] Nachi




  Can anyone tell me why the Nachi worm brings my ISA firewall to its knees? I 
have ICMP disabled outgoing, but as soon as I get a machine behind the firewall 
with Nachi on it the firewall service goes to 100%. The server looks like it's 
dead but it's not; disconnect the internal NIC and it comes back to life 
straight away. Even if I disable my DNS server (behind the firewall) it still 
stays at 100%, so it's not ICMP and it's not DNS, so what is it and, more 
importantly, how come ISA chokes on it so easily?

  I could understand ISA choking on 100 Nachi boxes on a 100Mb internal link 
but yesterday I had 2 infected machines behind the firewall connected over a 
128Kb link taking the firewall service to 100% ?? I have even turned off 
logging and anything else that might use up CPU, still the same happens. I am 
seriously considering changing firewalls.

  Cheers 

  Phill 

  Phill Hardstaff 
  MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc. 
  Senior Support Engineer 
  Secretariat of the Pacific Community 
  B.P. D5 
  Noumea Cedex - 98848 
  New Caledonia 

  Phone +687-260141 
  Mobile +687 838091 
  Fax +687-263818 
  Email phillh@xxxxxxx 
  SPC Web Page http://www.spc.int/ 
  Personal Web Page http://www.hardstaff.com/ 
  Personal Email Phill@xxxxxxxxxxxxx 
  Personal Fax +1 (603) 299-5640 

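The first message in this thread describes falling back to a Network Monitor capture to find which LAN hosts were generating the ICMP load. As an added example (not code from any poster in this thread), the sketch below does that triage over raw IPv4 packets by counting the distinct destinations each internal source sends echo requests to. The packets, addresses, LAN prefix, threshold and function names are all constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_PROTO, ECHO_REQUEST = 1, 8

def build_echo(src, dst, icmp_type=ECHO_REQUEST):
    """Build a constructed IPv4/ICMP test packet (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * 32
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128,
                     ICMP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp

def parse_echo_request(pkt):
    """Return (src, dst) if pkt is an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != ICMP_PROTO:
        return None
    if pkt[ihl] != ECHO_REQUEST:         # first ICMP byte is the type
        return None
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])

def find_sweepers(packets, lan, min_targets=20):
    """Return {internal source: distinct hosts pinged} for sources at or
    above min_targets. Counting distinct destinations separates a sweep
    from a host that pings one gateway repeatedly."""
    net = ipaddress.ip_network(lan)
    targets = defaultdict(set)
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed and parsed[0] in net:
            targets[parsed[0]].add(parsed[1])
    return {str(s): len(d) for s, d in targets.items() if len(d) >= min_targets}

def sample_capture():
    """Constructed capture: two sweeping hosts, one benign pinger, one reply."""
    pkts = [build_echo("192.168.1.23", f"10.7.{i // 256}.{i % 256}") for i in range(300)]
    pkts += [build_echo("192.168.1.57", f"172.20.3.{i}") for i in range(1, 251)]
    pkts += [build_echo("192.168.1.40", "192.168.1.1") for _ in range(500)]
    pkts.append(build_echo("192.168.1.1", "192.168.1.40", icmp_type=0))
    return pkts

if __name__ == "__main__":
    for host, count in sorted(find_sweepers(sample_capture(), "192.168.1.0/24").items()):
        print(f"{host} pinged {count} distinct hosts")
```

The capture has to be taken on the internal segment, since the thread reports that the firewall's own logs attributed the traffic to its own interface.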
