Ok, kids; quicherbichin' or I'll turn this alias around and no one will get any McDonalds tonight..!

Actually, you're both right:

1. DoS is exactly that; misuse a perfectly valid traffic profile to prevent use of the server. Nachi is built to do this and it succeeds in grand fashion because ISA is trying to process the traffic.

2. ISA has one big flaw that Nachi, Blaster and other viruses / worms have taken advantage of; it considers the internal network as fully trusted. This has been rethought for the future release, but it can't be changed for ISA2000.

What's the right answer? Try this to help your ISA withstand the jackasses that can't keep their laptops clean: http://support.microsoft.com/default.aspx?scid=283213

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Wed, 19 Nov 2003 18:06:12 -0800 "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:

http://www.ISAserver.org

Denying outbound ICMP is that, a rule to deny it from leaving ISA. It will still receive the request and process it, during which it sees it is not allowed and blocked. Do you understand what a Denial Of Service is? It is sending thousands of requests per second. If you were to have a network monitor on the wire during that time checking bandwidth used, you would have seen saturation.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx]
Sent: Wednesday, November 19, 2003 5:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

http://www.ISAserver.org

OK, but I think my question is still valid: 2 infected boxes over a 128Kb link can bring ISA to its knees :) Sorry, but like I said, if it was a lot of boxes on its 100Mb interface I could understand it.

As for the next post about keeping AV up to date, well, this was a consultant's machine that someone just plugged onto our network without asking; not much you can do about that. You can tell people as much as you like not to, but they can still do it. It was an XP box with no patches or SP. All our machines are up to date and we use SUS; what else am I supposed to do :)

Anyway, I am still sorting it out, but after putting in this registry entry for Blocking and Logging Outbound ICMP Traffic outlined here <http://support.microsoft.com/default.aspx?scid=kb;en-us;283213> and rebooting, it seems to handle it a bit better, but I still don't understand what this registry entry does that the deny ICMP out doesn't do?

Cheers
Phill

_____

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, 20 November 2003 8:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

http://www.ISAserver.org

It is ICMP. Just because you are blocking it outbound does not stop the infected computer from trying to go out. Ever hear of DoS? This is what it is doing.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx]
Sent: Wednesday, November 19, 2003 1:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Nachi

http://www.ISAserver.org

Can anyone tell me why the Nachi worm brings my ISA firewall to its knees? I have ICMP disabled outgoing, but as soon as I get a machine behind the firewall with Nachi on it the firewall service goes to 100%. The server looks like it's dead but it's not; disconnect the internal NIC and it comes back to life straight away. Even if I disable my DNS server (behind the firewall) it still stays at 100%, so it's not ICMP and it's not DNS. So what is it, and more importantly, how come ISA chokes on it so easily?

I could understand ISA choking on 100 Nachi boxes on a 100Mb internal link, but yesterday I had 2 infected machines behind the firewall connected over a 128Kb link taking the firewall service to 100%?? I have even turned off logging and anything else that might use up CPU; still the same happens. I am seriously considering changing firewalls.

Cheers
Phill

Phill Hardstaff MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc.
Senior Support Engineer
Secretariat of the Pacific Community
B.P. D5 Noumea Cedex - 98848 New Caledonia
Phone +687-260141 Mobile +687 838091 Fax +687-263818
Email phillh@xxxxxxx
SPC Web Page http://www.spc.int/
Personal Web Page http://www.hardstaff.com/
Personal Email Phill@xxxxxxxxxxxxx
Personal Fax +1 (603) 299-5640

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com
^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
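Jim's point that ISA still inspects every packet even when a rule denies it, and John's that a monitor on the wire would have shown saturation, suggest the check a defender wants here: a per-source rate count of ICMP echo requests in the firewall log, plus a rough load estimate against the link. The Python below is an added example, not from the thread or from ISA; the space-separated log layout, the 120-byte per-packet size and the 50 requests/s threshold are assumptions.

```python
"""Rate-based detection of an ICMP echo-request flood from internal hosts.

Added example, not from the isalist thread. Assumes a simplified,
space-separated log layout (constructed here, not real ISA 2000 output):
    date time src_ip dst_ip proto icmp_type action
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample: one Nachi-like host sweeping many destinations
    within a single second, one host doing ordinary pings, one TCP line."""
    lines = []
    for i in range(1, 301):  # 300 echo requests in one second, all denied
        lines.append(f"2003-11-19 17:51:00 10.0.0.25 192.0.2.{i % 254 + 1} ICMP 8 DENY")
    for sec in range(4):  # a normal ping: one request per second
        lines.append(f"2003-11-19 17:51:0{sec} 10.0.0.40 198.51.100.1 ICMP 8 ALLOW")
    lines.append("2003-11-19 17:51:00 10.0.0.40 198.51.100.1 TCP - ALLOW")
    return lines


def echo_requests_per_second(lines):
    """Count ICMP echo requests (type 8) per (source, second), regardless of
    action: a denied packet still cost the firewall a lookup."""
    counts = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines rather than crash on them
        day, clock, src, _dst, proto, icmp_type, _action = parts
        if proto == "ICMP" and icmp_type == "8":
            counts[(src, f"{day} {clock}")] += 1
    return counts


def flag_flooders(counts, threshold=50):
    """Return {src: peak_requests_per_second} for sources over the threshold;
    these are the hosts to pull off the network (assumed threshold)."""
    peak = defaultdict(int)
    for (src, _second), n in counts.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > threshold}


def link_load_bits_per_second(pps, frame_bytes=120):
    """Rough wire load for `pps` pings/s; frame_bytes is an assumed
    IP+ICMP+payload size, not a measured Nachi figure."""
    return pps * frame_bytes * 8


if __name__ == "__main__":
    counts = echo_requests_per_second(build_sample_log())
    for src, peak in flag_flooders(counts).items():
        load = link_load_bits_per_second(peak)
        print(f"{src}: {peak} echo req/s, ~{load} bit/s on the wire")
```

Compare the per-host load against the link speed in question (128 Kb in Phill's case) to see whether the link itself, not just the ISA CPU, is the bottleneck.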