RE: Nachi

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 19 Nov 2003 19:32:35 -0800

Ok, kids; quicherbichin' or I'll turn this alias around and no one will get any 
McDonalds tonight..!

Actually, you're both right:
1. DoS is exactly that; misuse a perfectly valid traffic profile to prevent use 
of the server; Nachi is built to do this and it succeeds in grand fashion 
because ISA is trying to process the traffic.

2. ISA has one big flaw that Nachi, Blaster and other viruses / worms have 
taken advantage of; it considers the internal network as fully trusted.  This 
has been rethought for the future release, but it can't be changed for ISA2000.

What's the right answer?
Try this to help your ISA withstand the jackasses that can't keep their laptops 
clean:

http://support.microsoft.com/default.aspx?scid=283213

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Wed, 19 Nov 2003 18:06:12 -0800
 "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Denying outbound ICMP is just that: a rule to deny it from leaving ISA. It will
still receive the request and process it, during which it sees it is not
allowed and blocks it.

Do you understand what a Denial of Service is? It is sending thousands of
requests per second. If you were to have a network monitor on the wire
during that time checking bandwidth used, you would have seen saturation.

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx] 
Sent: Wednesday, November 19, 2003 5:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

http://www.ISAserver.org

OK, but I think my question is still valid: 2 infected boxes over a 128Kb
link can bring ISA to its knees :) Sorry, but like I said, if it was a lot
of boxes on its 100Mb interface I could understand it. As for the next post
about keeping AV up to date, well, this was a consultant's machine that
someone just plugged onto our network without asking, not much you can do
about that. You can tell people as much as you like not to but they can
still do it; it was an XP box with no patches or SP. All our machines are up to
date and we use SUS, what else am I supposed to do :)

Anyway, I am still sorting it out but after putting in this registry entry
http://support.microsoft.com/default.aspx?scid=kb;en-us;283213 for Blocking
and Logging Outbound ICMP Traffic outlined here and rebooting it seems to
handle it a bit better, but I still don't understand what this registry
entry does that the deny ICMP out doesn't do?

Cheers

Phill

  _____  

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, 20 November 2003 8:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

http://www.ISAserver.org

It is ICMP. Just because you are blocking it outbound does not stop the
infected computer from trying to go out. Ever hear of DoS? This is what it
is doing.

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx] 
Sent: Wednesday, November 19, 2003 1:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Nachi

http://www.ISAserver.org

Can anyone tell me why the Nachi worm brings my ISA firewall to its knees?
I have ICMP disabled outgoing but as soon as I get a machine behind the
firewall with Nachi on it the firewall service goes to 100%, the server
looks like it's dead but it's not, disconnect the internal NIC and it comes
back to life straight away, even if I disable my DNS server (behind the
firewall) it still stays at 100%, so it's not ICMP and it's not DNS, so what
is it and more importantly how come ISA chokes on it so easily?

I could understand ISA choking on 100 Nachi boxes on a 100Mb internal link
but yesterday I had 2 infected machines behind the firewall connected over a
128Kb link taking the firewall service to 100% ?? I have even turned off
logging and anything else that might use up CPU, still the same happens. I
am seriously considering changing firewalls.

Cheers 

Phill 

Phill Hardstaff 
MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc. 
Senior Support Engineer 
Secretariat of the Pacific Community 
B.P. D5 
Noumea Cedex - 98848 
New Caledonia 

Phone +687-260141 
Mobile +687 838091 
Fax +687-263818 
Email phillh@xxxxxxx 
SPC Web Page http://www.spc.int/ 
Personal Web Page http://www.hardstaff.com/ 
Personal Email Phill@xxxxxxxxxxxxx 
Personal Fax +1 (603) 299-5640 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003
  

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 



^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
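
The thread's practical problem is finding the infected hosts quickly, since the ISA deny rule is applied only after the firewall service has already accepted and inspected each echo request. The script below is an added example written for this page; it is not code from the thread, from ISA Server or from Microsoft. It builds a constructed capture (an assumed infected host 10.0.0.23 sweeping at 200 echo requests per second with the 64-byte 0xAA payload Welchia/Nachi is known to send, plus an ordinary 32-byte Windows ping from an assumed admin workstation 10.0.0.5), parses the raw IPv4/ICMP packets without any third-party library, and flags any source that exceeds a per-second echo-request threshold. The addresses, the 50-per-second threshold and the 1-second window are assumptions; each Nachi ping occupies 92 bytes at the IP layer, so even a 128 Kbit/s link carries roughly 170 of them per second, which is why two hosts on a slow link still generate a few hundred packets per second for the firewall to process.

```python
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
NACHI_PAYLOAD = b"\xaa" * 64          # Welchia/Nachi echo requests carry 64 bytes of 0xAA
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte ping.exe payload


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x0200, seq=1) -> bytes:
    """Constructed IPv4 + ICMP echo request (no link-layer header), checksums filled in."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_packet(pkt: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:      # protocol 1 = ICMP, need the 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 8:]


def find_scanners(packets, window=1.0, threshold=50):
    """packets: iterable of (timestamp_seconds, raw_ipv4_bytes).
    Flags every source whose echo-request count inside any `window`-second span
    exceeds `threshold`, reporting the peak rate, how many of its pings carried
    the Nachi payload, and how many distinct destinations it probed."""
    per_src = defaultdict(list)                # src -> [(ts, dst, looks_like_nachi)]
    for ts, raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        per_src[src].append((ts, dst, payload == NACHI_PAYLOAD))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):         # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = {
                "peak_per_window": peak,
                "nachi_payload": sum(1 for e in events if e[2]),
                "distinct_targets": len({e[1] for e in events}),
            }
    return flagged


def sample_capture():
    """Constructed traffic: one infected laptop sweeping 10.0.1.0/24 at 200 pps,
    one legitimate three-packet ping from an admin workstation."""
    pkts = []
    for i in range(200):
        pkts.append((i * 0.005, build_echo_request("10.0.0.23", "10.0.1.%d" % (i % 254 + 1),
                                                   NACHI_PAYLOAD, seq=i)))
    for i in range(3):
        pkts.append((0.5 + i, build_echo_request("10.0.0.5", "10.0.0.1",
                                                 WINDOWS_PING_PAYLOAD, seq=i)))
    return pkts


if __name__ == "__main__":
    for src, info in find_scanners(sample_capture()).items():
        print("suspect %s: %d echo requests/s, %d with Nachi payload, %d targets"
              % (src, info["peak_per_window"], info["nachi_payload"], info["distinct_targets"]))
```

On a real network, feed `find_scanners` the `(timestamp, ip_bytes)` tuples from whatever capture reader you have on the wire between the internal switch and the ISA internal NIC, and lower the threshold if the link is slow; the distinct-target count separates a sweeping worm from a host that is merely pinging one address hard.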


