From: emad (emad@zakq8.com)
Date: Wed Aug 27 2003 - 13:54:48 GMT-3
Folks,
I'm experiencing the same problem with my Internet router as it gave me
the following errors:
" Traceback= 8040B440 8040D3E0 80406FA4 80381250 8037EADC 8037E75C
803E9134 803E917C 803E4C80 803E4610 8037EDCC 8035FBB0 8036006C 80390A80
80390BA0 80380FB8 "
" '23:14:03: %SYS-2-NULLCHUNK: Memory requested from Null Chunk "
Those were only examples of the error messages, and at the end the
router gives me low memory and the traffic went down. I think it is a
result of the virus problem, right?
As I noticed, you recommend only blocking the following:
Access-list 120 deny icmp any any 8
Do I only need this access-list to solve the problem?
Please help
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ashish Modi
Sent: Wednesday, August 27, 2003 7:32 PM
To: Kenneth Wygand; Rajagopal S; ccielab@groupstudy.com
Subject: RE: NACHI !!!
I had the same problem with this virus. I mirrored PIX
port and captured traffic for about 3 minutes. Did a
filter on ICMP 8 protocol. Saved the file as a CSV
file and did a sort for unique entries on Source
address. It gave me all the machine IPs that had the
virus on them.
--- Kenneth Wygand <KWygand@customonline.com> wrote:
> Where is your NAT (or PAT) being done? Check the
> NAT translation table
> at that point to determine what the actual (pre-NAT
> or pre-PAT) source
> IP address is thrashing your firewall.
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1,
> Network+, A+
> Custom Computer Specialists, Inc.
> "It's not just about ending up where you want to be,
> it's about making
> the most of the trip there."
> -Anonymous
>
> -----Original Message-----
> From: Rajagopal S [mailto:raj_ccie@yahoo.com]
> Sent: Wednesday, August 27, 2003 10:30 AM
> To: ccielab@groupstudy.com
> Subject: NACHI !!!
>
> Hi guys,
>
> Nachi virus struck my network. My router melted down
> after the attack.
>
> As such, there are a huge number of PCs sitting on the
> inside interface of
> the firewall. The router having the internet link is
> sitting on the
> outside interface of the firewall.
>
> The internal users/servers are connected to the PIX
> via a 4507 internal
> L3 switch.
>
> I have identified the traffic coming from inside to
> outside on port 0800
> (icmp type 8 packet) from the patted IP to some
> arbitrary IPs on
> internet. I have blocked icmp on PIX and stabilised
> the situation.
>
> But I am still not sure which hosts on the internal
> network are pushing
> this traffic (i.e. affected with nachi). I am ready to
> put nachi patches on
> all the 500 odd machines,
> but it is a bit tough !!!
>
> Is there any way to find the machine pumping this
> traffic from the
> switch? I am not able to enable ip route-cache flow
> or ip accounting on
> the vlan interface, nor able to enable MLS. Is there
> any other way to see
> this information?
>
> Cheers
> Raj
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:07 GMT-3
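
Added example (not part of the original thread and not any poster's own code): a Python sketch of the capture-and-sort approach Ashish Modi describes above, reading a capture exported to CSV, keeping only ICMP type 8 rows, and listing the source addresses. It goes one step beyond the post by also counting distinct destinations per source, so a host sweeping many addresses stands apart from one pinging a single target; the column names, the min_destinations threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample of a capture exported to CSV. The column names are
# assumptions; adjust them to whatever your capture tool writes.
SAMPLE_CSV = """src,dst,protocol,icmp_type
10.1.1.23,198.51.100.1,ICMP,8
10.1.1.23,198.51.100.2,ICMP,8
10.1.1.23,198.51.100.3,ICMP,8
10.1.1.23,198.51.100.4,ICMP,8
10.1.2.77,203.0.113.9,ICMP,8
10.1.2.77,203.0.113.9,ICMP,8
10.1.3.5,192.0.2.10,TCP,
198.51.100.1,10.1.1.23,ICMP,0
10.1.4.40,203.0.113.20,ICMP,8
10.1.4.40,203.0.113.21,ICMP,8
10.1.4.40,203.0.113.22,ICMP,8
"""


def echo_request_sources(lines):
    """Return {source: (packet_count, destinations)} for ICMP type 8 rows."""
    stats = defaultdict(lambda: [0, set()])
    for row in csv.DictReader(lines):
        if (row.get("protocol") or "").strip().upper() != "ICMP":
            continue
        if (row.get("icmp_type") or "").strip() != "8":  # echo request only
            continue
        entry = stats[row["src"].strip()]
        entry[0] += 1
        entry[1].add(row["dst"].strip())
    return {src: (count, dsts) for src, (count, dsts) in stats.items()}


def suspected_sweepers(lines, min_destinations=3):
    """Sources pinging at least min_destinations distinct hosts, widest first."""
    stats = echo_request_sources(lines)
    hits = [(src, count, len(dsts)) for src, (count, dsts) in stats.items()
            if len(dsts) >= min_destinations]
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))


if __name__ == "__main__":
    # Any iterable of text lines works, e.g. open("capture.csv", newline="").
    for src, packets, targets in suspected_sweepers(SAMPLE_CSV.splitlines()):
        print(f"{src}\t{packets} echo requests\t{targets} distinct destinations")
```

The capture has to be taken on the inside of the NAT/PAT device for the source column to show the real host addresses.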