RE: NACHI !!!

From: Charles Church (cchurch@wamnet.com)
Date: Fri Aug 29 2003 - 08:34:46 GMT-3


Raj,

        Can you make the interface to the PIX a routed port? Then enable ip
accounting on that. Otherwise, find or borrow a sniffer and span the port
going to the PIX. Or have everyone leave their PCs on overnight. After
everyone's left, look at switch interfaces and find the ones with relatively
high PPS over the 5 minute interval.

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rajagopal S
Sent: Friday, August 29, 2003 4:51 AM
To: Danny.Andaluz@triaton-na.com
Cc: ccielab@groupstudy.com
Subject: RE: NACHI !!!

HI Danny,

There are no routers before the PIX. We only have L3 switches, on which
we cannot enable ip accounting or ip cache flow on the vlan or trunk
interfaces.

Rolando - I'll check the logs on the proxy server and see if they give
me some useful info.

Cheers
Raj

Danny.Andaluz@triaton-na.com wrote:
Hi, Raj. What I was saying was to turn on accounting on the last router
that would reflect the original source before the traffic reaches the pix.

Check the diagram on the following link:

http://mywebpages.comcast.net/dannyandaluz/ipaccounting.jpg

Danny

-----Original Message-----
From: Rajagopal S [mailto:raj_ccie@yahoo.com]
Sent: Thursday, August 28, 2003 4:47 AM
To: Andaluz, Danilo, Triaton/NA; ccielab@groupstudy.com
Subject: RE: NACHI !!!

Hi Danny,

The PIX is sitting in between the router and the switch and doing a PAT. The
ip accounting on the router shows huge traffic from the PAT IP. This will
not reflect the original source.

I'll not be able to turn on ip accounting or cache flow on the VLAN
interfaces.

Cheers
Raj

Danny.Andaluz@triaton-na.com wrote:

Raj,

What we do here to identify infected machines is to turn on ip accounting on
the last internal router's outbound interface facing our firewall. If you
see many entries for one packet from one source and they are the same byte
count and they are sending to many different IPs, that machine is infected.

HTH,
Danny

-----Original Message-----
From: Rajagopal S [mailto:raj_ccie@yahoo.com]
Sent: Wednesday, August 27, 2003 10:30 AM
To: ccielab@groupstudy.com
Subject: NACHI !!!

Hi guys,

The Nachi virus struck my network. My router melted down after the attack.

As such, there are a huge number of PCs sitting on the inside interface of the
firewall. The router having the internet link is sitting on the outside
interface of the firewall.

The internal users/servers are connected to the PIX via a 4507 internal L3
switch.

I have identified the traffic coming from inside to outside on port 0800
(ICMP type 8 packet) from the PATed IP to some arbitrary IPs on the internet. I
have blocked ICMP on the PIX and stabilised the situation.

But I am still not sure which hosts on the internal network are pushing this
traffic (i.e. infected with Nachi). I am ready to put Nachi patches on all the
500-odd machines, but it is a bit tough !!!

Is there any way to find the machines pumping this traffic from the switch? I
am not able to enable ip route-cache flow or ip accounting on the VLAN
interface, nor able to enable MLS. Is there any other way to see this
information?

Cheers
Raj

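Danny's heuristic above (one source producing many single-packet, same-size entries to many distinct destinations) can be applied mechanically to the router's ip accounting table. The script below is an added example, not code from anyone in this thread; it parses a constructed sample of `show ip accounting` output (the addresses, counts and the column layout are assumptions) and flags sources that match the pattern without hardcoding any particular packet size.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip accounting` output; not captured from the
# thread's network. Columns assumed: Source, Destination, Packets, Bytes.
# A scanning host shows as one source with many one-packet entries of
# identical size, each to a different destination.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 10.1.1.5           198.51.100.7                 1                  92
 10.1.1.5           198.51.100.8                 1                  92
 10.1.1.5           198.51.100.9                 1                  92
 10.1.1.5           203.0.113.20                 1                  92
 10.1.1.5           203.0.113.21                 1                  92
 10.1.1.5           203.0.113.22                 1                  92
 10.1.1.9           198.51.100.7              1423              1450211
 10.1.1.9           203.0.113.5                 67                 8041
 10.1.1.12          198.51.100.7                 3                  288
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Return a list of (src, dst, packets, bytes) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return rows

def suspect_sources(rows, min_dests=5, min_fraction=0.8):
    """Flag sources whose entries are mostly one-packet flows of one byte count
    to at least min_dests distinct hosts. Returns {src: (n_dests, byte_count)}."""
    per_src = defaultdict(list)
    for src, dst, pkts, byts in rows:
        per_src[src].append((dst, pkts, byts))
    flagged = {}
    for src, entries in per_src.items():
        singles = [b for _, p, b in entries if p == 1]
        if len(singles) < min_dests:
            continue
        size = max(set(singles), key=singles.count)   # most common single-packet size
        dests = len({d for d, p, b in entries if p == 1 and b == size})
        if dests >= min_dests and dests / len(entries) >= min_fraction:
            flagged[src] = (dests, size)
    return flagged

if __name__ == "__main__":
    for src, (n, size) in suspect_sources(parse_accounting(SAMPLE)).items():
        print(f"{src}: {n} single-packet {size}-byte flows to distinct hosts")
```

Feed it the real table (`show ip accounting` pasted into SAMPLE or read from a file) and the flagged sources are the inside hosts to patch first; the thresholds are tunable to the size of the site.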



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:10 GMT-3