Gb ethernet interface keeping dropping packet in ingress

Jeff Kell jeff-kell at utc.edu
Tue Sep 14 04:14:26 UTC 2004


Joe Johnson wrote:

>Now, we do try to monitor some things like that.  We have several crons
>running checking the number of entries in the arp tables of our CPE
>devices at customer locations, as well as several crons dedicated to
>specific tell-tale signs of various worms and virii.
>
Our list of crons is growing too...  

>One that helped out a lot recently was Nachi/Welchia search.  Caught 40%
>of our subscribers that were infected, and helped stop all but 3
>specific broadcast storms on our network.  All the cron did was look for
>the specific ICMP packet that the virus put out, and flagged the
>connection in a list that is emailed to the NOC s
>
We do the Nachi/Blaster 445 and ICMP pings with a route policy map on 
our core so as not to disturb the PIX with senseless traffic.  We do at 
least catch the random Nachi probes (which are local); it didn't work so 
well with machines destined off the local subnet.

We do extensive ingress/egress filtering at the border that catches most 
junk from getting in or out.  We're in the process of integrating this 
into our Perfigo system, but we've only had the Perfigo solution in 
place for a few months.  It has helped by logically micro-managing each 
station on its own logical /30 subnet that makes them up, but 
virii/worms that don't care about gateways and so forth aren't really 
stopped if they catch a 0-day; very few viruses do meaningful IP 
address guessing (they'll nail the local ranges first, but some go 
off-campus).  This is hopefully caught by a script under development that 
uses ipaudit (sourceforge.net) and keeps the top 10 traffic sources 
inbound/outbound, and cumulative counts each 30 minutes for how many 
local hosts appear to be scanning, and likewise for the reverse.

We used to shut these ports down, but now we're having Perfigo lock them 
into a "quarantine" LAN where their situation is explained, and has 
hooks to our SUS and antivirus tools (AdAware, Spybot) with contact 
numbers for the helpdesk if they need assistance.

So far, so good, but could be better.

Jeff
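An added illustration of the kind of ipaudit-fed script Jeff describes (top traffic sources per direction plus a per-window count of local and remote hosts that look like scanners). This is example code written for this page, not the poster's script and not part of ipaudit; the local prefix 10.0.0.0/16, the 30-minute window, the fan-out threshold and the flow records are all constructed assumptions.

```python
"""Scan-detection sketch over ipaudit-style flow records (added example).

Not the original poster's script and not ipaudit code.  Assumes:
  * LOCAL_NET is the campus range (constructed: 10.0.0.0/16)
  * a source that reaches >= THRESHOLD distinct destinations on one
    protocol/port inside one window is reported as a suspected scanner
  * records are (epoch_seconds, src, dst, proto, dst_port, bytes)
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")   # assumption: campus prefix
WINDOW_SECONDS = 1800                               # "each 30 minutes"
THRESHOLD = 5                                       # distinct peers per (src, proto, port)


def _burst(ts, src, dst_prefix, count, proto, port, nbytes):
    """Build `count` constructed flows from src to dst_prefix1..N."""
    return [(ts + i, src, f"{dst_prefix}{i + 1}", proto, port, nbytes)
            for i in range(count)]


# Constructed sample records (not real traffic):
SAMPLE_FLOWS = (
    _burst(1000, "10.0.1.5", "10.0.2.", 6, "tcp", 445, 120)        # local host sweeping 445
    + [(1010, "10.0.1.5", "198.51.100.9", "tcp", 445, 120)]        # ... and one off-campus target
    + [(1020, "10.0.3.7", "203.0.113.4", "tcp", 80, 900000)]       # big download, not a scan
    + _burst(1030, "192.0.2.9", "10.0.4.", 5, "tcp", 445, 60)      # inbound 445 sweep
    + _burst(1040, "10.0.5.2", "10.0.6.", 3, "icmp", 0, 84)        # 3 pings: below threshold
    + _burst(3000, "10.0.1.5", "10.0.7.", 2, "tcp", 445, 120)      # next window, below threshold
)


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def top_talkers(flows, n=10, outbound=True):
    """Top-n sources by bytes; outbound = local sources, inbound = remote sources."""
    totals = defaultdict(int)
    for _, src, _, _, _, nbytes in flows:
        if is_local(src) == outbound:
            totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def suspected_scanners(flows, threshold=THRESHOLD):
    """Sources whose distinct-destination fan-out on one proto/port meets the threshold."""
    peers = defaultdict(set)
    for _, src, dst, proto, port, _ in flows:
        peers[(src, proto, port)].add(dst)
    result = {"local": [], "remote": []}
    for (src, proto, port), dsts in peers.items():
        if len(dsts) >= threshold:
            side = "local" if is_local(src) else "remote"
            result[side].append((src, proto, port, len(dsts)))
    for side in result:
        result[side].sort()
    return result


def report(flows, window=WINDOW_SECONDS):
    """Per-window summary: top sources each way and scanner counts, keyed by window index."""
    buckets = defaultdict(list)
    for rec in flows:
        buckets[rec[0] // window].append(rec)
    out = {}
    for idx in sorted(buckets):
        chunk = buckets[idx]
        scanners = suspected_scanners(chunk)
        out[idx] = {
            "top_out": top_talkers(chunk, outbound=True),
            "top_in": top_talkers(chunk, outbound=False),
            "scanners": scanners,
            "local_scanning": len(scanners["local"]),
            "remote_scanning": len(scanners["remote"]),
        }
    return out


if __name__ == "__main__":
    for idx, summary in report(SAMPLE_FLOWS).items():
        print(f"window {idx}: {summary['local_scanning']} local / "
              f"{summary['remote_scanning']} remote suspected scanners")
        print("  top out:", summary["top_out"][:3])
        print("  top in: ", summary["top_in"][:3])
        print("  flagged:", summary["scanners"])
```

The fan-out count deliberately keys on (source, protocol, port) rather than bytes, which is why the 900 kB download in the sample is a top talker but not a scanner, and why the same host's two-destination burst in the second window is not reported; a byte-ranked list alone would miss low-volume sweeps like the 445 probes.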


