Subject: Re: Interesting discovery.
To: Herb Peyerl <hpeyerl@beer.org>
From: Harry Waddell <waddell@caravan.com>
List: current-users
Date: 08/23/2004 13:42:12
On Mon, 23 Aug 2004 14:23:56 -0600
Herb Peyerl <hpeyerl@beer.org> wrote:

> I just had a really bad morning/day trying to figure out why a 
> firewall/router which had been up for 8+ months had suddenly decided to 
> be unreliable.  After having remote hands swap hardware and so forth, 
> it was isolated to the OS which was 1.6.1... As soon as the thing hit 
> multi-user, it would hang within a minute. Nothing on the console 
> except some 'tlp' underruns...
> 
> Eventually I managed to get a 2.0 beta kernel onto it and then it would 
> actually stay up... Strangely, this only started happening last night; 
> with months of being a perfectly happy little computer.
> 
> Shortly after the 2.0 kernel went on, and I untarred the rest of 
> userland, is when I discovered the problem.  Quite a number of hosts on 
> the network were fishing through the address space on port 445 looking 
> for, presumably, Windows fileservers.  Clearly a virus of some sort.  
> After ipf'ing those hosts out of the way, everything is calm again.  We 
> were hitting some 30,000 ipnat MAP's and 2.0 was perfectly content to 
> deal with them whereas 1.6.1 was decidedly less happy with the 
> prospect.

I ran into similar problems in the past. I replaced an old Intel
firewall/router, because it was seemingly unreliable, with a PC running NetBSD
1.6.1. After a while, things started slowing down, at which point I found that 
a virus was causing local machines to add about 200 nat associations/sec.
FWIW, 1.6.1 handles these sorts of problems with a lot more grace than a cheap
HW box. It's good to know that 2.0 is even better.

FYI, I have a cron entry on that router that counts the MAP entries and pages
me if the number is too high, since this is an indicator of virus activity.

-- 
Harry Waddell
Caravan Electronic Publishing
-----------
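In the spirit of the cron check Harry describes, here is an added example (not code from this thread, from NetBSD, or from either poster): a small sh script that counts the active MAP sessions in an ipnat listing, alerts when the count crosses a threshold, and lists the internal hosts with the most sessions to port 445, which is the scanning pattern Herb saw. It assumes the session listing comes from `ipnat -l` and that its line layout matches the constructed sample embedded below; the threshold value is arbitrary.

```shell
#!/bin/sh
# Added example: threshold check on ipnat MAP sessions, meant to run from cron.
# Assumption: session lines from `ipnat -l` look like the constructed sample.

THRESHOLD=${THRESHOLD:-20000}

# Constructed sample in the layout assumed for `ipnat -l` output.
SAMPLE='List of active MAP/Redirect filters:
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:60000

List of active sessions:
MAP 10.0.0.5     1025  <- -> 203.0.113.1  10023 [198.51.100.7 445]
MAP 10.0.0.5     1026  <- -> 203.0.113.1  10024 [198.51.100.8 445]
MAP 10.0.0.5     1027  <- -> 203.0.113.1  10025 [198.51.100.9 445]
MAP 10.0.0.9     2001  <- -> 203.0.113.1  10026 [192.0.2.10 80]
MAP 10.0.0.12    3001  <- -> 203.0.113.1  10027 [198.51.100.20 445]'

# Number of active MAP sessions in the listing read from stdin.
count_map() {
    awk '/^MAP / { n++ } END { print n + 0 }'
}

# Internal hosts ranked by number of sessions to port 445, busiest first.
# Field 2 is the internal address; the last field is the destination port.
scanners_445() {
    awk '$1 == "MAP" && $NF == "445]" { n[$2]++ }
         END { for (h in n) print h, n[h] }' | sort -k2,2nr
}

# Read a listing from stdin; return 0 below threshold, 1 (alert) at or above.
check() {
    listing=$(cat)
    total=$(printf '%s\n' "$listing" | count_map)
    if [ "$total" -ge "$THRESHOLD" ]; then
        echo "ALERT: $total active MAP entries (threshold $THRESHOLD)"
        printf '%s\n' "$listing" | scanners_445
        return 1
    fi
    echo "ok: $total active MAP entries"
    return 0
}
```

In cron you would feed `ipnat -l | check` and pipe any alert output to your paging mechanism.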