Subject: Re: Interesting discovery.
To: Herb Peyerl <email@example.com>
From: Harry Waddell <firstname.lastname@example.org>
Date: 08/23/2004 13:42:12
On Mon, 23 Aug 2004 14:23:56 -0600
Herb Peyerl <email@example.com> wrote:
> I just had a really bad morning/day trying to figure out why a
> firewall/router which had been up for 8+ months had suddenly decided to
> be unreliable. After having remote hands swap hardware and so forth,
> it was isolated to the OS which was 1.6.1... As soon as the thing hit
> multi-user, it would hang within a minute. Nothing on the console
> except some 'tlp' underruns...
> Eventually I managed to get a 2.0 beta kernel onto it and then it would
> actually stay up... Strangely, this only started happening last night;
> with months of being a perfectly happy little computer.
> Shortly after the 2.0 kernel went on, and I untarred the rest of
> userland, is when I discovered the problem. Quite a number of hosts on
> the network were fishing through the address space on port 445 looking
> for, presumably, windows fileservers. Clearly a virus of some sort.
> After ipf'ing those hosts out of the way, everything is calm again. We
> were hitting some 30,000 ipnat MAPs and 2.0 was perfectly content to
> deal with them whereas 1.6.1 was decidedly less happy with the
I ran into similar problems in the past. I replaced an old Intel
firewall/router, because it was seemingly unreliable, with a PC running NetBSD
1.6.1. After a while, things started slowing down, at which point I found that
a virus was causing local machines to add about 200 nat associations/sec.
FWIW, 1.6.1 handles these sorts of problems with a lot more grace than a cheap
HW box. It's good to know that 2.0 is even better.
FYI, I have a cron entry on that router that counts the MAP entries and pages
me if the number is too high, since this is an indicator of virus activity.
Caravan Electronic Publishing
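As an added example (not code from this thread) of the cron check Harry describes, a POSIX sh script that counts the active ipnat MAP sessions in an `ipnat -l` listing, reports the inside hosts holding the most entries, and returns non-zero when a threshold is crossed. The session line layout, the threshold value and the sample listing are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: count active ipnat MAP sessions and flag a scanning host.
# Reads an "ipnat -l" style listing on stdin (from cron: ipnat -l | ...).
# ASSUMPTION: session lines follow a "List of active sessions:" header as
#   MAP <inside ip> <port> <- -> <outside ip> <port> [<dest ip> <dest port>]
# Check the exact layout against the ipf version on your router.

THRESHOLD="${THRESHOLD:-5000}"   # assumed alert level; tune to normal load

# Number of active MAP sessions (rules above the sessions header are ignored).
count_map_sessions() {
    awk '/List of active sessions:/ { in_sessions = 1; next }
         in_sessions && $1 == "MAP" { n++ }
         END { print n + 0 }'
}

# Inside hosts owning the most MAP sessions; one host with thousands of
# entries to port 445 is the worm signature described in the thread.
top_internal_sources() {
    awk '/List of active sessions:/ { in_sessions = 1; next }
         in_sessions && $1 == "MAP" { c[$2]++ }
         END { for (h in c) print c[h], h }' | sort -rn | head -n "${1:-3}"
}

# Prints a report; returns 1 when the table is above THRESHOLD (page the admin).
check_nat_table() {
    listing=$(cat)
    n=$(printf '%s\n' "$listing" | count_map_sessions)
    echo "active MAP sessions: $n (threshold $THRESHOLD)"
    if [ "$n" -gt "$THRESHOLD" ]; then
        echo "ALERT: NAT table above threshold; busiest inside hosts:"
        printf '%s\n' "$listing" | top_internal_sources 3
        return 1
    fi
    return 0
}

# Constructed sample listing (not real router output), used for the demo below.
SAMPLE='List of active MAP/Redirect filters:
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
List of active sessions:
MAP 192.168.1.5 1025 <- -> 203.0.113.2 40001 [198.51.100.10 445]
MAP 192.168.1.5 1026 <- -> 203.0.113.2 40002 [198.51.100.11 445]
MAP 192.168.1.5 1027 <- -> 203.0.113.2 40003 [198.51.100.12 445]
MAP 192.168.1.9 3311 <- -> 203.0.113.2 40004 [192.0.2.20 80]'

# Demo on the sample; in cron on the router use: ipnat -l | check_nat_table
printf '%s\n' "$SAMPLE" | check_nat_table
```

The non-zero return is what a cron wrapper would turn into a page; the host list tells you which machine to ipf out first.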