Re: Sonicwall Pro issues

From: wailakig (wailaki_at_batnet.com)
Date: 09/19/03


Date: 18 Sep 2003 15:36:23 -0700

I heard that as of yesterday a new RPC exploit was posted on the net.
One that takes advantage of the last vulnerability announced by MS.

Is your SNWL DMZ configured with a rule that says:

allow default
source WAN
dest'n DMZ

If so, you need to lock it down.

Easiest way is to uncheck the default DMZ In column, on Access -
Services screen. Leaving others checked there (like HTTP and FTP)
should be OK provided you have properly managed IIS updates.

Another idea: reduce the network inactivity timeout setting on the
same page, and on any rule involved with your webserver. No more than
5 minutes on the latter.

robertbaratono@netscape.net (Robert Baratono) wrote in message news:<dd3a338c.0309172131.76ead7a1@posting.google.com>...
> danths@hotmail.com (sd) wrote in message news:<67e6ce25.0309171124.472f9e6@posting.google.com>...
> > Hello,
> > We have two very high traffic webservers in the DMZ created thru
> > Sonicwall Pro with firmware 6.4.2. For the past couple of days the
> > connection cache fills up pretty quickly requiring the unit to be
> > power cycled, sometimes I cannot even get into the mgmt. interface.
> > Sonicwall support has absolutely no clue on what's happening and are
> > pointing to viruses with LAN/DMZ. We have been scanning all computers
> > ( servers /Wks ) with multiple virus scanning software but to no luck.
> > I have also seen quite a few posts regarding connections not clearing.
> > Is there a problem with our setup or is it with Sonicwall? How do I
> > find out the computer with multiple connections?
> >
> > Any help is greatly appreciated.
> >
> > Thx!
> > sameer
>
> Although you say that you've scanned all of your machines for viruses,
> you almost certainly have a Blaster-type infection (actually probably
> "Welchia") on one or more of the machines behind your Sonicwall.
>
> Welchia infections generate a -lot- of outgoing "ping" (ICMP 8)
> traffic as they try to infect every possible machine on the Internet
> (the pings are testing to find "live" hosts). This tends to rapidly
> fill the SPI connection cache, especially on the old "Pro" series
> Sonicwalls that don't have a lot of memory or CPU.
>
> In my case someone brought an old laptop into work that had gotten
> W32.Welchia over a dial-up connection at home. As soon as it was
> plugged into the network, it started filling the connection cache on
> my Sonicwall every 5-6 minutes and I noticed my internal network
> traffic was pegged at a much higher level than normal.
>
> My Sonicwall logs to a syslog server (which records -all- firewall
> activity, unlike the internal Sonicwall logging service) so it was
> just a matter of looking at the syslog logs to find the "guilty" IP
> address generating the continuous ICMP8 traffic, getting its MAC
> address from the Sonicwall DHCP status page and then mucking around in
> my switch logs to find the port that the MAC address was connected to.
> All that remained was to go yell at somebody (and unplug 'em).
> Fortunately, all of the other machines on my network had been patched
> or it would have been a real mess...
>
> Be prepared for your logs to get -real big- real fast if you've got
> one of these little worms on your internal network. It's possible
> that it's some other problem on your network, but I know of at least
> two other Sonicwall users besides me that saw your exact symptoms with
> Welchia/Blaster infections on their networks.
>
> If you don't have a syslog server on your network, Google for "Kiwi
> Syslog Daemon". I believe that it's still free and it worked pretty
> well the last time that I tried it.
>
> Good luck,
> Bob
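The hunt Bob describes above (send the firewall's log to a syslog server, then find the internal address generating continuous ICMP echo requests) done as a script, as an added example that is not code from this thread or from Sonicwall. It also answers the original question of how to find the computer with the most connections. The log lines below are constructed in a key=value style that only approximates what a SonicWall unit sends to syslog; the field names, hosts and thresholds are assumptions for the example, not verbatim device output.

```python
"""Find the internal host flooding outbound ICMP echo requests (ICMP type 8).

Added example, not code from the thread. It mirrors the manual procedure
in the post: read the syslog export from the firewall, count outbound
echo requests per internal source address, and report sources that ping
many distinct destinations, which is the fan-out pattern a scanning worm
such as Welchia produces and a normal host does not.
"""
import re
from collections import defaultdict

# Constructed sample (not captured logs): three LAN hosts. 192.168.1.77
# pings a spread of unrelated Internet addresses, 192.168.1.10 pings one
# fixed address (normal monitoring), 192.168.1.50 only browses the web.
# The key=value layout approximates SonicWall syslog output; field names
# are assumptions.
SAMPLE_LOG = """\
Sep 18 15:36:01 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.50:1042:LAN dst=10.1.2.3:80:WAN proto=tcp/http
Sep 18 15:36:02 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:LAN dst=64.23.11.4:WAN proto=icmp type=8
Sep 18 15:36:02 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:LAN dst=64.23.11.5:WAN proto=icmp type=8
Sep 18 15:36:02 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.10:LAN dst=10.1.2.3:WAN proto=icmp type=8
Sep 18 15:36:03 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:LAN dst=64.23.11.6:WAN proto=icmp type=8
Sep 18 15:36:03 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.50:1043:LAN dst=10.1.2.4:443:WAN proto=tcp/https
Sep 18 15:36:03 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:LAN dst=64.23.11.7:WAN proto=icmp type=8
Sep 18 15:36:04 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.10:LAN dst=10.1.2.3:WAN proto=icmp type=8
Sep 18 15:36:04 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:LAN dst=64.23.11.8:WAN proto=icmp type=8
Sep 18 15:36:04 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:LAN dst=64.23.11.9:WAN proto=icmp type=8
Sep 18 15:36:05 sonicwall id=firewall m=98 msg="Connection Opened" src=192.168.1.77:1050:LAN dst=10.1.2.3:80:WAN proto=tcp/http
Sep 18 15:36:05 sonicwall this line carries no connection fields at all
"""

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict, or None if
    the line has no src/dst fields (the firewall logs other events too)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "src" not in fields or "dst" not in fields:
        return None
    # src/dst look like ip:port:zone or ip:zone; the address is the first part.
    fields["src_ip"] = fields["src"].split(":")[0]
    fields["dst_ip"] = fields["dst"].split(":")[0]
    fields["is_echo_request"] = (fields.get("proto") == "icmp"
                                 and fields.get("type") == "8")
    return fields


def summarize(lines):
    """Per source IP: total logged connections, echo requests sent, and the
    number of distinct destinations those echo requests went to."""
    stats = defaultdict(lambda: {"total": 0, "icmp8": 0, "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src_ip"]]
        s["total"] += 1
        if rec["is_echo_request"]:
            s["icmp8"] += 1
            s["dsts"].add(rec["dst_ip"])
    return {ip: {"total": s["total"], "icmp8": s["icmp8"],
                 "icmp8_dsts": len(s["dsts"])}
            for ip, s in stats.items()}


def suspects(lines, min_icmp8=5, min_dsts=5):
    """Sources whose echo requests fan out to many distinct destinations,
    worst first. The thresholds are assumptions to tune per site: a
    monitoring box that pings a few fixed addresses must not trip them,
    a worm sweeping address space will by a wide margin."""
    summary = summarize(lines)
    hits = [(ip, s) for ip, s in summary.items()
            if s["icmp8"] >= min_icmp8 and s["icmp8_dsts"] >= min_dsts]
    return sorted(hits, key=lambda item: item[1]["icmp8_dsts"], reverse=True)


if __name__ == "__main__":
    for ip, s in suspects(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {s['icmp8']} echo requests to {s['icmp8_dsts']} hosts, "
              f"{s['total']} connections logged")
```

Once you have the source IP, the rest of the chase is as Bob describes: the DHCP status page gives its MAC address and the switch's MAC table gives the port. Run the script over the raw syslog file rather than the unit's internal log, since the internal log drops entries under exactly the load a worm produces.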
