After getting the PIX restarted, I took a look at the firewall log file (the PIX sends its log entries via syslog to one of my Linux servers). We had captured 1.3GB of log by 12:30. Of that, 1 GB was log entries from the firewall denying access to the Internet by worm-infected PCs. I copied a Perl script that I use for analyzing firewall logs, and dropped in new code to pick out the IP addresses of denied PCs and count up the number of times they were denied. Then I pointed it at the firewall log and said "sic 'em!"
I expected to get a list of twenty to a hundred infected PCs. The script ground through 6,674,944 lines of log, and fingered three machines. Yes, three PCs. On examination of the output file, one (yes one) PC was responsible for 6,674,266 hits. The other two counted only 678 hits between them and probably aren't infected.
I am both relieved and troubled. Relieved in that one PC in a small elementary school is a lot easier to find and clean than scores of PCs all over the city. And troubled in that a lone PC was able to generate enough traffic to flatten the PIX. I feel somewhat like the little Dutch boy running around plugging holes in the dyke. Tomorrow, more surveillance. Perhaps, if I can keep an eye on the log file, I can nab any infected PCs before they crash my firewall.