netcurmudgeon (netcurmudgeon) wrote,


Ah Monday...

At around noon today one of our firewalls (a Cisco PIX that handles all of the school and library Internet traffic) crashed. Well, not really crashed per se, but it stopped forwarding traffic and had to be restarted. The culprit? Same as the north-end router last week: an overload of traffic from PCs infected with the SdBot worm. Or so I thought.

After getting the PIX restarted, I took a look at the firewall log file (the PIX sends its log entries via syslog to one of my Linux servers). We had captured 1.3GB of log by 12:30. Of that, 1 GB was log entries from the firewall denying access to the Internet by worm-infected PCs. I copied a Perl script that I use for analyzing firewall logs, and dropped in new code to pick out the IP addresses of denied PCs and count up the number of times they were denied. Then I pointed it at the firewall log and said "sic 'em!"

I expected to get a list of twenty to a hundred infected PCs. The script ground through 6,674,944 lines of log, and fingered three machines. Yes, three PCs. On examination of the output file, one (yes one) PC was responsible for 6,674,266 hits. The other two counted only 678 hits between them and probably aren't infected.
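The counting step described above, as an added example rather than the author's Perl script or anything taken from the PIX itself: it runs over a handful of constructed syslog lines written in the shape of the PIX 106023 access-list deny message (the message format, hostnames, addresses and ports are all assumptions), tallies denies per source address, and ranks the sources. It goes one step past a plain count: for each source it also records how many distinct destinations were denied and which destination port was hit most often, because a worm hunting for new victims fans out across many addresses on one port, while a PC that trips the access list a few hundred times a day usually does not.

```python
"""Count PIX access-list deny entries per source IP and rank the sources."""
import re
from collections import Counter, defaultdict

# Constructed sample log (not captured from the author's firewall). The deny lines
# follow the shape of the PIX %PIX-4-106023 message; one 302013 "Built connection"
# line is included to show that non-deny entries are ignored.
SAMPLE_LOG = """\
Mar 13 12:01:05 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1037 dst outside:203.0.113.7/445 by access-group "inside_in"
Mar 13 12:01:05 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1038 dst outside:203.0.113.8/445 by access-group "inside_in"
Mar 13 12:01:05 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1039 dst outside:203.0.113.9/445 by access-group "inside_in"
Mar 13 12:01:05 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1040 dst outside:203.0.113.10/445 by access-group "inside_in"
Mar 13 12:01:06 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1041 dst outside:203.0.113.11/445 by access-group "inside_in"
Mar 13 12:01:06 pix %PIX-4-106023: Deny tcp src inside:10.20.30.40/1042 dst outside:203.0.113.12/445 by access-group "inside_in"
Mar 13 12:01:06 pix %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.5/80 (198.51.100.5/80) to inside:10.20.30.41/1500 (192.0.2.1/2001)
Mar 13 12:01:07 pix %PIX-4-106023: Deny tcp src inside:10.20.30.41/1501 dst outside:198.51.100.6/25 by access-group "inside_in"
Mar 13 12:01:07 pix %PIX-4-106023: Deny tcp src inside:10.20.30.41/1502 dst outside:198.51.100.6/25 by access-group "inside_in"
Mar 13 12:01:08 pix %PIX-4-106023: Deny udp src inside:10.20.30.42/2049 dst outside:198.51.100.9/137 by access-group "inside_in"
"""

# Assumed layout of the 106023 deny message: protocol, then src iface:ip/port,
# then dst iface:ip/port. Interface names and the trailing ACL name are not needed.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+ "
    r"dst \w+:(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


def parse_denies(lines):
    """Yield (src, dst, dport) for each access-list deny line; skip all other lines."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def summarize(lines):
    """Per source IP: total denies, distinct destinations seen, most-hit dest port."""
    denies = Counter()
    dsts = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, dport in parse_denies(lines):
        denies[src] += 1
        dsts[src].add(dst)
        ports[src][dport] += 1
    return {
        src: {
            "denies": n,
            "distinct_dsts": len(dsts[src]),
            "top_port": ports[src].most_common(1)[0][0],
        }
        for src, n in denies.items()
    }


def rank(lines, threshold):
    """Sources with at least `threshold` denies, busiest first."""
    stats = summarize(lines)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["denies"], reverse=True)
    return [(src, s) for src, s in ranked if s["denies"] >= threshold]


if __name__ == "__main__":
    for src, s in rank(SAMPLE_LOG.splitlines(), threshold=1):
        print(f'{src:16} denies={s["denies"]:8} dsts={s["distinct_dsts"]:6} port={s["top_port"]}')
```

Against a real file, pass the open file object straight to `rank()`; the functions iterate line by line, so a multi-gigabyte syslog file streams through without being read into memory. Setting the threshold to a few hundred separates a host generating millions of denies from the ordinary background of a few hundred, which is exactly the split the counts above show, and a high distinct-destination count on one port is the additional tell that the traffic is a scan rather than a stuck application.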

I am both relieved and troubled. Relieved in that one PC in a small elementary school is a lot easier to find and clean than scores of PCs all over the city. And troubled in that a lone PC was able to generate enough traffic to flatten the PIX. I feel somewhat like the little Dutch boy running around plugging holes in the dyke. Tomorrow, more surveillance. Perhaps, if I can keep an eye on the log file, I can nab any infected PCs before they crash my firewall.
