Hi list,
This might be a bit off-topic since there's nothing Debian-specific about the problem I'm having. If you feel this has no place on this list, please point me to a more appropriate list for this question.
Starting last week I noticed random network outages on the LAN I'm administering. There are 5 Debian servers for some 100 Windows workstations. The network topology is pretty straightforward, with two gateways to the internet and an affiliated site respectively.

Now what happens is this: there's a worm or virus on some of the Windows machines that uses TCP port 135 to distribute itself. Infected machines systematically scan neighbouring networks at a rate of a few hundred connection attempts/s for machines listening on port 135. Oddly enough, the local scanners (Norton Antivirus) don't find anything. But this mail is not about what to do with the Windows machines but rather what to do on the firewall.

Obviously port 135 is closed in both directions. However, I get the message "Neighbour table overflow" on the firewall (Debian stable w/ kernel 2.4.27) and the entire network comes to a standstill. The CPU load isn't even close to a worrying level, so I guess there are plenty of resources left, and still I can't make any network connection through the firewall when there's an infected machine plugged into the network. The ARP cache overflow happens even though I just drop packets in the iptables FORWARD chain.

So I set up a transparent bridge between the firewall and the LAN and tried filtering Ethernet frames from the infected machines using ebtables. This did work and the ARP cache overflow on the firewall no longer happened, but still the network was pretty much useless, and connections to any server outside of the LAN are extremely slow and unreliable.

Should it really be possible for a single infected Windows machine to DoS a Linux firewall? Please tell me it's not true and there's just something I'm overlooking. I'm at my wit's end here and don't even know what to try next. So any pointers are much appreciated.
Thanks, Ben
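The "Neighbour table overflow" symptom described in the post comes from the kernel's ARP (neighbour) cache: a host sweeping whole subnets makes the firewall send ARP requests for hundreds of addresses that never answer, so INCOMPLETE/FAILED entries accumulate until the table passes `net.ipv4.neigh.default.gc_thresh3` and new entries, including ones for legitimate hosts, can no longer be created. The script below is an added example (not code from the post or from Debian) that parses the output of `ip -4 neigh show`, shows which interface carries the pile of unresolved entries, rates the table against the gc_thresh1/2/3 limits (kernel defaults 128/512/1024 assumed), and proposes raised sysctl values. The neighbour-table sample it runs on is constructed inline so the block runs offline; the address ranges and MACs in it are made up.

```python
"""Summarise the Linux neighbour (ARP) table and detect scan-induced pressure.

Constructed example: reads `ip -4 neigh show` style output, counts resolved vs
unresolved entries per interface, and compares the total with the neighbour
garbage-collection thresholds that trigger "Neighbour table overflow".
"""
from collections import Counter, defaultdict

# Kernel defaults for net.ipv4.neigh.default.gc_thresh{1,2,3}
DEFAULT_THRESHOLDS = {"gc_thresh1": 128, "gc_thresh2": 512, "gc_thresh3": 1024}

UNRESOLVED = ("INCOMPLETE", "FAILED")


def parse_neigh(output):
    """Parse `ip -4 neigh show` lines into (ip, dev, state) tuples.

    ip(8) prints e.g. "10.0.0.5 dev eth1 lladdr 00:11:22:33:44:10 REACHABLE"
    or, for an address nobody answered for, "10.0.1.7 dev eth1 INCOMPLETE".
    """
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue  # skip blank or unexpected lines
        dev = fields[fields.index("dev") + 1]
        entries.append((fields[0], dev, fields[-1]))  # NUD state is last
    return entries


def summarise(entries):
    """Per-interface counts of unresolved (INCOMPLETE/FAILED) vs resolved entries."""
    per_dev = defaultdict(Counter)
    for _, dev, state in entries:
        per_dev[dev]["unresolved" if state in UNRESOLVED else "resolved"] += 1
    return per_dev


def assess(entries, thresholds=DEFAULT_THRESHOLDS):
    """Rate table size against gc_thresh2/3 and flag interfaces being swept.

    Returns {"total": n, "level": "ok"|"gc_pressure"|"overflow", "suspect_devs": [...]}.
    An interface where unresolved entries outnumber resolved ones and exceed
    gc_thresh1 is a strong sign that a host on it is scanning unused addresses.
    """
    total = len(entries)
    if total >= thresholds["gc_thresh3"]:
        level = "overflow"
    elif total >= thresholds["gc_thresh2"]:
        level = "gc_pressure"
    else:
        level = "ok"
    suspects = sorted(
        dev for dev, c in summarise(entries).items()
        if c["unresolved"] > c["resolved"] and c["unresolved"] >= thresholds["gc_thresh1"]
    )
    return {"total": total, "level": level, "suspect_devs": suspects}


def suggested_sysctl(entries, headroom=2):
    """Propose gc_thresh values with `headroom` times the observed table size.

    gc_thresh3 is rounded up to a power of two; thresh2 and thresh1 keep the
    kernel's default 1/2 and 1/4 proportions. Raising the limits buys time while
    the scanning host is isolated; it is not a substitute for removing it.
    """
    needed = max(1, len(entries) * headroom)
    thresh3 = 1 << (needed - 1).bit_length()
    return [
        "net.ipv4.neigh.default.gc_thresh1 = %d" % (thresh3 // 4),
        "net.ipv4.neigh.default.gc_thresh2 = %d" % (thresh3 // 2),
        "net.ipv4.neigh.default.gc_thresh3 = %d" % thresh3,
    ]


def constructed_sample():
    """Build `ip -4 neigh show` output for a LAN with one host sweeping two /24s (made up)."""
    lines = [
        "192.168.0.1 dev eth0 lladdr 00:11:22:33:44:03 DELAY",
        "192.168.0.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE",
        "192.168.0.11 dev eth0 lladdr 00:11:22:33:44:02 STALE",
        "10.0.0.5 dev eth1 lladdr 00:11:22:33:44:10 REACHABLE",
        "10.0.0.6 dev eth1 lladdr 00:11:22:33:44:11 STALE",
    ]
    # The firewall ARPs for every swept address in 10.0.1.0/24 and 10.0.2.0/24; none answers.
    for third in (1, 2):
        lines += ["10.0.%d.%d dev eth1 INCOMPLETE" % (third, h) for h in range(1, 255)]
    # A few entries already gave up and moved to FAILED.
    lines += ["10.0.3.%d dev eth1 FAILED" % h for h in range(1, 13)]
    return "\n".join(lines)


if __name__ == "__main__":
    neigh = parse_neigh(constructed_sample())
    for dev, counts in sorted(summarise(neigh).items()):
        print("%-6s resolved=%-4d unresolved=%d" % (dev, counts["resolved"], counts["unresolved"]))
    print(assess(neigh))
    print("\n".join(suggested_sysctl(neigh)))
```

On a live firewall the input would come from `ip -4 neigh show` (or `arp -an` on older toolsets); the interface that `assess` names is the segment to look at with a sniffer or with per-port switch counters, and the ebtables/bridge approach from the post is exactly the kind of isolation that stops the entries being created in the first place.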