[ previous ] [ next ] [ threads ]
 
 From:  Mike <lists at southwestech dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] RE: Latest virus kills m0n0wall
 Date:  Sat, 11 Aug 2007 22:27:13 -0600
Jason Collins wrote:
> What about removing the allow all outbound rule and permitting only
> http, https, etc....  I try to do that for most of my corporate clients
> when they will let me for just such a circumstance.  Management might
> not want to keep things that way, but it might do for the week or two of
> high activity.  
> 

I hate to piggy-back this, but I think that may be the quick fix for 
now, at least until you identify this virus and an acceptable way to 
kill it.
I use the mono's in a number of hotels as well, and it got to the point 
where I found I had to deny all and only open up the necessary ports for 
common traffic due to virus issues, P2P, and nasty letters from the 
ISP's regarding uploading movies/ music, etc. The hotel management, when 
presented with the fact that this would alleviate the problems like 
this, as well as the bandwidth consumption, were very accepting. The 
hotels had the free access as a courtesy, not a right, and it should be 
used for access for business, email, and such. If the request came in to 
allow traffic for a particular game or whatever, then it was granted. 
They were almost ALWAYS going over the cap the ISP had, and were paying 
more than they should. Ever since then, I have had no troubles with the 
hotels save for the odd failed component. After a while, the guests did 
not complain, and the management was extremely happy and wanted me to 
leave it that way.
Whether this will actually help in your case, I cannot say. I would 
wonder if the m0n0 would eventually succumb to the constant battery of 
the traffic being blocked. I haven't come up against this yet, so 
someone more experienced with the underlying code might be able to 
answer that.

On a side note, would it be possible for you to post some form of log? I 
would be curious to see what ports, and the destination addresses that 
this virus is using. Usually, this will lead you to the culprit, and may 
tell you to block a particular address(es). You have the beginnings of 
an attack signature, so we could start from there. The reason I ask is 
that I have yet to encounter such a creature, however if it is attacking 
a number of your hotels, then it may be something to prepare for. It 
seems strange that it would be striking your hotels like this on such a 
large scale. If it's something we can identify, maybe we can help as a 
collective.


Mike