Very urgent! Virus problems

I am having serious problems with a worm of some kind.

It is killing my bandwidth and I tried blocking all the ports, but it is not working.

The problem is, I am seeing over a hundred established TCP connections to 207.46.198.60:80

That seems to be a Microsoft web server...

What can I do to stop this?? It's really becoming a huge problem!!

It is only coming from one client, but that customer has 15 PCs... that will take forever to "scan" them all, and that won't cure my problem if someone else has the infection again!!

Thanks!!

First of all, put a rule in the Forward chain that blocks access to this IP address. That’ll buy you some time.

Next, get the customer to scan his PCs. 15 PCs will really not take that long. If they’re not prepared to do that then you could consider throttling their connection to a very small transfer rate until they reconsider.

Regards

Andrew

Hey Andrew, where do I put the forward? Is it src or dst NAT?

I tried putting a new filter rule in my virus block and it will only let me block 207.46.0.0/16... it will not allow me to specify 207.46.199.60, 207.46.198.60, or 207.46.19.60 (all port 80)...

The guy will let me scan his units, but that key word of ME is the problem... I have lotsa other things to do...

Also, how can I keep this from affecting my other clients? They all seem to be getting slow connections b/c of this one office... I need some type of permanent solution for future growth...

Lastly, the timeout counter on my Connections tab has 90:28:03 and counting down, how do I force a timeout??

Let me know of any ideas!! Thanks!!

BTW: the blocking of 207.46.0.0/16 from 10.59.1.33 is working, it's just not getting all the connections...

/ip firewall rule forward

You’ll need separate rules for each IP address you want to drop.

Once you’re dropping this traffic then this will free your link for other more useful traffic.

I would suggest you revisit your Terms and Conditions. Problems with the customer’s computers (viruses, worms etc) should be the customer’s concern, not yours.

Longer term, you need to look at queues and traffic shaping / connection limiting.

Regards

Andrew
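As an added example that is not part of the thread, this is what Andrew's advice (a drop rule per destination host, clearing the tracked connections, a per-host connection cap and a queue) looks like in current RouterOS `/ip firewall filter` syntax rather than the 2.x `/ip firewall rule forward` form used above. The three destination addresses and the client 10.59.1.33 are the ones quoted in the posts; the customer subnet 10.59.1.0/24, the cap of 100 connections and the 512k rate are assumed values.

```routeros
# Added example, not the thread's own configuration. Current RouterOS
# syntax; addresses quoted from the thread, subnet and limits assumed.

/ip firewall address-list
# Collect the three hosts in one list so a single rule can drop all of
# them (the thread's 2.x release needed one rule per host; a /16 block
# was far too broad).
add list=worm-dst address=207.46.198.60 comment="seen from 10.59.1.33"
add list=worm-dst address=207.46.199.60 comment="seen from 10.59.1.33"
add list=worm-dst address=207.46.19.60  comment="seen from 10.59.1.33"

/ip firewall filter
# Drop the worm's outbound connections. Place this above any accept
# rule in the forward chain so it is evaluated first.
add chain=forward src-address=10.59.1.0/24 protocol=tcp dst-port=80 \
    dst-address-list=worm-dst action=drop \
    comment="worm traffic to listed hosts"

# Longer term: cap concurrent TCP connections per source address
# (the ",32" netmask counts each host individually). Log first so the
# infected PC identifies itself instead of scanning all 15 blindly,
# then drop what exceeds the cap. Healthy hosts are unaffected.
add chain=forward protocol=tcp connection-state=new \
    connection-limit=100,32 action=log log-prefix="conn-cap" \
    comment="log hosts exceeding 100 TCP connections"
add chain=forward protocol=tcp connection-state=new \
    connection-limit=100,32 action=drop \
    comment="per-host TCP connection cap"

/ip firewall connection
# Already-established entries keep counting down their timeout even
# after the drop rule exists; remove them instead of waiting.
remove [find dst-address~"207\\.46\\.(198|199|19)\\.60:80"]

/queue simple
# Throttle the one office so its traffic cannot starve other customers.
add name="office-throttle" target=10.59.1.0/24 max-limit=512k/512k
```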