
RE: [Karlnet] Syn packets causing lock ups,... a novel by KSM.

To: "'Karlnet Mailing List'" <karlnet@WISPNotes.com>
Subject: RE: [Karlnet] Syn packets causing lock ups,... a novel by KSM.
From: Travis Lists <travis-lists@netwaveinternet.com>
Reply-to: travis-lists@netwaveinternet.com,Karlnet Mailing List <karlnet@WISPNotes.com>
Date: Wed, 17 Dec 2003 09:01:39 -0500
List-post: <mailto:karlnet@WISPNotes.com>
We actually had this issue with a customer (apartment complex) that had
multiple viruses on site. We put in a D-link DSL router between them and
our CPE and turned on the ICMP filter.

It fixed THAT particular virus issue (Blaster-type).

But now we've seen system-wide simultaneous lockups of Orinoco RGs on a
fully routed network. Karlnet has suggested upgrades to 4.44 all around,
which I've done, as well as some serious firewalling. No more lockups so
far, but time will tell.

Do you have the lock-up issue as well, or just the flood of ARPs killing
your CPE/AP?

Travis
-- 
================================ 
  M. Travis Brown, MCSE 
  Network Systems Engineer 
  NetWave Internet 
  434.386.0656 
  travis@netwaveinternet.com 
================================ 


-----Original Message-----
From: karlnet-bounces@WISPNotes.com
[mailto:karlnet-bounces@WISPNotes.com] On Behalf Of KSM
Sent: Tuesday, December 16, 2003 10:16 PM
To: karlnet@WISPNotes.com
Subject: [Karlnet] Syn packets causing lock ups,... a novel by KSM.


I know this is a moot point as far as some networking is concerned, but
I will put it out there anyways, if only to hear you all's thoughts. 

        My network is 100% Lucent hardware with varying versions of the
firmware installed in each unit. (I am holding out till we have the
financial backing to upgrade the ones that aren't already Karlnet..) It
is also a bridged network, with reason. (see below)

        I am currently having to remove customers (temporarily) who get
viruses on their computer, in particular ones that scan (SYN, etc.)  My
"guess" is that the amount of packets per second with a virus that scans
subnet classes (& ports) to find hosts is greater than what the hardware
can handle, and it makes the unit practically unreachable to remove the
MAC of the unfortunate victim.  I have a decent system for response and
triage, but have been curious as to what else can be done.  It has a
tendency to bring negative feelings towards my company as an ISP when
the network has these moments, and I don't like having to call customers
and deny them service due to what is a common problem in today's world.

        My thoughts are to 
1. Install some kind of pre-network virus software.  We do not at the
moment simply due to the overhead our gateway deals with for what its
responsibilities are, and I am in the process of redesigning and
improving the set-up.  It is directly proportional to how fast my Linux
skills are improving. :) (including installing Cacti to monitor my
links, as it has Karlnet SNMP and MIBs built in!)

2.  (since above alone cannot be 100% efficient... nothing is)
      Upgrade to the latest Karlnet release which had firewalling built
in.  But this is where (finally) my questions come to light:

        Does it keep the unit from being stoned if it is blocking the
ports, or does it merely keep the units post its hierarchy in the
network from also getting bitten?  My thoughts say that if it even
filters the port, it has to respond, say with a RST, which means it will
be consumed anyways (probably even more so).

        My network is bridging (as of moment), mainly due to its
original design.  I am aware that installing "cloud" networks NATed on
the end would eliminate a lot of network-wide issues, but (see above) am
currently in the process of dealing with how this interaction would
break our network and what its limitations are, (including
installing RADIUS to keep my authentication central, which is an
integral part to our current network architecture.)  I have yet to have
a huge amount of luck with Karlnet Config being able to scan across
subnets, and like the visibility and control of a bridged system as well.
This IS wireless :0

        Since I am an ISP, port filtering is something I try to avoid to
keep my customers' options open, and keep the "pipe" as intact as
possible, (although our firewall is blocking "some" known evil ports.)
Anyone else share this opinion?

        As you can tell, I am quite long-winded, but always appreciate
the chance to share my thoughts with the community.  Any feedback or
otherwise is appreciated.

Thanks in advance!

Scott

                 

_______________________________________________
Karlnet mailing list
Karlnet@WISPNotes.com
http://lists.wispnotes.com/mailman/listinfo/karlnet

