
Help needed with constant DNS requests/overload

Discussion in 'Networking (Hardware & Software)' started by markjrees, 2003/09/02.

Thread Status:
Not open for further replies.
  1. 2003/09/02
    markjrees

    markjrees Inactive Thread Starter

    Joined:
    2003/09/02
    Messages:
    49
    Likes Received:
    0
    We're having trouble with too many DNS requests overloading our Win 2k NAT (Network Address Translation) server and causing it to crash. Up until about 2 weeks ago everything was working fine.

    We've used some port monitoring software on our NAT server which shows the traffic coming to it via our Windows 2k domain controller. We've also monitored our Win 2k domain controller which shows the traffic coming to it via our Win XP workstations.

    It's coming from the workstations, to our Win 2k domain controller/DNS server and then over to our Win 2k NAT server. The domain controller passes it to the NAT server via the default gateway - and it passes it because it can't resolve the name itself (an internet name (www)).

    We've tried eliminating the NAT server by using an ADSL/Broadband router instead but still the traffic continues. It's bringing our net connection to a complete standstill.

    Any help would be massively appreciated. We live in hope!!

    Cheers in advance for this one.
     
  2. 2003/09/02
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mark

    Need more info BUT! This sounds like a DOS attack. You said this seems (are you positive) to come from the inside.

    Don't make the mistake of thinking a DOS always comes from the outside.

    I don't mean you think so, but are you absolutely positive your Server and workstations are clear of Viri and spy/adware. If you need I can make suggestions and give links here.

    Are "all" service packs up to date on "all" stations and server? And specifically the MBlaster family fixes?

    Did you get hit on any station on the system with MBlaster or any other damaging virus recently?

    When did this begin?

    Do you have a baseline of normalcy before the flood?

    You did not give any indication as to the size of your network. How many servers, primary use? Special applications? Host a website? Mixture of 98, 2k Xp workstations?

    I suggest you take the entire system down. If you have multiple switches or hubs then power these down to eliminate entire segments.

    Then bring up the server alone and use your sniffer, then bring the workstations on 1 at a time checking again with the sniffer at each step.

    If you do have multiple switches/hubs/routers you may be able to pinpoint a group to concentrate on by turning these on one at a time.

    You may have some troublesome computers/users. Especially those that were hit by a Virus lately. And those users that tend to be "adventuresome" I would bring these up first?

    The above may not be easy or convenient but you never indicated the size.

    I am off work today but will be in and out. I will keep a check for responses from you.

    Please don't skip answering "any" questions above!

    Mike
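    The "baseline of normalcy, then watch the sniffer as each station comes up" step Mike describes can be done on a capture instead of by unplugging cables. This is an added example, not code from the thread: it assumes the sniffer can export one DNS query per line as "date time src_ip query_name" (the sample lines, addresses and hostnames below are constructed), and flags any workstation whose busiest minute exceeds the pre-flood baseline by a chosen factor.

```python
from collections import defaultdict

# Constructed sniffer export (not from the thread): "YYYY-MM-DD HH:MM:SS src_ip qname".
# Two quiet workstations (.21, .22) and one (.23) hammering the DNS server.
SAMPLE_LOG = "\n".join(
    ["2003-09-02 09:00:01 192.168.1.21 www.example.com",
     "2003-09-02 09:00:07 192.168.1.22 mail.example.com"]
    + [f"2003-09-02 09:00:{10 + i:02d} 192.168.1.23 h{i}.example.net" for i in range(40)]
    + ["2003-09-02 09:01:05 192.168.1.21 www.example.org"]
)


def parse_queries(text):
    """Parse capture lines into (minute_bucket, src_ip, qname); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something the sniffer printed that is not a query
        day, clock, src, qname = parts
        minute = f"{day} {clock[:5]}"  # bucket by minute, e.g. "2003-09-02 09:00"
        records.append((minute, src, qname))
    return records


def peak_rate_per_host(records):
    """Highest number of queries seen in any single minute, per source IP."""
    per_minute = defaultdict(int)
    for minute, src, _ in records:
        per_minute[(src, minute)] += 1
    peak = defaultdict(int)
    for (src, _), n in per_minute.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def flag_flooding_hosts(records, baseline_per_minute=5, factor=4):
    """Return {src_ip: peak_per_minute} for hosts whose busiest minute reached
    factor * baseline. baseline_per_minute is the figure measured before the
    flood (Mike's "baseline of normalcy"); the defaults here are assumptions."""
    threshold = baseline_per_minute * factor
    return {src: n for src, n in peak_rate_per_host(records).items() if n >= threshold}


if __name__ == "__main__":
    flagged = flag_flooding_hosts(parse_queries(SAMPLE_LOG))
    for src, n in sorted(flagged.items()):
        print(f"{src}: {n} DNS queries in one minute - isolate and scan this station first")
```

    A host that stands out here is the one to take off the segment and scan before bringing the rest back up.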
     


  4. 2003/09/02
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    And yes keep it to one thread! THIS ONE!

    Mike
     
  5. 2003/09/02
    markjrees

    markjrees Inactive Thread Starter

    Joined:
    2003/09/02
    Messages:
    49
    Likes Received:
    0
    We've cracked it!

    It was the NACHI virus (a variant of the Blaster worm) - details here:- http://www.sophos.com/virusinfo/analyses/w32nachia.html

    We used the tools from the Sophos website and the associated Microsoft patches and all seems to be OK now. The sniffer proggy isn't picking up any rogue/constant packets and the lights on our ADSL box are back to normal.

    One thing I would say, and invite comments on, is that the anti-virus software we use (Sophos) didn't automatically pick the Nachi virus up - we had to manually run the software AND run the Sophos patch to remove the Nachi virus. Still, in the end we've sorted it - and hopefully we've sorted it for good!

    If anyone wants any further info - symptoms etc. then let me know.


    cheers for your responses!
     
  6. 2003/09/02
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Really about what I thought you would find. A Blaster derivative or some other virus.

    The reason that the Virus scanner may have missed it is that it uses a MS vulnerability (exploit) to basically come in the side door past the Scanner.

    Make sure you get the MS patch on all of your 2k and Xp stations. Additionally all Virus scanners should be updated and run on all stations as this is a network aware bug. Skip this step at your own peril! It could end up on all!

    Most Virus scanners are now looking for this but at the time it came in, perhaps many days ago maybe the dat files from Sophos were not ready at that time or they had not been updated, and probably needed a full scan to detect after the fact.

    Mike
     
  7. 2003/09/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Nice catch Mike.
     
    Newt,
    #6
  8. 2003/09/02
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Thanks Newt!

    I git one rite ever once in a whilst!

    Mike
     