Handling Code Red & Future Worms
E. Larry Lidz
ellidz at eridu.uchicago.edu
Mon Aug 6 17:41:02 GMT 2001
When I left work on Friday, we have no machines on the network
vulnerable to the bug that Code Red exploits. We also had blocks in
place to prevent incoming web connections to our modem pool(s) and the
large DHCP pools on campus (since such machines wouldn't have been
caught by our preemptive scan for vulnerable machines).
Yet over the weekend, I got paged over a half dozen times with machines
that were installed over the weekend with insecure IIS servers. Our
average uncompromised life expectancy (AULE, to coin an acronym) of a
non-secured IIS machine is currently 61 minutes or so (down from about
Now, on an average day, we see 30-60 new machines appear on our network.
Let's assume for a minute, and I think this is a safe assumption, that
we're going to see more worms like CodeRed and CodeRedII. If this is the
case, I think we can assume that the AULE of every unsecured OS is going
to drop dramatically. Furthermore, we can expect more outgoing attacks
(many compromises the intruder doesn't attack outward, yet I suspect
most worms will attack outward).
Currently, we only get notified of compromised machines over the weekend
if they're attacking outward. If we find such a machine, we pull it
from the network. If every machine that gets put up insecurely over the
weekend is broken into and attacks outward in almost no time flat, we're
going to be paged a lot more than we used to. Being paged is no fun.
Assume, of course, that we can't educate everyone to prevent them from
putting machines on the network until after they are secured (if we
could have, we would have).
So, my question is: anyone have any good ideas how to handle this, other
than having staff around 7 days a week?
E. Larry Lidz Phone: (773)702-2208
Sr. Network Security Officer Fax: (773)702-0559
Network Security Center, The University of Chicago
More information about the unisog