[unisog] Handling Code Red & Future Worms

Paul L Schmehl pauls at utdallas.edu
Mon Aug 6 18:58:56 GMT 2001


We have been working on the following plan:

1) All servers must be registered with IR, must be subject to constant 
scanning and must be properly maintained or they will be disconnected.
2) All registered servers reside on VLANs that we control the access to.
3) Unregistered servers reside anywhere else, and those VLANs don't have 
access to the Internet to provide services.  (E.g. incoming port 80 
requests won't be processed, etc.)

--On Monday, August 06, 2001 12:41 PM -0500 "E. Larry Lidz" 
<ellidz at eridu.uchicago.edu> wrote:

>
> When I left work on Friday, we had no machines on the network
> vulnerable to the bug that Code Red exploits. We also had blocks in
> place to prevent incoming web connections to our modem pool(s) and the
> large DHCP pools on campus (since such machines wouldn't have been
> caught by our preemptive scan for vulnerable machines).
>
> Yet over the weekend, I got paged over a half dozen times with machines
> that were installed over the weekend with insecure IIS servers. Our
> average uncompromised life expectancy (AULE, to coin an acronym) of a
> non-secured IIS machine is currently 61 minutes or so (down from about
> two days).
>
> Now, on an average day, we see 30-60 new machines appear on our network.
>
> Let's assume for a minute, and I think this is a safe assumption, that
> we're going to see more worms like CodeRed and CodeRedII. If this is the
> case, I think we can assume that the AULE of every unsecured OS is going
> to drop dramatically. Furthermore, we can expect more outgoing attacks
> (in many compromises the intruder doesn't attack outward, yet I suspect
> most worms will attack outward).
>
> Currently, we only get notified of compromised machines over the weekend
> if they're attacking outward. If we find such a machine, we pull it
> from the network. If every machine that gets put up insecurely over the
> weekend is broken into and attacks outward in almost no time flat, we're
> going to be paged a lot more than we used to. Being paged is no fun.
>
> Assume, of course, that we can't educate everyone to prevent them from
> putting machines on the network until after they are secured (if we
> could have, we would have).
>
> So, my question is: anyone have any good ideas how to handle this, other
> than having staff around 7 days a week?
>
> -Larry
>
> ---
> E. Larry Lidz                                        Phone: (773)702-2208
> Sr. Network Security Officer                         Fax:   (773)702-0559
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml



Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
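The two checks this thread turns on, automated so that nobody has to be paged for them: spotting a campus host that starts fanning out to many distinct destinations on TCP/80 (attacking outward), and spotting a campus host that answers inbound web connections without being in the server registry. This is an added example, not code from either poster or their institutions; the flow-log format, the campus address range, the registry contents and the thresholds are all assumptions, and the sample log is constructed inline.

```python
"""Weekend checks over firewall/flow logs.

Added example, not from the unisog thread. Assumed log record format:
"<epoch> <src> <sport> <dst> <dport> <tcp-flags>", one flow per line.
"""
from collections import defaultdict

CAMPUS_PREFIX = "10.1."              # assumption: campus address space
REGISTERED_SERVERS = {"10.1.9.80"}   # assumption: servers registered with IR


def build_sample_log():
    """Constructed sample flows: one scanning host, one browsing host,
    one slow-drip host, and an outside client probing two campus web servers."""
    base = 997120800
    lines = []
    # worm-like behaviour: SYNs to 30 distinct destinations in 30 seconds
    for i in range(30):
        lines.append(f"{base + i} 10.1.5.23 {1025 + i} 192.0.2.{i + 1} 80 S")
    # ordinary browsing: three fetches to two destinations
    for i, dst in enumerate(("198.51.100.5", "198.51.100.6", "198.51.100.5")):
        lines.append(f"{base + i * 10} 10.1.7.4 {2000 + i} {dst} 80 S")
    # slow drip: 25 distinct destinations, one every five minutes
    for i in range(25):
        lines.append(f"{base + i * 300} 10.1.8.9 {3000 + i} 203.0.113.{i + 1} 80 S")
    # an outside client connects to two campus hosts on 80; both answer (SYN-ACK)
    lines.append(f"{base + 5} 198.51.100.77 40000 10.1.5.23 80 S")
    lines.append(f"{base + 5} 10.1.5.23 80 198.51.100.77 40000 SA")
    lines.append(f"{base + 6} 198.51.100.77 40001 10.1.9.80 80 S")
    lines.append(f"{base + 6} 10.1.9.80 80 198.51.100.77 40001 SA")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the assumed record format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        flows.append((int(ts), src, int(sport), dst, int(dport), flags))
    return flows


def is_campus(ip):
    return ip.startswith(CAMPUS_PREFIX)


def find_outward_scanners(flows, port=80, window=60, threshold=20):
    """Return {src: peak distinct destinations} for campus hosts that send
    bare SYNs to at least `threshold` distinct off-campus hosts on `port`
    within any `window`-second span. Slow, spread-out activity stays below
    the threshold; worm-style sweeps do not."""
    by_src = defaultdict(list)
    for ts, src, _, dst, dport, flags in flows:
        if dport == port and flags == "S" and is_campus(src) and not is_campus(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {d for t, d in events[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def find_unregistered_web_servers(flows, registry=REGISTERED_SERVERS, port=80):
    """Campus hosts that complete a handshake (SYN-ACK from sport `port`)
    with an off-campus client but are not in the registry."""
    answering = {src for _, src, sport, dst, _, flags in flows
                 if sport == port and flags == "SA"
                 and is_campus(src) and not is_campus(dst)}
    return sorted(answering - set(registry))


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("outward scanners:", find_outward_scanners(flows))
    print("unregistered web servers:", find_unregistered_web_servers(flows))
```

Either list is what a pager (or a script that shuts the switch port) would act on; the window and threshold are tuning knobs, and the run below shows the slow-drip host only crossing the threshold when the window is widened to cover it.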
