[unisog] Handling Code Red & Future Worms

Martin, James E. martin at more.net
Mon Aug 6 19:34:38 GMT 2001

Our AUP includes the following...

"It is not acceptable to use [the network] in a manner that intentionally or
negligently disrupts normal network use and service.  Such disruption would
include the intentional or negligent propagation of computer viruses, the
violation of personal privacy, and the unauthorized access to protected and
private network resources."

Devices and networks with a "history" of problems can be looked at for
possible organizational violations (i.e., failure to maintain leading to
repeated disruption of service). We also occasionally spot check networks
that have a history.  


James E. Martin        
University of Missouri System                    
MOREnet Network Security Coordinator                      

-----Original Message-----
From: Paul L Schmehl [mailto:pauls at utdallas.edu]
Sent: Monday, August 06, 2001 1:59 PM
To: E. Larry Lidz; unisog at sans.org
Subject: Re: [unisog] Handling Code Red & Future Worms

We have been working on the following plan:

1) All servers must be registered with IR, must be subject to constant 
scanning and must be properly maintained or they will be disconnected.
2) All registered servers reside on VLANs that we control the access to.
3) Unregistered servers reside anywhere else, and those VLANs don't have 
access to the Internet to provide services.  (E.g. incoming port 80 
requests won't be processed, etc.)

--On Monday, August 06, 2001 12:41 PM -0500 "E. Larry Lidz" 
<ellidz at eridu.uchicago.edu> wrote:

> When I left work on Friday, we have no machines on the network
> vulnerable to the bug that Code Red exploits. We also had blocks in
> place to prevent incoming web connections to our modem pool(s) and the
> large DHCP pools on campus (since such machines wouldn't have been
> caught by our preemptive scan for vulnerable machines).
> Yet over the weekend, I got paged over a half dozen times with machines
> that were installed over the weekend with insecure IIS servers. Our
> average uncompromised life expectancy (AULE, to coin an acronym) of a
> non-secured IIS machine is currently 61 minutes or so (down from about
> two days).
> Now, on an average day, we see 30-60 new machines appear on our network.
> Let's assume for a minute, and I think this is a safe assumption, that
> we're going to see more worms like CodeRed and CodeRedII. If this is the
> case, I think we can assume that the AULE of every unsecured OS is going
> to drop dramatically. Furthermore, we can expect more outgoing attacks
> (many compromises the intruder doesn't attack outward, yet I suspect
> most worms will attack outward).
> Currently, we only get notified of compromised machines over the weekend
> if they're attacking outward. If we find such a machine, we pull it
> from the network. If every machine that gets put up insecurely over the
> weekend is broken into and attacks outward in almost no time flat, we're
> going to be paged a lot more than we used to. Being paged is no fun.
> Assume, of course, that we can't educate everyone to prevent them from
> putting machines on the network until after they are secured (if we
> could have, we would have).
> So, my question is: anyone have any good ideas how to handle this, other
> than having staff around 7 days a week?
> -Larry
> ---
> E. Larry Lidz                                        Phone: (773)702-2208
> Sr. Network Security Officer                         Fax:   (773)702-0559
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

Paul L. Schmehl, pauls at utdallas.edu
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member

More information about the unisog mailing list