counting down to midnight

Russell Fulton r.fulton at auckland.ac.nz
Fri Aug 15 03:55:33 GMT 2003


We have had a busy morning getting ready to cope with the expected DoS
from Blaster.  This email to our computer support staff outlines what we
are doing...

<quote>
Hi All,
        We are pursuing 4 strategies to mitigate the effect of the
expected DoS:
     1. Continue working on getting infected machines cleaned and
        patched (this is the most important process!).
     2. We are currently putting access lists on sector switches that block
        all traffic to the IP addresses used by windowsupdate.com.
     3. We are also filtering outbound traffic that does not have
        130.216.0.0/16 source addresses.
     4. We have 'poisoned' our DNS so that any attempts to resolve
        windowsupdate.com will resolve to 127.0.0.1 i.e. the loopback
        interface.
</quote>

We are now down to around 10 infected machines and hope to have most of
those off the net by end of day.  Also we seem to have stopped the
trickle of new infections so hopefully the SYN Flood will be more of a
SYN trickle.  To be on the safe side we are filtering traffic onto our
backbone so even if more infected machines do appear any problems will
be contained and the DoS traffic will be kept off the backbone.

On Monday we will review how things are going and probably drop some of
the filters or the DNS poisoning.  I'm inclined to leave the local
source address filter as such traffic is always bad ;-)

I'll check things in the small hours tomorrow morning to see if all is
ok and I will drop a note to the list if there is anything noteworthy
to report.

<whinge>  why do we have to be first all the time! </whinge>  ;-)

More worrying is the number of systems that are still showing as
unpatched.  These are presumably NT boxes that are not affected by the
current worm.  I'm worried that now the worm crisis is 'over' that I
will have difficulty maintaining the momentum of the patching campaign.

Does anyone know how easy or otherwise it is to modify the worm to work
with NT?  Is it just a matter of fiddling the offsets with a hex editor?

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
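The three network-side measures in the quoted note (a destination ACL for the windowsupdate.com addresses, an egress filter on the 130.216.0.0/16 source prefix, and a DNS sinkhole to 127.0.0.1) are easy to reason about as a small rule set. The following is an added example, not the University of Auckland's switch or DNS configuration: it models the filters in Python over a constructed sample of outbound flows. The 130.216.0.0/16 prefix and the 127.0.0.1 answer come from the post; the blocked destination addresses are RFC 5737 placeholders, since the post does not list the real windowsupdate.com addresses, and the `upstream` dictionary stands in for a real recursive lookup.

```python
import ipaddress
from typing import Dict, Iterable, NamedTuple, Optional

# Campus prefix as stated in the post.
LOCAL_PREFIX = ipaddress.ip_network("130.216.0.0/16")

# Placeholder destinations (RFC 5737 TEST-NET-1) standing in for the
# windowsupdate.com addresses the switch ACLs block; constructed, not from the post.
BLOCKED_DESTINATIONS = frozenset({
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
})

# Zone whose lookups the poisoned resolver answers with the loopback address.
SINKHOLED_ZONE = "windowsupdate.com"
SINKHOLE_ANSWER = "127.0.0.1"


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def egress_verdict(flow: Flow) -> str:
    """Apply the two packet filters in the order a border device would:
    source-address check first, then the destination ACL."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in LOCAL_PREFIX:
        return "drop:non-local-source"
    if dst in BLOCKED_DESTINATIONS:
        return "drop:blocked-destination"
    return "permit"


def resolve(name: str, upstream: Dict[str, str]) -> Optional[str]:
    """Poisoned-resolver behaviour: the sinkholed zone and every name under it
    resolve to loopback; anything else is answered from `upstream`, which is a
    stand-in (assumption) for a real recursive lookup."""
    qname = name.lower().rstrip(".")
    if qname == SINKHOLED_ZONE or qname.endswith("." + SINKHOLED_ZONE):
        return SINKHOLE_ANSWER
    return upstream.get(qname)


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count verdicts per bucket; the two drop buckets are what you would
    graph to check whether the SYN flood really has become a trickle."""
    counts: Dict[str, int] = {}
    for flow in flows:
        verdict = egress_verdict(flow)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample of outbound flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("130.216.4.20", "192.0.2.10", 80),     # infected host -> blocked destination
    Flow("130.216.4.20", "192.0.2.11", 80),
    Flow("10.9.8.7", "192.0.2.10", 80),         # non-local source, dropped first
    Flow("130.216.12.3", "198.51.100.5", 443),  # ordinary traffic, permitted
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(resolve("windowsupdate.com", {}))
    print(resolve("www.example.org", {"www.example.org": "198.51.100.9"}))
```

Ordering matters in `egress_verdict`: the source check runs before the destination ACL, so a packet that fails both is counted against the source filter, which is the rule the post says will stay in place after the others are dropped.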



More information about the unisog mailing list