counting down to midnight
r.fulton at auckland.ac.nz
Fri Aug 15 03:55:33 GMT 2003
We have had a busy morning getting ready to cope with the expected DOS
from Blaster. This email to our computer support staff outlines what we
We are pursuing 4 strategies to mitigate the effect of the
1. Continue working on getting infected machines cleaned and
patched (this is the most important process!).
2. We are currently putting access lists sector switches that block
and traffic to the IP addresses used by windowsupdate.com.
3. We are also filtering outbound traffic that does not have
184.108.40.206/16 source addresses.
4. We have 'poisoned' our DNS so that any attempts to resolve
windowsupdate.com will resolve to 127.0.0.1 i.e. the loopback
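As an added illustration of strategies 2, 3 and 4 above (this is example code written for this page, not anything from the original message or from the University of Auckland), here is a small offline model of the three network-side filters: the access list that drops traffic to the windowsupdate.com addresses, the outbound filter that drops packets whose source address is not in the campus prefix, and the DNS sinkhole that answers windowsupdate.com with the loopback address. Every address in it is a constructed placeholder from the RFC 5737 documentation ranges, the campus prefix is a stand-in /24 rather than the real /16, and the flow records are made up; the function names (outbound_verdict, dns_answer, filter_flows, summarize) are the example's own.

```python
"""Added example: offline model of the three network-side Blaster mitigations.
All addresses are constructed placeholders (RFC 5737 documentation ranges),
not the university's real prefix or the real windowsupdate.com addresses."""
import ipaddress
from typing import Dict, List, Tuple

# Stand-in for the campus prefix that the outbound source-address filter allows
# (the message describes a /16; a documentation /24 is used here).
CAMPUS_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# Stand-in for the windowsupdate.com addresses blocked by the switch access lists.
BLOCKED_DESTS = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("203.0.113.11"),
}

# Zones the 'poisoned' DNS answers with the loopback address (matches the
# zone itself and anything underneath it).
SINKHOLED_ZONES = ("windowsupdate.com",)
LOOPBACK = "127.0.0.1"


def outbound_verdict(src: str, dst: str) -> str:
    """Apply strategies 2 and 3 to one outbound packet and return the verdict."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in CAMPUS_PREFIX:
        # Strategy 3: egress anti-spoofing filter on the backbone.
        return "drop:non-local-source"
    if dst_ip in BLOCKED_DESTS:
        # Strategy 2: access list on the sector switches.
        return "drop:blocked-destination"
    return "permit"


def dns_answer(qname: str, real_answer: str) -> str:
    """Apply strategy 4: names in a sinkholed zone resolve to loopback."""
    name = qname.rstrip(".").lower()
    for zone in SINKHOLED_ZONES:
        if name == zone or name.endswith("." + zone):
            return LOOPBACK
    return real_answer


# Constructed flow records, one "src dst" pair per line, as a flow collector
# might log outbound traffic from a sector.
SAMPLE_FLOWS = """\
198.51.100.7 203.0.113.10
198.51.100.7 192.0.2.50
198.51.4.200 203.0.113.10
10.9.8.7 192.0.2.50
198.51.100.9 203.0.113.11
"""


def filter_flows(text: str = SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """Run every flow line through the filters; return (src, dst, verdict)."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst = line.split()
        results.append((src, dst, outbound_verdict(src, dst)))
    return results


def summarize(results: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count verdicts so an operator can see how much each filter is absorbing."""
    counts: Dict[str, int] = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    res = filter_flows()
    for src, dst, verdict in res:
        print(f"{src:>15} -> {dst:<15} {verdict}")
    print(summarize(res))
    # Constructed query names; only the first two fall inside the sinkholed zone.
    print("windowsupdate.com ->", dns_answer("windowsupdate.com", "203.0.113.10"))
    print("www.windowsupdate.com ->", dns_answer("www.windowsupdate.com.", "203.0.113.11"))
    print("example.org ->", dns_answer("example.org", "192.0.2.1"))
```

The source-address check runs before the destination check on purpose: a packet with a non-local source is dropped whatever it is aimed at, which is the "always bad" property the message relies on when it talks about keeping that filter in place. The sinkhole match is on zone boundaries, so a name that merely ends in the string windowsupdate.com (without the dot) is left alone.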
We are now down to around 10 infected machines and hope to have most of
those off the net by end of day. Also we seem to have stopped the
trickle of new infections so hopefully the SYN Flood will be more of a
SYN trickle. To be on the safe side we are filtering traffic onto our
backbone so even if more infected machines do appear any problems will
be contained and the DOS traffic will be kept off the backbone.
On Monday we will review how things are going and probably drop some of
the filters or the DNS poisoning. I'm inclined to leave the local
source address filter as such traffic is always bad ;-)
I'll check things in the small hours tomorrow morning to see if all is
ok and I will drop a note to the list if there is anything noteworthy.
<whinge> why do we have to be first all the time! </whinge> ;-)
More worrying is the number of systems that are still showing as
unpatched. These are presumably NT boxes that are not affected by the
current worm. I'm worried that now that the worm crisis is 'over' I
will have difficulty maintaining the momentum of the patching campaign.
Does anyone know how easy or otherwise it is to modify the worm to work
with NT? Is it just a matter of fiddling the offsets with a hex editor?
Russell Fulton, Network Security Officer, The University of Auckland,