[unisog] UConn's Residential Network Beat the Worms

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Tue Aug 26 15:39:57 GMT 2003


A couple of people have asked me this privately.  I guess it is a concern. :-)

All I really know is this:

9444 computers registered
2482 patches given to computers with NetReg IPs
0423 computers currently infected with Welchia

I also know two things: computers were infected at home and brought into 
this network infected, and computers were infected across the private 
NetReg networks per complex.  I just don't know how many.

I do know that "computers will all get infected through the NetReg LAN" is 
not true.  We scanned 26% of them as vulnerable, and they would not have 
been vulnerable if they had already been infected by Welchia.  We did see 
the numbers of infected hosts rise over time, but that could have been 
from more computers being carried into the network.  It certainly did not 
rise as fast as we would expect to see in a widespread infection.

What we also saw was generally a 1:1 ratio of infected hosts in the 
private network to infected hosts in the public network.  If there were 15 
infected hosts on the private network and 5 infected hosts on the public 
network, later in the day we would see 2 infected hosts on the private 
network and 18 on the public network.  The public network is 99% immune 
to the worm, so once hosts went there the infections stopped spreading.
 
I would definitely recommend segmenting off ports into private networks if 
possible.  Does that give you the ability to filter out ICMP or TFTP per 
port?  Darn, wish we could do that!

Phil

PS - I am an amateur network statistician at best.  If someone has grave 
concerns with these statements or assumptions feel free to shoot me a 
note!

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================


carr at caustic.nsg.nwu.edu
08/26/2003 08:22 AM
Please respond to d-carr

To: Phil.Rodrigues at uconn.edu
cc:
Subject: Re: [unisog] UConn's Residential Network Beat the Worms


Phil.Rodrigues at uconn.edu writes:
> 
> Hi all,
> 
> From August 21-24, 2003 we had 11,500 students return to the residence 
> halls.  9,100 students registered their computers through NetReg and 
> successfully connected to the campus network and the Internet, mostly on 
> Saturday and Sunday.  We automatically scanned and identified 2,500 (27%) 
> of those computers as vulnerable and redirected them to a page where they 
> downloaded and installed the patch.  That is 2,500 computers that were 
> patched without staff intervention, and that were not infected with the 
> worm, and that did not generate a support phone-call or visit.

Phil, do you have any measure of hosts within the same broadcast
domain infecting each other?  We still have a little time before our
students come to campus and are considering using the Cisco Private VLAN 
protected port feature of the switches. The feature stops two hosts on
the same LAN from talking directly to each other. We can then put
VACLs on the router interfaces to limit the hosts from infecting each 
other.

Has anyone else done this?

Dave
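As an added illustration, not part of Dave's message or of UConn's or Northwestern's actual configuration, here is a Cisco IOS fragment of the kind the paragraph above describes: protected access ports plus a VLAN access map that drops the ICMP echo and TFTP traffic Phil mentions while forwarding everything else. VLAN 100, the interface range and the ACL and map names are placeholders.

```cisco
! Placeholder: VLAN 100 stands for one residence-hall NetReg segment
! (constructed example, not a real campus configuration).
!
! Traffic the VACL will drop inside the VLAN: ICMP echo (the worm's
! host discovery) and TFTP (its payload transfer).
ip access-list extended WORM-PROPAGATION
 permit icmp any any echo
 permit udp any any eq tftp
!
! VLAN access map: sequence 10 drops the matches, sequence 20 forwards
! the rest.  Without the final forward clause a VACL drops all traffic
! that no sequence matched.
vlan access-map BLOCK-WORM 10
 match ip address WORM-PROPAGATION
 action drop
vlan access-map BLOCK-WORM 20
 action forward
!
! Apply the map to the VLAN; it filters traffic bridged within VLAN 100
! as well as traffic routed into or out of it.
vlan filter BLOCK-WORM vlan-list 100
!
! Protected ports: no direct unicast, broadcast or multicast between two
! protected ports on the same switch.  Traffic to the uplink (and so to
! hosts on other switches) still flows, which is why the VACL is needed.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 100
 switchport protected
```

Dropping all ICMP echo also blocks legitimate ping into and out of the VLAN, including any scanner that pings before probing, so scope the ACL to the residential address space and test it before enrolment weekend.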
