[unisog] UConn's Residential Network Beat the Worms
Phil.Rodrigues at uconn.edu
Tue Aug 26 15:39:57 GMT 2003
A couple people have asked me this privately. I guess it is a concern.
All I really know is this:
9444 computers registered
2482 patches given to computers with NetReg IPs
0423 computers currently infected with Welchia
I also know two things: computers were infected at home and brought into
this network infected, and computers were infected across the private
NetReg networks per complex. I just don't know how many.
I do know that "computers will all get infected through the NetReg LAN" is
not true. We scanned 26% of them as vulnerable, and they would not have
been vulnerable if they had already been infected by Welchia. We did see
the numbers of infected hosts rise over time, but that could have been
from more computers being carried into the network. It certainly did not
rise as fast as we would expect to see in a widespread infection.
What we also saw was generally a 1:1 ratio of infected hosts in the
private network to infected hosts in the public network. If there were 15
infected hosts on the private network and 5 infected hosts on the public
network, later in the day we would see 2 infected hosts on the private
network and 18 on the public network. The public network is 99% immune
to the worm, so once hosts went there the infections stopped spreading.
I would definitely recommend segmenting off ports into private networks if
possible. Does that give you the ability to filter out ICMP or TFTP per
port? Darn, wish we could do that!
PS - I am an amateur network statistician at best. If someone has grave
concerns with these statements or assumptions feel free to shoot me a
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut
email: phil.rodrigues at uconn.edu
carr at caustic.nsg.nwu.edu
08/26/2003 08:22 AM
Please respond to d-carr
To: Phil.Rodrigues at uconn.edu
Subject: Re: [unisog] UConn's Residential Network Beat the Worms
Phil.Rodrigues at uconn.edu writes:
> Hi all,
> From August 21-24, 2003 we had 11,500 students return to the residence
> halls. 9,100 students registered their computers through NetReg and
> successfully connected to the campus network and the Internet, mostly on
> Saturday and Sunday. We automatically scanned and identified 2,500
> of those computers as vulnerable and redirected them to a page where they
> downloaded and installed the patch. That is 2,500 computers that were
> patched without staff intervention, and that were not infected with the
> worm, and that did not generate a support phone-call or visit.
Phil, do you have any measure of hosts within the same
domain infecting each other? We still have a little time before our
students come to campus and are considering using the Cisco Private VLAN
protected port feature of the switches. The feature stops two hosts on
the same LAN from talking directly to each other. We can then put
VACLS on the router interfaces to limit the hosts from infecting each
Has anyone else done this?
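For readers unfamiliar with the switch-side approach d-carr describes, here is what it looks like in Cisco IOS syntax: protected ports so hosts on the same access VLAN cannot reach each other directly, plus a VLAN access map that drops the ICMP echo and TFTP traffic Phil wished he could filter. This is an added illustration, not configuration posted by either author; the VLAN number, interface range and object names are placeholders to adapt to your own platform.

```cisco
! Placeholder: residence-hall access ports live in VLAN 10
! Protected ports cannot send unicast, broadcast or multicast
! frames to each other; traffic can only leave via an unprotected
! (uplink) port, so host-to-host spread inside the VLAN is stopped.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Traffic the worm relies on to find and pull itself onto new hosts:
! ICMP echo sweeps and TFTP (UDP/69) fetches. A "permit" here means
! "this is a match for the access map below", not "allow".
ip access-list extended WORM-TRAFFIC
 permit icmp any any echo
 permit udp any any eq tftp
!
! VLAN access map: drop the matched worm traffic, forward the rest.
vlan access-map BLOCK-WORM 10
 match ip address WORM-TRAFFIC
 action drop
vlan access-map BLOCK-WORM 20
 action forward
!
! Apply the map to the residence-hall VLAN
vlan filter BLOCK-WORM vlan-list 10
```

Dropping all ICMP echo inside the VLAN also breaks ping between residents and any monitoring that relies on it, so check what the trade-off costs before rolling it out campus-wide.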