[unisog] UConn's Residential Network Beat the Worms

Marc Jimenez mjimenez at net.tufts.edu
Tue Aug 26 21:33:39 GMT 2003

Hi Dave,
	We had our first batch of 400 students move in yesterday. We saw a
mean time to infection of 20 seconds. That was almost entirely
cross-infection from machines on the same subnet, or within our ResNet.
	We put in L3 ACLs on our 3550 switchports to limit port 135 and 69
inbound, while blocking port 135 and 69 outbound from the router. This has
seemed to put a stop to the cross-infections, without stopping student
machines from otherwise communicating with one another, and without
driving the router CPU through the roof.
	We also put rules in those same switchport ACLs to stop machines
on our registration and restricted networks from cross-communicating, and
to stop rogue DHCP servers.


Marc Jimenez
Network Engineering
Tufts University

On Tue, 26 Aug 2003 carr at caustic.nsg.nwu.edu wrote:

> Phil.Rodrigues at uconn.edu writes:
> >
> > Hi all,
> >
> > From August 21-24, 2003 we had 11,500 students return to the residence
> > halls.  9,100 students registered their computers through NetReg and
> > successfully connected to the campus network and the Internet, mostly on
> > Saturday and Sunday.  We automatically scanned and identified 2,500 (27%)
> > of those computers as vulnerable and redirected them to a page where they
> > downloaded and installed the patch.  That is 2,500 computers that were
> > patched without staff intervention, and that were not infected with the
> > worm, and that did not generate a support phone-call or visit.
> 	Phil, do you have any measure of hosts within the same broadcast
> domain infecting each other?  We still have a little time before our
> students come to campus and are considering using the Cisco Private VLAN
> protected port feature of the switches. The feature stops two hosts on
> the same LAN from talking directly to each other. We can then put
> VACLs on the router interfaces to limit the hosts from infecting each other.
> 	Has anyone else done this?
> Dave
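
The per-port and router filtering Marc describes above, sketched as Cisco IOS configuration. This is an added example, not configuration from the original post; the ACL names, interface names, and the choice of TCP for port 135 and UDP for port 69 are assumptions.

```cisco
! Constructed example. ACL names, interface names and the protocol
! choices (TCP for 135, UDP for 69) are assumptions, not from the post.

! Port ACL applied inbound on each student-facing switchport.
ip access-list extended RESNET-PORT-IN
 remark drop RPC endpoint mapper and TFTP from the attached host
 deny   tcp any any eq 135
 deny   udp any any eq tftp
 remark drop DHCP server replies (source port 67) from a student port
 deny   udp any eq bootps any eq bootpc
 remark everything else, including host-to-host traffic, is allowed
 permit ip any any
!
interface range FastEthernet0/1 - 24
 description student access ports (placeholder range)
 switchport mode access
 ip access-group RESNET-PORT-IN in
!
! Router side: same two ports blocked on traffic leaving toward ResNet.
ip access-list extended RESNET-ROUTER-OUT
 deny   tcp any any eq 135
 deny   udp any any eq tftp
 permit ip any any
!
interface Vlan100
 description ResNet gateway (placeholder interface)
 ip access-group RESNET-ROUTER-OUT out
```

The 3550 applies port ACLs in the inbound direction only, which is why the host-facing filter is written as an ingress rule on each access port.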

