[unisog] UConn's Residential Network Beat the Worms

Asadoorian, Paul D Paul_Asadoorian at brown.edu
Wed Aug 27 16:52:45 GMT 2003


You can put a VACL on your layer 2 cisco switches, here's the one we
are using (currently on our 4500's):

You need to first create an ACL (reversing the deny's and permits):

ip access-list extended Blaster-Block
 permit icmp any any log-input
 permit udp any any eq tftp log-input
 permit tcp any any eq 445 log-input
 permit udp any any eq 445 log-input
 permit tcp any any eq 593 log-input
 permit udp any any eq 593 log-input
 permit tcp any any eq 4444 log-input
 deny   ip any host <IP OF NETREG SERVER>
 deny   ip host <IP OF NETREG SERVER> any
 permit tcp any any range 135 139 log-input
 permit udp any any range 135 netbios-ss log-input

Then create a VLAN Map (Second one is very important, it allows all
other traffic):

vlan access-map Blaster-Block 10
 action drop
 match ip address Blaster-Block
vlan access-map Blaster-Block 20
 action forward

Then create a vlan filter and apply it to all the VLANs on the switch
(or just certain ones if you wish)

vlan filter Blaster-Block vlan-list <LIST OF VLANS>

If we had CiscoWorks figured out a little better we'd be pushing this to
all 300 of our 3550's, maybe next semester :-) We also integrated
UConn's mods into our NetReg System (THANK YOU to Phil and his team!)
and have ~800 users registered with ~95 infections (Our systems team got
UConn's stuff implemented this morning, and students have been trickling
in all week).

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com 
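
Added example (not from the original post, and not Cisco code): a small Python simulation of the first-match semantics behind the Blaster-Block VACL above, using `NETREG` as a stand-in for the `<IP OF NETREG SERVER>` placeholder and constructed 10.1.1.x addresses. It shows why the "reversed" permits drop traffic and why the empty sequence 20 is needed, and it makes the ordering visible: the two NetReg deny entries sit after the ICMP, tftp, 445, 593 and 4444 entries, so only the 135-139 traffic to or from the NetReg server is exempted.

```python
NETREG = "NETREG"  # stands in for the post's <IP OF NETREG SERVER> placeholder

# The posted Blaster-Block ACL, one tuple per entry in the order it is listed:
# (action, protocol, source, destination, destination port or (low, high)).
BLASTER_BLOCK = [
    ("permit", "icmp", "any", "any", None),
    ("permit", "udp", "any", "any", 69),          # tftp
    ("permit", "tcp", "any", "any", 445),
    ("permit", "udp", "any", "any", 445),
    ("permit", "tcp", "any", "any", 593),
    ("permit", "udp", "any", "any", 593),
    ("permit", "tcp", "any", "any", 4444),
    ("deny",   "ip",  "any", NETREG, None),
    ("deny",   "ip",  NETREG, "any", None),
    ("permit", "tcp", "any", "any", (135, 139)),
    ("permit", "udp", "any", "any", (135, 139)),  # netbios-ss is port 139
]

def ace_matches(ace, proto, src, dst, dport):
    """Does one access-list entry match this packet?"""
    _action, aproto, asrc, adst, pspec = ace
    if aproto != "ip" and aproto != proto:
        return False
    if asrc != "any" and asrc != src:
        return False
    if adst != "any" and adst != dst:
        return False
    if pspec is None:
        return True                       # no port qualifier (icmp, ip)
    lo, hi = pspec if isinstance(pspec, tuple) else (pspec, pspec)
    return dport is not None and lo <= dport <= hi

def acl_result(proto, src, dst, dport=None):
    """Cisco ACL semantics: entries are tried in order, first match wins,
    and a packet matching nothing hits the implicit deny at the end."""
    for ace in BLASTER_BLOCK:
        if ace_matches(ace, proto, src, dst, dport):
            return ace[0]
    return "deny"

def vacl_action(proto, src, dst, dport=None):
    """VLAN access-map semantics: sequence 10 drops packets the ACL *permits*
    (permit means 'matched'); a packet the ACL denies is not matched, so it
    falls through to sequence 20, whose empty match clause forwards it."""
    if acl_result(proto, src, dst, dport) == "permit":
        return "drop"
    return "forward"
```

Try `vacl_action("tcp", "10.1.1.5", NETREG, 139)` (forward) against `vacl_action("tcp", "10.1.1.5", NETREG, 445)` (drop) to see the ordering effect; without sequence 20, a plain port-80 packet would be dropped too.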

-----Original Message-----
From: Marc Jimenez [mailto:mjimenez at net.tufts.edu] 
Sent: Tuesday, August 26, 2003 5:34 PM
To: d-carr at northwestern.edu
Cc: Phil.Rodrigues at uconn.edu; unisog at sans.org
Subject: Re: [unisog] UConn's Residential Network Beat the Worms

Hi Dave,
	We had our first batch of 400 students move in yesterday. We saw
a mean time to infection of 20 seconds. That was almost entirely
cross-infection from machines on the same subnet, or within our ResNet.
	We put in L3 ACLs on our 3550 switchports to limit port 135 and
69 inbound, while blocking port 135 and 69 outbound from the router.
This has seemed to put a stop to the cross-infections, without stopping
student machines from otherwise communicating with one another, and
without driving the router CPU through the roof.
	We also put rules in those same switchport ACLs to stop machines
on our registration and restricted networks from cross-communicating,
and to stop rogue DHCP servers.


Marc Jimenez
Network Engineering
Tufts University

"Read all instructions before applying adhesive."
-Large Print on Lid of Bucket; words to live by.

"Diplomacy" is saying "nice doggy" until you can find a big rock.

On Tue, 26 Aug 2003 carr at caustic.nsg.nwu.edu wrote:

> Phil.Rodrigues at uconn.edu writes:
> >
> > Hi all,
> >
> > From August 21-24, 2003 we had 11,500 students return to the
> > residence halls.  9,100 students registered their computers through NetReg and
> > successfully connected to the campus network and the Internet,
> > mostly on Saturday and Sunday.  We automatically scanned and
> > identified 2,500 (27%) of those computers as vulnerable and
> > redirected them to a page where they downloaded and installed the
> > patch.  That is 2,500 computers that were patched without staff
> > intervention, and that were not infected with the worm, and that did
> > not generate a support phone-call or visit.
> 	Phil, do you have any measure of hosts within the same broadcast
> domain infecting each other?  We still have a little time before our
> students come to campus and are considering using the Cisco Private
> VLAN protected port feature of the switches. The feature stops two
> hosts on the same LAN from talking directly to each other. We can then
> put VACLS on the router interfaces to limit the hosts from infecting
> each other.
> 	Has anyone else done this?
> Dave