[unisog] Nachi and NetFlow

Scott Genung sagenung at ilstu.edu
Sun Nov 2 18:42:11 GMT 2003


All,

So, here's what it all boils down to. The traffic sourced from the host 
matched by the route map is real. It is being discarded at the local 
gateway but the user reports no application problems. Thus, we are 
confident that the source of this volume is a worm of some flavor (Nachi or 
otherwise). Although it is being discarded at the local gateway, we have 
received complaints about latency issues for select time sensitive 
applications in some of our environments where we have older switch 
platforms. So, we are motivated to identify and quench the source of this 
traffic.

I have read some very interesting comments made by others about how they 
detect these stealth trojans. We are looking at some of these ideas now. 
What do you do when you cannot? Do you force the SA to rebuild the box or 
risk loss of connectivity or do you just grin and bear it?

At 05:49 PM 11/1/2003, Adkins, Mike wrote:
>We have shut down numerous false reports using the exact same scenario
>you are describing. We use Symantec Antivirus and the same Cisco route
>map you describe. We have sent our helpdesk staff out to check these
>systems and they are unable to find any viruses.





Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University

(309)438-8731   http://www.tnss.ilstu.edu 



More information about the unisog mailing list