[unisog] mydoom solution

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sat Jan 31 21:47:22 GMT 2004


On Wed, 28 Jan 2004 15:55:22 PST, "Stauffacher, John" <stauffacher at chapman.edu>  said:

> Mitigation technique 1: Make your internal DNS (or at
> least the one everyone uses, that doesn't necessarily update the outside
> world) authoritative for sco.com
>
> Mitigation technique 2: Null route www.sco.com
> <http://www.sco.com/> at your border routers; I'd suggest null routing
> all of SCO's real address space. This would work; it would cause a
> little more overhead on your core routers, but you'd decrease the
> overall damage done by the virus.

In either case, make *VERY* sure that you have definite can't-forget plans to
actually take the block OUT in a week or so.  Otherwise, your help desk will
NEVER figure it out six months from now....

Also, note that a lot of people read www.groklaw.net and follow links from
there to the SCO propagand^H^H^H^H^H^Hpress release page.  So beware of
creating any auto-notify "you must have a worm because you looked up
www.sco.com" or similar.

In any case, I severely doubt that any mitigation techniques you can possibly
deploy will make any major difference - think about how many infected machines
are Out There compared to how many are on your campus. (Remember - the mere
fact that you're reading this message indicates that your site has enough
security clue to *find* this list, and is therefore probably in better shape
than the average site.  Sad but true - I'm preaching to the choir again....)
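As an added example (not code from the original post or from either poster), here is one way to implement the first mitigation, a temporary authoritative "sinkhole" zone on the internal resolver, while also building in the removal plan the reply insists on. The zone text is standard BIND master-file syntax; the domain, sinkhole address, serial and dates below are constructed sample values, and the "REMOVE AFTER" comment convention is an assumption of this example, not a BIND feature.

```python
"""Temporary DNS sinkhole zone with a recorded removal date.

Added example, not from the original mailing-list thread. It generates a
BIND master-file zone that makes every host under a domain resolve to a
local sinkhole address, stamps the zone with the date the block must be
removed, and provides a checker that reports zones whose date has passed.
All domains, addresses, serials and dates here are constructed samples.
"""
import re
from datetime import date

# Assumed comment convention used by this example to carry the removal date.
_REMOVE_MARK = re.compile(r"REMOVE AFTER (\d{4}-\d{2}-\d{2})")


def sinkhole_zone(domain, sink_ip, serial, removal_date, ttl=300):
    """Return BIND zone text making `domain` and every host under it
    (www, ftp, anything) resolve to `sink_ip`, e.g. 127.0.0.1 or an
    internal blackhole host. Served only by the internal resolver, this
    keeps infected local machines from reaching the real site."""
    header = f"; TEMPORARY sinkhole for {domain}; REMOVE AFTER {removal_date.isoformat()}"
    lines = [
        header,
        f"$TTL {ttl}",          # short TTL so removal takes effect quickly
        f"@ IN SOA ns1.{domain}. hostmaster.{domain}. ( {serial} 3600 900 604800 {ttl} )",
        f"@ IN NS ns1.{domain}.",
        f"ns1 IN A {sink_ip}",
        f"@ IN A {sink_ip}",
        f"* IN A {sink_ip}",     # wildcard catches www.{domain} and any other host
    ]
    return "\n".join(lines) + "\n"


def removal_date_from_zone(zone_text):
    """Extract the removal date recorded in the zone header, or None."""
    match = _REMOVE_MARK.search(zone_text)
    return date.fromisoformat(match.group(1)) if match else None


def overdue_sinkholes(zones, today):
    """zones: mapping of domain -> zone text. Return the domains whose
    removal date has passed, i.e. blocks that should now be taken out."""
    overdue = []
    for domain, text in zones.items():
        due = removal_date_from_zone(text)
        if due is not None and today > due:
            overdue.append(domain)
    return sorted(overdue)


if __name__ == "__main__":
    # Constructed sample: block installed 2004-01-31, to be removed after a week.
    zone = sinkhole_zone("sco.com", "127.0.0.1", 2004013101, date(2004, 2, 7))
    print(zone)
    print("overdue on 2004-02-08:", overdue_sinkholes({"sco.com": zone}, date(2004, 2, 8)))
```

The checker is meant to run from a daily job against the directory of sinkhole zones, so the block announces its own expiry rather than relying on someone remembering it six months later.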
