From: Eric Chamberlain, CISSP (eric_at_uclink.berkeley.edu)
Date: Tue Aug 26 2003 - 18:47:09 PDT
Craig,
I support your proposal. I checked my logs that cover 62 servers and 26
desktops. The logs show a steady increase in port 135 traffic originating
from on-campus machines. Here is my breakout of network traffic from
on-campus sources to machines that blocked the connection attempt (the
connection attempt should not occur).
Connection
Attempts    Date
       9    8/9
       2    8/10
      24    8/11
      42    8/12
      89    8/13
     144    8/14
      56    8/15
      24    8/16
      25    8/17
     173    8/18
    4791    8/19
    9848    8/20
    9135    8/21
   10238    8/22
    7609    8/23
    7095    8/24
    9754    8/25
    9657    8/26 as of 6:40pm
--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu

> -----Original Message-----
> From: owner-ucb-security_at_uclink4.berkeley.edu
> [mailto:owner-ucb-security_at_uclink4.berkeley.edu] On Behalf Of
> Craig Lant
> Sent: Tuesday, August 26, 2003 11:12 AM
> To: micronet-list_at_uclink.berkeley.edu;
> ucb-security_at_uclink.berkeley.edu; comp-mgrs_at_socrates.berkeley.edu
> Subject: [Security] SNS proposal to deal with Blaster worm
>
> The Blaster worm is beginning to spread rapidly across the campus
> network. This is, no doubt, exacerbated by the fact that thousands of
> computers are suddenly being connected to our network and many of them
> are already infected. SNS is finding hundreds of new infections every
> day.
>
> Our standard procedure is to send notifications to security contacts,
> wait one to two working days, then block them if the problem isn't
> resolved. Unfortunately, this is hampering our ability to stay on top
> of the problem and it's giving the virus more time to spread.
>
> We are proposing a change in our procedures to handle this particular
> problem. We would like to send another CalMail warning to all faculty,
> staff, and students explaining that we need to begin immediately
> blocking computers that are found to be infected and attacking other
> computers. We'll still send individual notifications to security
> contacts as hosts are blocked. But, we would no longer allow infected
> computers to continue attacking others for a day or two before taking
> action.
>
> I'm distributing this proposal as widely as I can (short of CalMail).
> If you feel that this proposal is unacceptable or will cause more harm
> than good, let us know ASAP. I also welcome alternative ideas at any
> time.
>
> Thanks,
> Craig
>
> Craig Lant
> ------- Campus Information Systems Security Officer -------
> ----- University of California, Berkeley -----
> 510-643-0596 craig_at_ack.Berkeley.edu
>
> -------------------------------------
> Sent via the ucb-security mailing list.