[44046] in North American Network Operators' Group
Re: Nimba Question.
daemon@ATHENA.MIT.EDU (Tim Bass)
Thu Nov 1 13:03:38 2001
Message-ID: <003f01c162ff$8724c140$a900a8c0@silkroad.com>
Reply-To: "Tim Bass" <bass@silkroad.com>
From: "Tim Bass" <bass@silkroad.com>
To: "Gyorfy, Shawn" <sgyorfy@elinkny.com>
Cc: <nanog@merit.edu>
Date: Thu, 1 Nov 2001 13:03:35 -0500
Shawn,
If downstream clients are infected with NIMDA or any of the same MS
virus variants you should:
(1) Send them a nice note and tell them they are infected and causing
problems upstream (include hostnames and IP addresses)
(2) Request that they fix the problem in FOO hours. If they do not,
then outbound port 80 traffic for the offensive IP address will
be blocked (at the edge router). (Suggest FOO=24)
(3) Explain that the block/filter will be removed when the virus is
cleansed and the vulnerability mitigated.
Based on the relationship of upstream/downstream ISPs and
'who is on the most outside edge'...... different blocking strategies
may be applied. This is an 'SLA issue' between client and provider.
Finest Regards, Tim
www.silkroad.com
----- Original Message -----
From: Gyorfy, Shawn
To: 'nanog@merit.edu'
Sent: Thursday, November 01, 2001 12:12 PM
Subject: Nimba Question.
Hey what's going on?

Question for you all. We are a BLEC, we give each building a T1 and
router and back haul the circuit to our NOC where we distribute the
packets to our service providers. The problem I see, some of our
clients in the building, their computers are infected with the Nimda
virus / Code Red. I get emailed from firewall administrators about the
possible port scan, and then I disconnect the customer until he updates
his servers and cleans them. I was wondering if I can do anything on my
end to prevent the Nimda going out on my end. I have been reading about
Cisco's NBAR feature with class maps but I don't want to put that on the
core because it will kill the box (Cisco 10K ESR, (2) 7507, (2) 7206).
Plus Cisco stated that it can only handle 24 concurrent web hits. So
that's out. I was also thinking about putting that on the building
routers but 75% aren't Cisco, they are Lucent Access Points. Any
suggestions would be appreciated.

shawn.
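Tim's three-step policy (notify with hostname and IP, give FOO=24 hours, then block outbound TCP/80 from the offending address at the edge router and lift the block once the box is cleaned) is the kind of thing that gets applied inconsistently by hand at 2 AM. The script below is an added example, not code from either poster: it tracks each reported host through notify, deadline, block and unblock, and renders the per-host deny entries as a Cisco IOS extended ACL. The ACL name BLOCK-INFECTED-OUT, the hostname and the 192.0.2.0/24 addresses are constructed for illustration.

```python
"""Offender tracker for a notify -> deadline -> block -> unblock policy.

Added example, not from the original thread. Hostnames, IPs (RFC 5737
documentation range) and the ACL name BLOCK-INFECTED-OUT are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

DEADLINE_HOURS = 24              # Tim's suggested FOO
ACL_NAME = "BLOCK-INFECTED-OUT"  # hypothetical ACL name


@dataclass
class Offender:
    ip: str
    hostname: str
    notified_at: datetime
    blocked: bool = False
    cleaned: bool = False

    @property
    def deadline(self) -> datetime:
        return self.notified_at + timedelta(hours=DEADLINE_HOURS)


def notice_text(o: Offender) -> str:
    """Step 1: the 'nice note', carrying hostname, IP and the deadline."""
    return (
        f"Host {o.hostname} ({o.ip}) on your circuit is infected with Nimda/Code Red "
        f"and is scanning port 80 upstream. Please clean it and patch the vulnerability "
        f"by {o.deadline:%Y-%m-%d %H:%M}; after that, outbound TCP/80 from {o.ip} will "
        f"be blocked at our edge router until you confirm the cleanup."
    )


class OffenderTracker:
    def __init__(self) -> None:
        self.offenders: dict[str, Offender] = {}

    def report(self, ip: str, hostname: str, now: datetime) -> str | None:
        """Step 1. Returns the notice on first report, None if the IP is already
        tracked, so repeat complaints from firewall admins do not restart the clock."""
        if ip in self.offenders:
            return None
        o = Offender(ip, hostname, now)
        self.offenders[ip] = o
        return notice_text(o)

    def enforce(self, now: datetime) -> list[str]:
        """Step 2. Block every tracked IP whose deadline has passed and that has not
        been cleaned. Returns the IPs newly blocked on this run."""
        newly = []
        for o in self.offenders.values():
            if not o.blocked and not o.cleaned and now >= o.deadline:
                o.blocked = True
                newly.append(o.ip)
        return newly

    def confirm_cleaned(self, ip: str) -> None:
        """Step 3. Customer confirms the box is cleaned and patched: lift the filter."""
        o = self.offenders[ip]
        o.cleaned = True
        o.blocked = False

    def render_acl(self) -> str:
        """IOS extended ACL with one deny per blocked host.
        The trailing 'permit ip any any' matters: an ACL made only of deny lines
        ends in IOS's implicit deny-all and would black-hole the whole building."""
        lines = [f"ip access-list extended {ACL_NAME}"]
        for o in self.offenders.values():
            if o.blocked:
                lines.append(f" remark {o.hostname} notified {o.notified_at:%Y-%m-%dT%H:%M}")
                lines.append(f" deny tcp host {o.ip} any eq www")
        lines.append(" permit ip any any")
        return "\n".join(lines)


def run_demo() -> dict:
    """Walk one constructed host through the policy; returns the checkpoints."""
    t = OffenderTracker()
    t0 = datetime(2001, 11, 1, 12, 12)
    first = t.report("192.0.2.10", "ws-301.bldg5.example.net", t0)
    repeat = t.report("192.0.2.10", "ws-301.bldg5.example.net", t0 + timedelta(hours=2))
    early = t.enforce(t0 + timedelta(hours=23))           # before the deadline: nothing
    late = t.enforce(t0 + timedelta(hours=24, minutes=1))  # past the deadline: block
    acl_blocked = t.render_acl()
    t.confirm_cleaned("192.0.2.10")
    acl_after = t.render_acl()
    return {"first": first, "repeat": repeat, "early": early, "late": late,
            "acl_blocked": acl_blocked, "acl_after": acl_after}


if __name__ == "__main__":
    r = run_demo()
    print(r["first"])
    print(r["acl_blocked"])
```

Apply the rendered ACL inbound on the building-facing interface (`ip access-group BLOCK-INFECTED-OUT in`), which is the direction that matches "outbound port 80 from the offending IP" and leaves the rest of the building untouched. The filter only stops the HTTP scanning vector; Nimda also spreads by e-mail and open file shares, so the block buys time upstream but does not substitute for the customer cleaning and patching the host.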