[60464] in North American Network Operators' Group
Re: Port blocking last resort in fight against virus
daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Aug 12 18:56:50 2003
Date: Tue, 12 Aug 2003 17:53:23 -0500
From: Jack Bates <jbates@brightok.net>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.53.0308122156360.19594@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu
Christopher L. Morrow wrote:
>
> So, if in YOUR network you want to do this blocking, go right ahead, but I
> wouldn't expect anyone else to follow suit unless they already determined
> there was a good reason for themselves to follow suit. As an aside, a day
> or so of 5 minutely reboots teaches even the slowest user to find a
> firewall product and upgrade/update their systems, eh?
Yeah. I hate to admit it, but there is a lot gained from this worm. The
of the worm will secure a lot of systems from other exploits of the same
vulnerability which can be used for much worse. From what I've seen, a
lot of networks have sent user's to custom webpages to assist in
patching and removal of the worm. I wonder if microsoft minds the
redistribution of patches in this senario. ;)
My outbound ratio of worm to total packets has decreased to 7%. Helpdesk
call volume has increased drastically, but we expect things to be close
to normal by end week.
As a side note, I think one of my peers issued a 135 block in their core
(haven't checked). The inbound scan numbers should be much higher than
they are.
-Jack
