Re: More on the DDoS Attack

2003-09-13 Thread Jack Bates
Eric Gauthier wrote:

> Take a look and let me know what you think.  Any questions or comments -
> editorial or otherwise - would be greatly appreciated.

Nice layout. Reverse the process so the default is a good host and
integrate it with RADIUS, using access lists versus private/public
addresses, and you have a nice method for jailing an infected user so
that they can still dial up and get virus defs, patches, etc. and that's
it. Granted, it would take some tweaking.

-Jack



Re: More on the DDoS Attack

2003-09-12 Thread Eric Gauthier

Hello,

Ok - I know I said I'd have something for the list on Monday.
Unfortunately, work kept getting in the way :(

Yesterday, I sent out this URL to the people who replied to me privately.
It is a general overview (with a few details) of how various schools
have been dealing with the recent RPC vulnerabilities and the associated
Blaster/Welchia worms.

http://www.roxanne.org/~eric/blaster.html
  
Take a look and let me know what you think.  Any questions or comments -
editorial or otherwise - would be greatly appreciated.

Eric :)


Re: More on the DDoS Attack

2003-09-06 Thread Eric Gauthier

> Were you able to obtain redistribution licenses from the vendors, such as
> Microsoft, to distribute the patches to your students?  Or did your
> restricted VLAN allow them enough access to the Internet to download the
> tools directly from the vendor's web sites?

Sean, I'm not exactly positive regarding the redistribution.  The
vendors in question are really just Microsoft for the patches and
then the cleaning/scanning tools we use.  The topic came up in a few
of our group meetings where we prepared for the semester and I _BELIEVE_
the answer was that we have site licenses for the scanning/cleaning
tools we use, with the exception of any freeware/shareware which doesn't
need a license, but don't quote me on this.  As far as the Microsoft patches,
I'm not sure what the legalese answer was or the exact distribution method,
though it was on-line (i.e. "click here to download") and not by handing out
burned CDs.  So, it was either a local patch repository or a web proxy.

I've received a bunch of off-list requests for information, more than I
was expecting :)  So, instead of just a quick few-line response I'll try
to write up something a bit more authoritative.  Unfortunately, I only
know the details of the network piece, so I have to check with our 
security and help desk people to answer in detail some of the other
questions that have come up (i.e. "legally" redistributing patches,
how exactly did the patching work, what scanners did you use/test for, etc).
Our security and support teams are just coming down from two weeks of
craziness, so some of them are off-line this weekend but I'll try to have
something by Monday...

Eric :)


Re: More on the DDoS Attack

2003-09-05 Thread Matthew Sullivan
Sean Donelan wrote:

> On Fri, 5 Sep 2003, Eric Gauthier wrote:
>
> > the registration process, we scan each computer.  If we catch something,
> > we force them to run a list of patching/cleaning tools before we allow the
> > system to be registered.  By Wednesday at 5pm, we'd stopped 3,400 computers
>
> Were you able to obtain redistribution licenses from the vendors, such as
> Microsoft, to distribute the patches to your students?  Or did your
> restricted VLAN allow them enough access to the Internet to download the
> tools directly from the vendor's web sites?

Does that not come with the SUS server (for Microsoft patches)?

/ Mat

(You gotta love that acronym)



Re: More on the DDoS Attack

2003-09-05 Thread Sean Donelan

On Fri, 5 Sep 2003, Eric Gauthier wrote:
> the registration process, we scan each computer.  If we catch something,
> we force them to run a list of patching/cleaning tools before we allow the
> system to be registered.  By Wednesday at 5pm, we'd stopped 3,400 computers

Were you able to obtain redistribution licenses from the vendors, such as
Microsoft, to distribute the patches to your students?  Or did your
restricted VLAN allow them enough access to the Internet to download the
tools directly from the vendor's web sites?

Re: More on the DDoS Attack

2003-09-05 Thread Eric Gauthier

> To those providers who have started filtering some if not all of the 
> spoofed traffic, and those have been nuking the zombied hosts.
> 
> Please accept my thanks, it seems that enough has been stopped so the 
> DNS and websites are now available again.

In case you're curious as to how most of the Universities are handling things,
this is a pretty good article:

http://www.washingtonpost.com/ac2/wp-dyn/A25845-2003Sep4?language=printer

On our campus, we've had about 11,000 systems arrive in our dorms over
the past 10 days.  When a computer plugs in, it's VLAN'ed into a private
network and the user is taken through a system registration process
(we use some spoofed DNS and webserver tricks to get them started).  During
the registration process, we scan each computer.  If we catch something,
we force them to run a list of patching/cleaning tools before we allow the
system to be registered.  By Wednesday at 5pm, we'd stopped 3,400 computers
and forced them to patch/clean.  So far, we've found only about 400 or so
systems that squeaked by still infected with Blaster or Sobig.F, but we've
been able to contact their owners and clean all but 68 of them; these 68 are
now shut off the network.

I'm sure my team (the network guys) or our security team would be more
than happy to share what we've done with anyone interested; I'd imagine
that it would work very well in a cable-modem/DSL environment.  Drop me a
note off-list.

Thanks for letting me chew up your time and bandwidth...

Eric :)
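As an added illustration of the two approaches discussed in this thread (Eric's private registration VLAN that hosts must pass a scan to leave, and Jack's suggestion of jailing an infected user with access lists so they can still reach virus definitions and patches), here is a small example that is not from the list posts or from any university's actual setup. It builds a first-match "jail" ACL that permits a quarantined host to reach only the registration page, a patch repository, an AV-definition server and the DNS server that points it at them, denies host-to-host traffic inside the jail so a worm cannot spread between quarantined machines, renders the result in Cisco extended access-list syntax, and evaluates sample flows against it. All addresses, VLAN ranges and service names are constructed placeholders, and the ACL number and IOS syntax are assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry; evaluation is first-match, as on a router."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None = any destination port


# Constructed addresses for illustration, not any real campus network.
QUARANTINE_VLAN = ip_network("10.200.0.0/16")   # unregistered / infected hosts land here
PRODUCTION_VLAN = ip_network("10.100.0.0/16")   # registered, clean hosts
ANY = ip_network("0.0.0.0/0")

# The only services a jailed host needs: the registration page, the patch
# repository, the AV-definition server, and the DNS server that resolves them.
REMEDIATION_SERVICES = {
    "registration-web": ("tcp", ip_network("10.1.1.10/32"), 80),
    "patch-repo":       ("tcp", ip_network("10.1.1.20/32"), 80),
    "av-definitions":   ("tcp", ip_network("10.1.1.21/32"), 80),
    "dns":              ("udp", ip_network("10.1.1.53/32"), 53),
}


def build_jail_acl(vlan: IPv4Network = QUARANTINE_VLAN,
                   services=REMEDIATION_SERVICES) -> list[Rule]:
    """Permit only the remediation services, then deny everything else,
    including traffic between hosts inside the quarantine VLAN."""
    rules = [Rule("permit", proto, vlan, dst, port)
             for proto, dst, port in services.values()]
    rules.append(Rule("deny", "ip", vlan, vlan))   # no lateral spread in the jail
    rules.append(Rule("deny", "ip", vlan, ANY))    # explicit catch-all deny
    return rules


def evaluate(rules: list[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; "deny" if nothing
    matches, mirroring the implicit deny at the end of a router ACL."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def _addr(net: IPv4Network) -> str:
    """Render a network as IOS address + wildcard mask (or host/any)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_cisco(rules: list[Rule], number: int = 120) -> list[str]:
    """Emit the ACL as numbered extended access-list lines (assumed IOS syntax)."""
    lines = []
    for r in rules:
        line = f"access-list {number} {r.action} {r.proto} {_addr(r.src)} {_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


def vlan_for(host_state: str) -> IPv4Network:
    """Registration outcome to VLAN: only a host the scan has cleared and
    registered is moved to production; anything else stays in the jail."""
    return PRODUCTION_VLAN if host_state == "registered" else QUARANTINE_VLAN


if __name__ == "__main__":
    acl = build_jail_acl()
    for line in render_cisco(acl):
        print(line)
    print(evaluate(acl, "tcp", "10.200.5.7", "10.1.1.20", 80))    # permit: patch repository
    print(evaluate(acl, "tcp", "10.200.5.7", "10.200.9.9", 135))  # deny: jailed host to jailed host
    print(evaluate(acl, "tcp", "10.200.5.7", "192.0.2.10", 80))   # deny: rest of the Internet
```

The explicit intra-VLAN deny is the part worth copying: putting infected hosts on a shared quarantine segment without it turns the jail into a breeding ground, since the worm scans its neighbours first. In a RADIUS-driven variant the same rules would be pushed per session rather than per VLAN, which is the "access lists versus private/public addresses" distinction Jack draws.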


More on the DDoS Attack

2003-09-05 Thread Matthew Sullivan
To those providers who have started filtering some if not all of the 
spoofed traffic, and those have been nuking the zombied hosts.

Please accept my thanks, it seems that enough has been stopped so the 
DNS and websites are now available again.

Thanks,

Matthew