Nimba Question.

Tim Bass bass at silkroad.com
Thu Nov 1 18:03:35 UTC 2001


Shawn,

If downstream clients are infected with NIMDA or any of the same MS
virus variants you should:

(1) Send them a nice note and tell them they are infected and causing
      problems upstream (include hostnames and IP addresses)

(2) Request that they fix the problem in FOO hours.   If they do not
      then outbound port 80 traffic for the offensive IP address will
      be blocked (at the edge router).  (Suggest FOO=24)

(3)  Explain that the block/filter will be removed when virus is 
       cleansed and vulnerability mitigated.

Based on the relationship of upstream/downstream ISPs and
'who is on the most outside edge'...... different blocking strategies
may be applied.  This is an 'SLA issue' between client and provider.

Finest Regards, Tim

www.silkroad.com

  ----- Original Message ----- 
  From: Gyorfy, Shawn 
  To: 'nanog at merit.edu' 
  Sent: Thursday, November 01, 2001 12:12 PM
  Subject: Nimba Question.


  Hey what's going on?

   

  Question for you all.  We are a BLEC, we give each building a T1 and router and back haul the circuit to our NOC where we distribute the packets to our service providers.  The problem I see, some of our clients in the building, their computers are infected with the NIMDA virus / Code Red.  I get emailed from firewall administrators about the possible port scan, and then I disconnect the customer until he updates his servers and cleans them.  I was wondering if I can do anything on my end to prevent the Nimda going out on my end.  I have been reading about Cisco's NBAR feature with class maps but I don't want to put that on the core because it will kill the box (Cisco 10K ESR, (2) 7507, (2) 7206).  Plus Cisco stated that it can only handle 24 concurrent web hits. So that's out.  I was also thinking about putting that on the building routers but 75% aren't Cisco, they are Lucent Access Points.  Any suggestions would be appreciated.  

   

   

  shawn.   
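
The notify, wait, block, unblock procedure from the reply above, as an added example that is not part of the original thread: a Python sketch that turns a notification ledger into a Cisco IOS extended ACL denying TCP port 80 from hosts whose grace period has expired. The ACL name, the ledger layout and the sample addresses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

GRACE = timedelta(hours=24)        # FOO=24, the value suggested in the reply
ACL_NAME = "INFECTED-HOSTS-OUT"    # hypothetical ACL name

# Constructed sample ledger: (customer IP, time the notice was sent, cleaned?)
NOTICES = [
    ("192.0.2.10", datetime(2001, 11, 1, 9, 0, tzinfo=timezone.utc), False),
    ("192.0.2.44", datetime(2001, 11, 2, 15, 0, tzinfo=timezone.utc), False),
    ("198.51.100.7", datetime(2001, 10, 30, 8, 0, tzinfo=timezone.utc), True),
]


def overdue_hosts(notices, now, grace=GRACE):
    """Return IPv4 hosts past the grace period that are not yet cleaned."""
    hosts = set()
    for ip, notified_at, cleaned in notices:
        addr = ip_address(ip)      # raises ValueError on a malformed entry
        if addr.version != 4:
            raise ValueError(f"IPv4 address expected, got {ip}")
        # Step 3: a cleaned host never appears, so regenerating lifts its block.
        if not cleaned and now - notified_at >= grace:
            hosts.add(addr)
    return sorted(hosts)


def build_acl(notices, now, name=ACL_NAME):
    """Render the whole ACL; each run replaces the previous version."""
    lines = [f"no ip access-list extended {name}",
             f"ip access-list extended {name}"]
    for host in overdue_hosts(notices, now):
        # Step 2: block only destination port 80 from the offending source IP.
        lines.append(f" deny tcp host {host} any eq 80")
    lines.append(" permit ip any any")   # all other customer traffic passes
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(NOTICES, datetime(2001, 11, 3, tzinfo=timezone.utc))))
```

The generated list would be applied inbound on the customer-facing interface of the edge router, so the filter sits as close to the infected host as the provider can reach.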
