Port blocking last resort in fight against virus

Jack Bates jbates at brightok.net
Tue Aug 12 22:53:23 UTC 2003


Christopher L. Morrow wrote:
> 
> So, if in YOUR network you want to do this blocking, go right ahead, but I
> wouldn't expect anyone else to follow suit unless they already determined
> there was a good reason for themselves to follow suit. As an aside, a day
> or so of 5 minutely reboots teaches even the slowest user to find a
> firewall product and upgrade/update their systems, eh?

Yeah. I hate to admit it, but there is a lot gained from this worm. The 
of the worm will secure a lot of systems from other exploits of the same 
vulnerability which can be used for much worse. From what I've seen, a 
lot of networks have sent user's to custom webpages to assist in 
patching and removal of the worm. I wonder if microsoft minds the 
redistribution of patches in this senario. ;)

My outbound ratio of worm to total packets has decreased to 7%. Helpdesk 
call volume has increased drastically, but we expect things to be close 
to normal by end week.

As a side note, I think one of my peers issued a 135 block in their core 
(haven't checked). The inbound scan numbers should be much higher than 
they are.

-Jack




More information about the NANOG mailing list