nanog mailing list archives

Re: Nachi claims another college: Dartmouth November 7


From: "Robert A. Hayden" <rhayden () geek net>
Date: Fri, 7 Nov 2003 11:34:12 -0600 (CST)


We got so sick of dealing with Nachi that we stepped up deployment of a 
uRPF-based blackhole routing system campus wide.  Now when the flows show 
something abnormal, we just blackhole the offending computer and 
auto-generate an email to the admins of that IP space and then send them 
auto nag-grams every day or two to remind them the IP is still blocked.  
Once we get word that they've done something, the IP is removed.

Using uRPF in this manner has REALLY made it easy to surgically remove 
compromised hosts without having to use ACLs or turn off entire department 
interfaces.

We developed a web-based front end to allow IPs to be added and removed
easily along with space to enter some notes regarding the action where
you can paste in flow information and the like.

Education only works so far.  Sooner or later you just need a big 
clue-by-four.

What I love is when departments (against campus policy) install giant NAT
firewalls and so, of course, we block the NATted IP and invariably kill 20
or 30 machines behind it.

On Fri, 7 Nov 2003, Sean Donelan wrote:

> Almost half of all student computers on Dartmouth's campus have been
> infected by the Nachi/Welchia worm.  If students do not fix their
> computers by November 11 (nearly four months after Microsoft released the
> original patch), Dartmouth will turn off the students' network access.
>
> http://www.thedartmouth.com/article.php?aid=2003110701020
>
> Has anyone figured out a way to get computer users to fix their computers
> other than fixing the computer for them?
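The uRPF-based blackhole workflow described in the reply above, as an added example that is not code from the post or from any campus tool: it assumes a Cisco IOS-style trigger router running loose-mode uRPF (so a /32 routed to Null0 causes packets *from* that source to be dropped), an in-memory block list, and a nag interval of two days; the Block fields, admin addresses and interface names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List, Optional

NAG_INTERVAL = timedelta(days=2)  # "every day or two" in the post; assumed value


@dataclass
class Block:
    ip: str                  # blackholed host (for a NAT box, every host behind it)
    admin: str               # contact for the IP space (assumed lookup done elsewhere)
    note: str                # free-form notes, e.g. pasted flow records
    added: datetime
    last_notified: Optional[datetime] = None


def canonical_ipv4(ip: str) -> str:
    """Reject anything that is not a single IPv4 host address."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"IPv4 host address required: {ip}")
    return str(addr)


def urpf_interface_config(interface: str) -> List[str]:
    """Loose-mode uRPF: drop packets whose source has no FIB route or routes to Null0."""
    return [f"interface {interface}", " ip verify unicast source reachable-via any"]


def blackhole_commands(ip: str, remove: bool = False) -> List[str]:
    """A /32 to Null0 on the trigger router; with loose uRPF the source is dropped."""
    prefix = "no " if remove else ""
    return [f"{prefix}ip route {canonical_ipv4(ip)} 255.255.255.255 Null0"]


def nags_due(blocks: List[Block], now: datetime) -> List[Block]:
    """Blocks whose admin has not been reminded within NAG_INTERVAL."""
    return [b for b in blocks if now - (b.last_notified or b.added) >= NAG_INTERVAL]


def nag_message(b: Block, now: datetime) -> str:
    """The reminder ("nag-gram") sent while the IP is still blocked."""
    days = (now - b.added).days
    return (f"To: {b.admin}\nSubject: {b.ip} is still blackholed ({days} days)\n\n"
            f"Blocked since {b.added:%Y-%m-%d}. Notes: {b.note}\n"
            "Reply when the host is fixed and the block will be removed.")
```

Note that because the block is keyed on the source address seen in the flows, blackholing a departmental NAT box's address takes every host behind it off the network, exactly the side effect the post complains about.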