Educause Security Discussion mailing list archives
W32/Blaster: Saturday Aug 16 situational analysis
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 14 Aug 2003 20:24:00 -0500
Personnel from the REN-ISAC[1], the IU Advanced Network Management Lab[2] and Abilene[3] management conferred with lead technical representatives of Microsoft regarding the anticipated, Saturday August 16, DDoS attack against windowsupdate.com, coming from W32/Blaster[4].

Based on current understanding of the worm, Microsoft has a sound and effective approach to mitigate the attack. The approach will reduce exposure to the Microsoft Corporation network and systems, and likewise will reduce burden on institutional networks that host numerous infected hosts.

There is a high likelihood of copycat attacks, particularly SYN attacks against Microsoft servers. Institutions may want to be prepared for that activity[5].

The REN-ISAC and the IU Advanced Network Management Lab are continuing to perform analysis of Abilene NetFlow data to characterize W32/Blaster activity. Worm traffic on Abilene remains high, peaking Monday night at 7%+ of all packets on the network.

Worm propagation can be mitigated by the installation of filters at network borders. Recommendations for filtering are included in the CERT W32/Blaster advisory[4]. Filters should be defined as input and output - to protect yourselves and to protect from infecting others.

Regards,

Doug Pearson
Director, REN-ISAC
Indiana University
ren-isac () iu edu

[1] http://ren-isac.iu.edu/
[2] http://www.anml.iu.edu/
[3] http://www.internet2.edu/abilene/
[4] http://www.cert.org/advisories/CA-2003-20.html
[5] http://www.cert.org/advisories/CA-1996-21.html