Educause Security Discussion mailing list archives

W32/Blaster: Saturday Aug 16 situational analysis


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 14 Aug 2003 20:24:00 -0500

Personnel from the REN-ISAC[1], the IU Advanced Network Management Lab[2] and Abilene[3] management conferred with lead 
technical representatives of Microsoft regarding the anticipated, Saturday August 16, DDoS attack against 
windowsupdate.com, coming from W32/Blaster[4].

Based on current understanding of the worm, Microsoft has a sound and effective approach to mitigate the attack. The 
approach will reduce exposure to the Microsoft Corporation network and systems, and likewise will reduce burden on 
institutional networks that host numerous infected hosts. There is a high likelihood of copycat attacks, particularly 
SYN attacks against Microsoft servers. Institutions may want to be prepared for that activity[5].

The REN-ISAC and the IU Advanced Network Management Lab are continuing to perform analysis of Abilene NetFlow data to 
characterize W32/Blaster activity. Worm traffic on Abilene remains high, peaking Monday night at 7%+ of all packets on 
the network.

Worm propagation can be mitigated by the installation of filters at network borders. Recommendations for filtering are 
included in the CERT W32/Blaster advisory[4]. Filters should be defined as input and output - to protect yourselves and 
to protect from infecting others.


Regards,

Doug Pearson
Director, REN-ISAC
Indiana University
ren-isac () iu edu

[1] http://ren-isac.iu.edu/
[2] http://www.anml.iu.edu/
[3] http://www.internet2.edu/abilene/
[4] http://www.cert.org/advisories/CA-2003-20.html
[5] http://www.cert.org/advisories/CA-1996-21.html

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
