Educause Security Discussion mailing list archives

REN-ISAC W32/Blaster debrief as of 2000 GMT Fri Aug 15


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Fri, 15 Aug 2003 15:59:25 -0500

The REN-ISAC[1] and the IU Advanced Network Management Lab (ANML[2]) are continuing to perform analysis of Abilene 
NetFlow data to characterize W32/Blaster activity. A sample during the period 1200-1500 GMT Thursday August 14 was used 
to identify top network AS sources of port 135 scans on Abilene. Within the top-twenty list, six AS were repeats from 
the August 14 top twenty. E-mail notifications were sent to the network contacts, including 18 U.S. universities, and 2 
U.S. GigaPoP/aggregates.

REN-ISAC, the ANML, and technical leads from Microsoft discussed the DDoS attack against windowsupdate.com, coming from 
W32/Blaster[3], that is anticipated for Saturday August 16. Based on current understanding of the worm, Microsoft has a 
sound and effective approach to mitigate the attack. The approach will reduce exposure to Microsoft Corporation 
systems, and likewise will reduce burden on institutional networks that host numerous infected hosts. There is a high 
likelihood of copycat attacks, particularly SYN attacks against Microsoft servers. Institutions may want to be prepared 
for that activity[4].

On a positive note, infection attempts on Abilene, while still high, are down by at least half. A graph, produced by 
ANML, of MS-RPC probe flows per second on Abilene is attached. The source NetFlow data is sampled at approximately a 
1:100 ratio. Actual flow counts are therefore higher.
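The top-AS ranking described in the first paragraph (count port 135 scan flows per source AS over a time window, then notify the top twenty) and the 1:100 sampling correction from the paragraph above can be reproduced with a few lines over exported flow records. The block below is an added example, not REN-ISAC or ANML code: the comma-separated record format, the AS numbers and the IP addresses are constructed for illustration, and the 1:100 ratio is the only figure taken from the message.

```python
"""Rank source ASes by sampled port-135/tcp flows and scale by the NetFlow sampling ratio."""
from collections import defaultdict
from dataclasses import dataclass

# The message states the Abilene NetFlow data is sampled at roughly 1:100,
# so each exported flow stands for about 100 flows on the wire.
SAMPLING_RATIO = 100


@dataclass
class Flow:
    src_ip: str
    src_as: int
    dst_ip: str
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    packets: int


def parse_flow_line(line: str) -> Flow:
    """Parse one record in a constructed 'src_ip,src_as,dst_ip,dst_port,proto,packets' format."""
    src_ip, src_as, dst_ip, dst_port, proto, packets = line.strip().split(",")
    return Flow(src_ip, int(src_as), dst_ip, int(dst_port), int(proto), int(packets))


# Constructed sample: two ASes probing 135/tcp, plus unrelated web traffic that must be ignored.
SAMPLE_FLOW_LINES = [
    "10.1.1.5,65001,192.0.2.10,135,6,1",
    "10.1.1.5,65001,192.0.2.11,135,6,1",
    "10.1.1.5,65001,192.0.2.12,135,6,1",
    "10.1.1.9,65001,192.0.2.13,135,6,1",
    "10.1.1.9,65001,192.0.2.14,135,6,1",
    "10.1.1.9,65001,192.0.2.20,80,6,12",     # normal web flow, excluded
    "10.2.2.7,65002,192.0.2.30,135,6,1",
    "10.2.2.7,65002,192.0.2.31,135,6,1",
    "10.2.2.8,65002,192.0.2.32,135,6,1",
    "10.2.2.8,65002,192.0.2.33,135,17,1",    # UDP, not the TCP probe, excluded
    "10.3.3.1,65003,192.0.2.40,80,6,40",
    "10.3.3.1,65003,192.0.2.41,443,6,25",
]
SAMPLE_FLOWS = [parse_flow_line(l) for l in SAMPLE_FLOW_LINES]


def top_scanning_ases(flows, port=135, proto=6, n=20, ratio=SAMPLING_RATIO):
    """Return up to n source ASes ranked by sampled flows toward port/proto.

    Each entry carries the raw sampled count, the count scaled by the sampling
    ratio, how many distinct source hosts (likely infected machines) were seen,
    and how many distinct targets they touched, which separates a scanner from
    a single busy client.
    """
    per_as = defaultdict(lambda: {"sampled_flows": 0, "sources": set(), "targets": set()})
    for f in flows:
        if f.dst_port != port or f.proto != proto:
            continue
        stats = per_as[f.src_as]
        stats["sampled_flows"] += 1
        stats["sources"].add(f.src_ip)
        stats["targets"].add(f.dst_ip)
    ranked = sorted(per_as.items(), key=lambda kv: kv[1]["sampled_flows"], reverse=True)
    return [
        {
            "src_as": asn,
            "sampled_flows": s["sampled_flows"],
            "estimated_flows": s["sampled_flows"] * ratio,
            "sources_seen": len(s["sources"]),
            "distinct_targets": len(s["targets"]),
        }
        for asn, s in ranked[:n]
    ]


if __name__ == "__main__":
    for row in top_scanning_ases(SAMPLE_FLOWS):
        print(f"AS{row['src_as']}: {row['sampled_flows']} sampled flows "
              f"(~{row['estimated_flows']} actual), {row['sources_seen']} sources, "
              f"{row['distinct_targets']} targets")
```

On real exports the source AS comes from the router's BGP lookup or from an AS-path file applied after the fact; the ranking logic is the same. The distinct-target count is the useful extra column when deciding whom to notify: a worm-infected host touches many addresses with one-packet flows, while a legitimate RPC client talks to a handful.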

Worm propagation can be mitigated by the installation of filters at network borders. Recommendations for filtering are 
included in the CERT W32/Blaster advisory[3]. Filters should be defined as both input and output: to protect yourselves 
and to avoid infecting others.


Regards,

Doug Pearson
Acting Director, REN-ISAC
Indiana University
ren-isac () iu edu

[1] http://www.ren-isac.net
[2] http://www.anml.iu.edu/
[3] http://www.cert.org/advisories/CA-2003-20.html
[4] http://www.cert.org/advisories/CA-1996-21.html


Attachment: w32blaster_030815.pdf