Full Disclosure mailing list archives

Re: DCOM RPC exploit (dcom.c)


From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Jul 2003 10:42:04 -0500

On Sun, 2003-07-27 at 01:30, Ron DuFresne wrote:

> > You can't firewall 135 inside your network or you'd have no network.
> 
> But you can at the outgoing gateway, as well as log the events there to
> help in locating inside infections. Slammer and some of the other recent
> worms gave a good heads-up to folks that filtering is indeed not a one-way
> proposition.
> 
> Ingress as well as egress filtering has been something strongly advocated
> for quite some time.
> 
> 
> If an internal network gets so infected that it's clogging the outgoing
> gateway chokepoint, then it's time to take that network 'offline' from the
> rest of the internet and clean up. Unless the company line on this is to open
> all ports and let the rest of the world fend for themselves while we try
> and clean up this mess, which was the decision at a number of places during
> recent worm exploits, and not limited to Slammer.

How does *any* of what you've said lessen the pain of having to clean up
the mess created by these worms? We block 135 in both directions, but
that doesn't stop the worm from forcing us to play whack-a-mole again
on the inside. Even using SMS, SUS and login scripts to distribute
patches *and* an aggressive educational program doesn't guarantee 100%
coverage of patches.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
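The quoted suggestion above (block 135 at the outgoing gateway and log the hits to locate infected machines inside) is easy to turn into a triage script. The following is an added example, not code from either poster or from the list: it assumes a netfilter/iptables LOG rule on the gateway that logs outbound TCP/135 with the prefix "EGRESS-DROP" before dropping it, and the sample log lines are constructed for the demonstration. A host that hits one external address on 135 is usually a misconfiguration; a host that sweeps many distinct addresses in a few seconds is the worm, and that is the machine to pull off the network and patch.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format (made up for this example).
# Assumed gateway rule: log outbound TCP/135 with prefix "EGRESS-DROP", then drop.
SAMPLE_LOG = """\
Jul 27 10:41:01 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.7 PROTO=TCP SPT=1048 DPT=135 SYN
Jul 27 10:41:01 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.8 PROTO=TCP SPT=1049 DPT=135 SYN
Jul 27 10:41:02 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.9 PROTO=TCP SPT=1050 DPT=135 SYN
Jul 27 10:41:02 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.7 PROTO=TCP SPT=1051 DPT=135 SYN
Jul 27 10:41:02 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.10 PROTO=TCP SPT=1052 DPT=135 SYN
Jul 27 10:41:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=203.0.113.5 PROTO=TCP SPT=3201 DPT=135 SYN
Jul 27 10:41:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.6 PROTO=TCP SPT=3300 DPT=80 SYN
Jul 27 10:41:04 gw kernel: some unrelated kernel message
"""

# Pull the fields the triage needs out of a netfilter LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a netfilter LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def outbound_targets(log_text, dport=135, proto="TCP"):
    """Map each internal source IP to the set of external destinations it tried on dport."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, p, d = parsed
        if p == proto and d == dport:
            targets[src].add(dst)
    return dict(targets)


def suspect_hosts(log_text, threshold=3, dport=135):
    """Sources that tried dport against at least `threshold` distinct destinations.

    Ranked by number of distinct targets, most first, so the noisiest
    (most likely infected) machine is at the top of the list.
    """
    targets = outbound_targets(log_text, dport=dport)
    return sorted(
        ((src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for src, n in suspect_hosts(SAMPLE_LOG):
        print(f"{src}: {n} distinct external hosts on TCP/135 - isolate and patch")
```

Feed it the gateway syslog instead of SAMPLE_LOG and run it every few minutes; with the threshold at 3 the single-hit host (10.1.7.9 in the sample) stays off the list, while the sweeping host (10.1.4.22) is reported first.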

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
