Re: Large ISP response to Code Red?

From: kath (kathat_private)
Date: Mon Jul 30 2001 - 21:10:43 PDT


    I work for an ISP.  We were doubly hit by this, as we primarily do DSL and
    use Cisco 675 routers and we also primarily sell to businesses who run their
    own servers on these lines.
    
    As users came in with Cisco issues, we upgraded the IOS, as per instructions
    from the DSLAM provider/CLEC (They didn't tell us it was a worm, just that
    there were issues with Cisco 67xs and to upgrade.  I found the whole truth
    out later when I got home and read this list).
    
    Our servers were patched and not affected, however the DNS was clogged from
    the DoS-like effects and was troublesome all day.
    
    When the lists of infected hosts came down the wire, another member of the
    tech team and I compared the IPs with our account info and called every
    infected user and gave them info and where to get the patch (some didn't
    even know they were compromised or that there was that virus).
    
    For SirCam, we were getting heavy inbound spam from several ISPs (Prodigy
    for example was huge, in the gigs of data range) and our sysadmin blackholed
    them from our server.  We did have one of our customers who was sending
    insane amounts of SirCam spam (like 300-500 emails to ONE person in a short
    span) and threatened to yank her email account.  When it continued despite
    the warning, we spoke with her boss and did pull the plug on her account
    (inbound and out).
    
    That's about it.  I do believe our response was rather good with the data we
    were getting and the situation.
    
    We haven't heard any complaints either way (attacks from us or inbound to
    us), so all is quiet in the tech room *knock on wood* :)
    
    - k
    
    ----- Original Message -----
    From: "Jon O ." <jonoat_private>
    To: <incidentsat_private>
    Sent: Monday, July 30, 2001 8:21 PM
    Subject: Large ISP response to Code Red?
    
    
    > Hi:
    >
    > As we all have seen the call to action regarding Code Red and the
    > next infection phase, I'm wondering what kind of action has been
    > taken by the large ISPs to deal with this issue?
    >
    > The report from CAIDA cited home users are a large part of the
    > problem and another report even went so far as to list the
    > largest offenders by ISP.
    >
    > Have these ISPs confirmed they have taken action to prevent
    > an even worse reinfection phase than the first time and if not
    > why?
    >
    > This is a real case of either being part of the problem or part
    > of the solution and I believe these ISPs should be accountable for
    > their own bandwidth.
    >
    >
    >
    > Thanks,
    > Jon
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 09:24:46 PDT