I work for an ISP. We were doubly hit by this, as we primarily do DSL and use Cisco 675 routers and we also primarily sell to businesses who run their own servers on these lines. As users came in with Cisco issues, we upgraded the IOS, as per instructions from the DSLAM provider/CLEC (they didn't tell us it was a worm, just that there were issues with Cisco 67xs and to upgrade. I found the whole truth out later when I got home and read this list).

Our servers were patched and not affected, however the DNS was clogged from the DoS-like effects and was troublesome all day. When the lists of infected hosts came down the wire, myself and another on the tech team compared the IPs with our account info and called every infected user and gave them info and where to get the patch (some didn't even know they were compromised or that there was that virus).

For SirCam, we were getting heavy inbound spam from several ISPs (Prodigy for example was huge, in the gigs of data range) and our sysadmin blackholed them from our server. We did have one of our customers who was sending insane amounts of SirCam spam (like 300-500 emails to ONE person in a short span) and threatened to yank her email account. When it continued despite the warning, we spoke with her boss and did pull the plug on her account (inbound and out).

That's about it. I do believe our response was rather good with the data we were getting and the situation. We haven't heard any complaints either way (attacks from us or inbound to us), so all is quiet in the tech room *knock on wood* :)

- k

----- Original Message -----
From: "Jon O ." <jonoat_private>
To: <incidentsat_private>
Sent: Monday, July 30, 2001 8:21 PM
Subject: Large ISP response to Code Red?

> Hi:
>
> As we all have seen the call to action regarding Code Red and the
> next infection phase, I'm wondering what kind of action has been
> taken by the large ISPs to deal with this issue?
>
> The report from CAIDA cited home users are a large part of the
> problem and another report even went so far as to list the
> largest offenders by ISP.
>
> Have these ISPs confirmed they have taken action to prevent
> an even worse reinfection phase than the first time and if not
> why?
>
> This is a real case of either being part of the problem or part
> of the solution and I believe these ISPs should be accountable for
> their own bandwidth.
>
>
>
> Thanks,
> Jon
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 09:24:46 PDT