> As we all have seen the call to action regarding Code Red and the
> next infection phase, I'm wondering what kind of action has been
> taken by the large ISPs to deal with this issue?

During the last period of criticality we were able to identify and isolate most problems as they occurred. Measuring the CPU and memory usage on routers (via MRTG) can be quite helpful in diagnosing problems like these. Those ISPs who don't/can't react to outbreaks at client sites, particularly those with high-speed connections, may well see router memory depleted by the virus, which should help limit its spread.

Tracking CPU usage in particular has been helpful in many other cases where a client was compromised (or being attacked; router CPU doesn't normally change state more than +/-5% in any given five-minute period unless there's something wrong going on). With IOS accounting it's not hard to see who's port scanning, and with an aggressive virus like Code Red it's also easy to see the infected machines, since they'll connect to hundreds of random hosts in just a few seconds. Very busy networks or sites with a firewall can make more specific diagnoses difficult.

So our response when the virus cycles itself tomorrow will be to keep an eye on the graphs and respond as necessary. Null0 is our friend and readily accepts all the crap that the rest of the Net doesn't need.

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
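The two checks Mike describes (a router CPU sample that moves more than +/-5% between five-minute MRTG polls, and a source that opens connections to hundreds of distinct hosts within a few seconds) can be expressed as simple detection logic. The block below is an added example written for this archive page, not code from the original post or from SecurityFocus. The CPU samples and the connection records are constructed; the per-connection (timestamp, source, destination) record format is an assumption standing in for whatever per-flow data IOS accounting exports, and the thresholds, window size and addresses are illustrative, not values from the post.

```python
from collections import Counter, defaultdict

# Constructed five-minute CPU samples (percent), as MRTG would graph them:
# flat around 20% with one step up to ~50% standing in for a compromised client.
CPU_SAMPLES = [19, 21, 20, 22, 20, 48, 51, 50, 49, 23, 21]

# Constructed connection records: (seconds since poll start, source, destination).
# Host 10.0.0.7 plays a Code Red-style scanner: 200 distinct destinations in
# five seconds. Host 10.0.0.9 is a normal client with three connections.
# The (ts, src, dst) layout is an assumption, not real IOS accounting output.
CONNECTIONS = (
    [(i // 40, "10.0.0.7", f"198.51.100.{i % 250 + 1}") for i in range(200)]
    + [(0, "10.0.0.9", "203.0.113.5"),
       (5, "10.0.0.9", "203.0.113.5"),
       (30, "10.0.0.9", "203.0.113.6")]
)


def cpu_anomalies(samples, threshold=5.0):
    """Return (index, delta) for every sample whose change from the previous
    sample exceeds `threshold` percentage points in either direction."""
    flagged = []
    for i in range(1, len(samples)):
        delta = samples[i] - samples[i - 1]
        if abs(delta) > threshold:
            flagged.append((i, delta))
    return flagged


def scan_suspects(records, window=5, min_distinct=50):
    """Return {src: peak distinct destinations} for every source that reached
    at least `min_distinct` distinct destinations inside any span of
    `window` seconds (inclusive, so window=5 covers ts-5 .. ts)."""
    by_src = defaultdict(list)
    for ts, src, dst in records:
        by_src[src].append((ts, dst))

    suspects = {}
    for src, conns in by_src.items():
        conns.sort()                 # sort by timestamp, then destination
        in_window = Counter()        # destination -> connections still in window
        left = 0
        peak = 0
        for ts, dst in conns:
            in_window[dst] += 1
            # Slide the left edge forward past anything older than the window.
            while conns[left][0] < ts - window:
                old_dst = conns[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            suspects[src] = peak
    return suspects


def null_route_commands(suspects):
    """Build IOS static-route lines sending each flagged host to Null0.
    Routing is by destination, so this alone drops traffic *to* the host;
    dropping packets *from* it as well needs unicast RPF or an ACL."""
    return [f"ip route {src} 255.255.255.255 Null0" for src in sorted(suspects)]


if __name__ == "__main__":
    print("CPU anomalies:", cpu_anomalies(CPU_SAMPLES))
    hits = scan_suspects(CONNECTIONS)
    print("Scan suspects:", hits)
    for line in null_route_commands(hits):
        print(line)
```

On the constructed data the CPU check flags the jump at sample 5 and the drop at sample 9, and only 10.0.0.7 crosses the distinct-destination threshold. The sliding window counts distinct destinations rather than raw packets, which keeps a legitimately chatty client talking to one or two servers (10.0.0.9 here) out of the suspect list; as the post notes, a site behind NAT or a firewall collapses many hosts into one source address, so a hit there identifies the site, not the machine.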
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 09:30:48 PDT