YORK-ANNOUNCE-L Archives

York U. announcements list - READ ONLY

YORK-ANNOUNCE-L@YORKU.CA

From: Donal Lynch <[log in to unmask]>
Date: Fri, 29 Aug 2003 15:09:55 -0400

There are still a significant number of computers on campus that are
infected with either the Welchia/Nachia worm or the Blaster Worm
(see http://www.yorku.ca/infosec/Advisories/virus_progress.html).

The procedures used to block the negative network traffic coming
from these machines are placing a significant load on our network
routers.  In some cases, the excess load is actually starting to
impact network performance causing people to lose their connections
to servers or services on campus.

Under normal circumstances, when CNS becomes aware that machines on
campus have become infected we attempt to contact the user, or the
local computing support department.  If we are unable to contact
somebody who can't remove the infection from the computer, we
disable the computer's network port.  Unfortunately, the impact that
these unpatched and infected computers are having on our network is
so large that we have no choice but to immediately disable network
access for the infected or unpatched computers without contacting
the user or local support group.

Removal tools for the Welchia/Nachia and Blaster worms can be found
here:

Welchia/Nachia:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Blaster:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

People who find that they have lost network access should contact
their local computing support group to arrange to have their
computer scanned, cleaned and patched.  Once the local support group
is satisfied that the machine is clean, the local computing support
group should contact the CNS Helpdesk ([log in to unmask])  and
inform them that the machine in question has been cleaned and can be
reconnected.  The local support group must include the IP address of
the machine in question in their email to the helpdesk.

Questions or concerns about this note should be directed to
the CNS Helpdesk in the Computing Commons, William Small Centre,
(voice: 416-736-5800, email: [log in to unmask]).

---------- Forwarded message ----------
Date: Thu, 28 Aug 2003 14:43:50 -0400 (EDT)
From: Donal Lynch <[log in to unmask]>
Reply-To: [log in to unmask]
To: York U. announcements list <[log in to unmask]>
Subject: Update: Network Service Interruptions - August 28

CNS has taken steps to mitigate the impact of the DOS attack
mentioned below.

Given the information currently available it appears that this
attack is being caused by computers infected with the W32.Welchia
worm.  A significant portion of the attack is coming from machines
at York that still have not been cleaned and/or patched properly.

In order to block the attack, we are now blocking ICMP packets that
are 92 bytes long at the router interfaces. Unfortunately, the
amount of traffic generated on-campus by infected machines is so
significant that simply blocking it is placing a large load on the
campus routers.  CNS will continue to monitor the situation.

Questions or concerns about this note should be directed to
the CNS Helpdesk in the Computing Commons, William Small Centre,
(voice: 416-736-5800, email: [log in to unmask]).

---------- Forwarded message ----------
Date: Thu, 28 Aug 2003 12:06:19 -0400
From: Donal Lynch <[log in to unmask]>
Reply-To: [log in to unmask]
To: [log in to unmask]
Subject: Network Service Interruptions - August 28
Resent-Subject: Network Service Interruptions - August 28

York's Network is currently suffering from a significant Denial of
Service (DOS) Attack.  At this point, the attacks appear to be
coming from a large number of computers at York and from the
Internet. This attack is negatively impacting network performance
and blocking access to network resources.  CNS is working to address
the problem, but it may take several hours before service returns to
normal.

Questions or concerns about this note should be directed to
the CNS Helpdesk in the Computing Commons, William Small Centre,
(voice: 416-736-5800, email: [log in to unmask]).
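
Added example, not part of the original announcement and not CNS's own tooling: one way the 92-byte ICMP signature from the August 28 update could be used to list on-campus source addresses for scanning, cleaning and patching. The key=value log format, the campus prefix and the threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed campus prefix (placeholder)
ICMP_LEN = 92    # packet length the announcement says is blocked at the routers
MIN_TARGETS = 3  # assumed threshold: distinct destinations before a host is flagged

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) len=(?P<len>\d+)")

# Constructed sample lines in a hypothetical key=value log format (not real traffic).
SAMPLE_LOG = """\
2003-08-28T14:01:02 src=10.20.1.15 dst=10.20.2.1 proto=icmp len=92
2003-08-28T14:01:02 src=10.20.1.15 dst=10.20.2.2 proto=icmp len=92
2003-08-28T14:01:03 src=10.20.1.15 dst=10.20.2.3 proto=icmp len=92
2003-08-28T14:01:03 src=10.20.7.40 dst=10.20.2.1 proto=icmp len=84
2003-08-28T14:01:04 src=10.20.7.40 dst=10.20.2.9 proto=tcp len=92
2003-08-28T14:01:04 src=192.0.2.77 dst=10.20.2.1 proto=icmp len=92
2003-08-28T14:01:05 src=192.0.2.77 dst=10.20.2.2 proto=icmp len=92
2003-08-28T14:01:05 src=192.0.2.77 dst=10.20.2.3 proto=icmp len=92
2003-08-28T14:01:06 src=10.20.9.8 dst=10.20.2.1 proto=icmp len=92
2003-08-28T14:01:07 truncated line without fields
"""

def flag_campus_hosts(log_text, min_targets=MIN_TARGETS):
    """Map each campus source IP to its count of distinct 92-byte ICMP
    destinations, keeping only sources that reach min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or truncated line
        if m["proto"] != "icmp" or int(m["len"]) != ICMP_LEN:
            continue  # not the signature being filtered
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # unparsable source address
        if src in CAMPUS_NET:  # only campus hosts can have a port disabled
            targets[str(src)].add(m["dst"])
    return {ip: len(d) for ip, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for ip, count in flag_campus_hosts(SAMPLE_LOG).items():
        print(f"{ip}: 92-byte ICMP to {count} distinct destinations")
```

The distinct-destination threshold keeps a single 92-byte ICMP packet from one host from putting that host on the list.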
