Security Incidents mailing list archives

Re: Large ISP response to Code Red?


From: "kath" <kath () kathweb net>
Date: Tue, 31 Jul 2001 00:10:43 -0400

I work for an ISP.  We were doubly hit by this, as we primarily do DSL and
use Cisco 675 routers and we also primarily sell to businesses who run their
own servers on these lines.

As users came in with Cisco issues, we upgraded the IOS, as per instructions
from the DSLAM provider/CLEC (they didn't tell us it was a worm, just that
there were issues with Cisco 67xs and to upgrade.  I found the whole truth
out later when I got home and read this list).

Our servers were patched and not affected, however the DNS was clogged from
the DoS-like effects and was troublesome all day.

When the lists of infected hosts came down the wire, another member of the
tech team and I compared the IPs with our account info and called every
infected user and gave them info and where to get the patch (some didn't
even know they were compromised or that there was that virus).

For SirCam, we were getting heavy inbound spam from several ISPs (Prodigy
for example was huge, in the gigs of data range) and our sysadmin blackholed
them from our server.  We did have one of our customers who was sending
insane amounts of SirCam spam (like 300-500 emails to ONE person in a short
span) and threatened to yank her email account.  When it continued despite
the warning, we spoke with her boss and did pull the plug on her account
(inbound and out).

That's about it.  I do believe our response was rather good with the data we
were getting and the situation.

We haven't heard any complaints either way (attacks from us or inbound to
us), so all is quiet in the tech room *knock on wood* :)

- k
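The two abuse-desk steps the reply describes (matching a published infected-host list against customer records, and spotting one account flooding a single recipient with mail) as an added example. This is not code from the original post or from any ISP; the account names, netblocks and log lines are constructed for the example, and the log format and thresholds are assumptions.

```python
"""Added example (not from the original post): ISP abuse-desk triage.

Two checks modelled on the thread above, with all data constructed inline:
  1. Match a published list of infected hosts against customer netblocks so
     the right account holder can be notified.
  2. Flag a customer whose outbound mail to a single recipient spikes, the
     SirCam pattern the post describes (hundreds of messages to one person).
Account records, IP ranges, log format and log lines are all made up here.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed customer records: account name -> netblocks assigned to that line.
CUSTOMERS = {
    "acme-widgets": ["192.0.2.0/29"],
    "bob-consulting": ["198.51.100.16/28"],
    "home-user-17": ["203.0.113.45/32"],
}

# Constructed "infected hosts" list, one IP per line, as such lists were circulated.
INFECTED_HOSTS = """
192.0.2.3
198.51.100.20
203.0.113.45
203.0.113.99
not-an-ip
"""

# Constructed outbound mail log (assumed format): timestamp, sender, recipient.
MAIL_LOG = """
2001-07-30 09:00:01 from=alice@example.net to=victim@example.org
2001-07-30 09:00:45 from=alice@example.net to=victim@example.org
2001-07-30 09:01:30 from=carol@example.net to=dave@example.org
2001-07-30 09:02:10 from=alice@example.net to=victim@example.org
2001-07-30 09:03:05 from=alice@example.net to=victim@example.org
2001-07-30 09:04:00 from=alice@example.net to=victim@example.org
2001-07-30 09:30:00 from=alice@example.net to=victim@example.org
2001-07-30 10:00:00 from=carol@example.net to=dave@example.org
"""
LOG_RE = re.compile(r"^(\S+ \S+) from=(\S+) to=(\S+)$")


def build_index(customers):
    """Return (network, account) pairs sorted most-specific first."""
    index = [(ipaddress.ip_network(block), account)
             for account, blocks in customers.items() for block in blocks]
    # Longest prefix first so a /32 wins over any enclosing block.
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def match_infected(infected_text, customers):
    """Map each listed IP to the owning account, or None if it is not ours."""
    index = build_index(customers)
    result = {}
    for line in infected_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip malformed entries instead of aborting the whole run
        result[str(ip)] = next((acct for net, acct in index if ip in net), None)
    return result


def mail_bursts(log_text, threshold, window_minutes):
    """Return {(sender, recipient): peak_count} for pairs that reached
    `threshold` messages inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        stamps_by_pair[(m.group(2), m.group(3))].append(ts)
    flagged = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, account in match_infected(INFECTED_HOSTS, CUSTOMERS).items():
        print(f"{ip:16} -> {account or 'not our customer'}")
    for (sender, rcpt), peak in mail_bursts(MAIL_LOG, 5, 10).items():
        print(f"burst: {sender} -> {rcpt}, {peak} messages in 10 min")
```

The netblock index is sorted longest-prefix-first so a single-address assignment is attributed correctly even when it sits inside a larger block handed to another account; the burst check uses a sliding window so a steady trickle over a day does not trip it but a few hundred messages to one address in minutes does.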

----- Original Message -----
From: "Jon O ." <jono () microshaft org>
To: <incidents () securityfocus com>
Sent: Monday, July 30, 2001 8:21 PM
Subject: Large ISP response to Code Red?


Hi:

As we all have seen the call to action regarding Code Red and the
next infection phase, I'm wondering what kind of action has been
taken by the large ISPs to deal with this issue?

The report from CAIDA cited home users are a large part of the
problem and another report even went so far as to list the
largest offenders by ISP.

Have these ISPs confirmed they have taken action to prevent
an even worse reinfection phase than the first time and if not
why?

This is a real case of either being part of the problem or part
of the solution and I believe these ISPs should be accountable for
their own bandwidth.



Thanks,
Jon

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
