Security Incidents mailing list archives

Re: Large ISP response to Code Red?


From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 30 Jul 2001 20:40:21 -0600

As we all have seen the call to action regarding Code Red and the
next infection phase, I'm wondering what kind of action has been
taken by the large ISPs to deal with this issue?

During the last period of criticality we were able to identify and
isolate most problems as they occurred. Measuring the CPU and memory
usage on routers (via MRTG) can be quite helpful in diagnosing problems
like these. Those ISPs who don't/can't react to outbreaks at client
sites, particularly those with high-speed connections, may well see
router memory depleted by the virus, which should help limit its
spread.

Tracking CPU usage in particular has been helpful in many other cases
where a client was compromised (or being attacked; router CPU doesn't
normally change state more than +/-5% in any given five-minute period
unless there's something wrong going on). With IOS accounting it's not
hard to see who's port scanning, and with an aggressive virus like Code
Red it's also easy to see the infected machines, since they'll connect to
hundreds of random hosts in just a few seconds. Very busy networks or
sites with a firewall can make more specific diagnoses difficult.

So our response when the virus cycles itself tomorrow will be to keep an
eye on the graphs and respond as necessary. Null0 is our friend and
readily accepts all the crap that the rest of the Net doesn't need.

Mike
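The two checks the post describes, written out as an added example (this is not code from the original message or from the poster's network): a scan of IOS IP accounting output for sources that touch many distinct destinations with tiny flows, the static routes that would send those hosts to Null0, and a pass over five-minute CPU samples that flags any swing larger than the +/-5% the post calls normal. The accounting text is constructed and only modelled on the Source/Destination/Packets/Bytes column layout of `show ip accounting`; the CPU samples are constructed too, and the thresholds are assumptions to tune per router.

```python
"""Spot scanners in IOS IP accounting output and abnormal router CPU swings.

Added example; all sample data below is constructed, not captured traffic.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the column layout of `show ip accounting`.
# Assumption: one source/destination pair per line. 192.0.2.10 is a normal
# client with two fat flows; 192.0.2.77 sends one tiny packet to each of
# 150 distinct hosts, the pattern of a Code Red style scan.
SAMPLE_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 192.0.2.10         198.51.100.5              812                  973412
 192.0.2.10         198.51.100.9              640                  761200
""" + "".join(
    f" 192.0.2.77         203.0.113.{i:<3}            1                    48\n"
    for i in range(1, 151)
)

# Constructed five-minute samples of router CPU percent, as MRTG would log.
SAMPLE_CPU = [("12:00", 22), ("12:05", 24), ("12:10", 23),
              ("12:15", 41), ("12:20", 58), ("12:25", 57)]

LINE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ip_accounting(text):
    """Yield (src, dst, packets, bytes) for each data line; the header is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def find_scanners(text, min_destinations=100, max_avg_bytes=100):
    """Return {src: distinct_destination_count} for sources that look like scanners.

    A scanner reaches many distinct hosts and its average packet is small
    (SYNs that mostly go unanswered); a busy legitimate host reaches fewer
    hosts with far more bytes per packet. Thresholds are assumptions.
    """
    dsts = defaultdict(set)
    bytes_total = defaultdict(int)
    pkts_total = defaultdict(int)
    for src, dst, pkts, nbytes in parse_ip_accounting(text):
        dsts[src].add(dst)
        bytes_total[src] += nbytes
        pkts_total[src] += pkts
    return {
        src: len(d) for src, d in dsts.items()
        if len(d) >= min_destinations
        and bytes_total[src] / pkts_total[src] <= max_avg_bytes
    }


def null0_routes(hosts):
    """IOS static host routes that send traffic for the flagged hosts to Null0."""
    return [f"ip route {h} 255.255.255.255 Null0" for h in sorted(hosts)]


def cpu_alerts(samples, max_delta=5):
    """Return (time, before, after) for each sample that moved more than
    max_delta points from the previous one; samples is [(label, cpu_percent)]."""
    alerts = []
    for (_, c0), (t1, c1) in zip(samples, samples[1:]):
        if abs(c1 - c0) > max_delta:
            alerts.append((t1, c0, c1))
    return alerts


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_ACCOUNTING)
    print("scanning hosts:", scanners)
    for route in null0_routes(scanners):
        print(route)
    for when, before, after in cpu_alerts(SAMPLE_CPU):
        print(f"CPU jump at {when}: {before}% -> {after}%")
```

One caveat on the Null0 part: a static route to Null0 drops packets destined to that address. To drop packets sourced from an infected client on the same router, pair it with loose-mode uRPF (`ip verify unicast source reachable-via any` on the ingress interface), which discards packets whose source address routes to Null0, or use an ingress ACL instead.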




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com