Heald, Tim wrote:
>
> How bad is it for other people?

Personally, about 30 from on campus systems and bounces to spoofed email addresses.

> I am writing a special topic paper on Sobig and the Blaster variants, and
> tying it into change/patch management practices. I would really love to
> hear back from anyone that's been hit, about how they have dealt with it.

TU Delft campus:
12000 computers managed by IT people
4200 dorm rooms at 100 Mbps
2000 computers at DSL

Infrastructure:
block on incoming traffic to port 25, everything goes through the gateway
3 mail gateway machines (load balanced) running RAV antivirus
block on incoming and outgoing traffic on port 135

Blaster was a mess, at least 200 infected systems. And we were lucky, due to the propagation algorithm it took until Monday before the lower /17 was affected. Not much difference between the infection rate on computers maintained by IT staff and by the students themselves at home.

Sobig maybe a dozen infections. Mail gateways set to silently drop viruses so not much traffic from that. What was somewhat of a problem is that the McAfee virus signature file only became available 4 hours after the initial outbreak. Due to timing, there was very little impact on campus. It was very late already and the next day all the nightly processes had updated the scanners. But this was different for students at home (if they ran a virus scanner at all). If I had to guess, I would say about half a million infected emails total.

If you are infected, your connection goes down.

> Also those that weren't affected, what practices and policies do you have
> in place to help you mitigate some of the threat?

Central IT staff has authority to scan preemptively for computers that are vulnerable to the DCOM-RPC vulnerability. They are taken offline, even if not infected, until secured. Policy goes into effect on Friday.

Jochem
