Security Incidents mailing list archives

RE: Blaster Recurrence


From: "Dave Paris" <dparis () w3works com>
Date: Tue, 3 Feb 2004 09:19:19 -0500

In addition to shutting down unused switch ports, MAC-lock your active ports
to prevent someone from just unplugging one cable and shoving in another
(blocking physical access to the devices in the first place is also a Good
Thing).  MAC-locked DHCP is also helpful... as are VLANs.

When properly configured (which, yes, takes time and resources a lot of
companies aren't willing to expend until they're crippled by something like
this), your network infrastructure can prevent a lot of attack vectors and
make life a little more bearable for the admins charged with keeping peace
on the wires.

Kind Regards,
-dsp

-----Original Message-----
From: Neil Anderson [mailto:cleidh_mor () btopenworld com]
Sent: Monday, February 02, 2004 3:35 PM
To: incidents () securityfocus com
Subject: Re: Blaster Recurrence


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our company and some of our clients had several occurrences of Blaster
re-appearing on patched machines after the first patch - we had to re-patch
with an updated patch.

We found that the most direct route for infection was remote users with
laptop/VPN/no firewall...  Try restricting remote access and I would get
those infected machines off the network, re-installed and patched *before*
reconnection to the network, but that's stating the obvious ;)

Also, if you can, shut down all currently unused switch ports so that foreign
machines can't be connected without you knowing.  If you get someone who has
to connect a foreign machine, scan it first.

Hope this helps.

Cheers,
Neil

Network Engineer.
[...]
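
Added example, not part of either poster's message: a small audit that checks a switch-port inventory against the two measures discussed in this thread (unused ports shut down, active ports MAC-locked) and flags a port whose learned MAC no longer matches its lock, as happens when one cable is swapped for another. The inventory fields, port names and MAC addresses are constructed assumptions, not output from any real switch.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    name: str                  # hypothetical port label
    admin_up: bool             # port is administratively enabled
    in_use: bool               # a device is documented for this port
    locked_mac: Optional[str]  # MAC the port is locked to, None if unlocked
    seen_mac: Optional[str]    # MAC currently learned, None if no link

def norm(mac):
    """Reduce aa:bb:.., aa-bb-.. and aabb.ccdd.eeff notation to 12 hex digits."""
    if mac is None:
        return None
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def audit(ports):
    """Return (port, finding) pairs for every deviation from the policy."""
    findings = []
    for p in ports:
        seen, locked = norm(p.seen_mac), norm(p.locked_mac)
        if not p.in_use:
            if p.admin_up:
                findings.append((p.name, "unused port is enabled"))
            if seen:
                findings.append((p.name, "device present on unused port"))
            continue
        if locked is None:
            findings.append((p.name, "active port is not MAC-locked"))
        elif seen and seen != locked:
            findings.append((p.name, "learned MAC differs from locked MAC"))
    return findings

# Constructed sample inventory (MACs from the IANA documentation range).
SAMPLE = [
    Port("Gi0/1", True, True, "00:00:5E:00:53:01", "0000.5e00.5301"),
    Port("Gi0/2", True, True, "00:00:5E:00:53:02", "00-00-5e-00-53-99"),
    Port("Gi0/3", True, True, None, "00:00:5e:00:53:03"),
    Port("Gi0/4", True, False, None, None),
    Port("Gi0/5", False, False, None, None),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```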


