
Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows



--On Saturday, September 27, 2003 7:30 AM -0400 Karl DeBisschop <kdebisschop@xxxxxxxxxxxxxxxxxxxx> wrote:

> I imagine mail out of that subnet passes through a proxy server with spam and virus detection.

Yes. And they will get an entirely different DNS server (through DHCP) that will only resolve the hosts that we want them to resolve. :-)

> This is a cute concept Paul. You've got a pretty challenging environment
> there, and this looks like a creative and functional help for you. It
> will be interesting to hear how well this ends up working for you and
> what evolution it goes through. For instance, if your security policy
> includes supporting diversification, you could add connections to
> mirrored Linux and/or (Net|Free|Open)BSD distros (which would be easy
> enough to mirror locally).

That's the plan, although the focus right now is completely on the Microsoft clients. I recently suggested that we should switch all MS clients to Mac OS X. :-) They actually didn't laugh this time.

We already are pretty diversified. Our "backoffice" stuff is primarily Solaris, but we've got plenty of Linux flavors, HP-UX, SGI, FreeBSD, OpenBSD, etc.

> Maybe this concept is already widely in use at academia. If it is not,
> it may soon be.

The ideas along this line have been floating around for some time and variations of it have been implemented during the Blaster mess, but I haven't seen this *exact* idea espoused. Don't misunderstand. It's not really my idea. It's more a result of ongoing discussions amongst a group of us, with me and others throwing out various thoughts and input from a number of mailing lists that we read, all thrown together into a stewpot and stirred vigorously. :-)

The implementation will require the skills of other people. I'm not a DNS expert nor a switching/routing expert, but we have guys that are, and they're figuring out the implementation now.

Essentially what would happen is a person's MAC address would end up in the "evil" file and their connection would be killed. Then DHCP would see their next REQUEST and ACK an address in the "evil vlan" (10.x.x.x so they can't serve anything or get off campus without translation) with a special DNS server that resolves the vendor's patch site, our gateway mail server and a web page that warns them of the problem. Eventually mirroring could enter into the equation as well. We already mirror all MS patches and AV stuff locally anyway.

As much as possible we're trying to eliminate work for us and put the onus on the user to fix their problem, with help from IT if they need it.

Eventually I can see us putting hosts in there that have been hacked, tagged, infected, whatever. Personally I'd like to put them in there if they're simply vulnerable, not hacked, but I haven't yet persuaded the powers that be that we should be that "draconian". (I prefer to see it as proactive.)

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
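The quarantine mechanism Paul sketches above (an "evil" MAC file, a DHCP scope on a 10.x "evil vlan", and a DNS server that only answers truthfully for the patch site, the mail gateway and a warning page) can be modelled end to end. The following is an added example, not code from the thread or from UT Dallas: the file format, the 10.66.0.0/16 quarantine range, the RFC 5737 documentation addresses, and the hostnames (mailgw.example.edu, fixme.example.edu) are all assumptions. The DNS part shows the one check that matters in a captive resolver: allowlist matching on label boundaries, so that "evilwindowsupdate.com" is not treated as part of "windowsupdate.com".

```python
"""Quarantine-VLAN policy model: the "evil" MAC list, the DHCP scope
decision, and the captive DNS view that resolves only allowed names.
Added example; every address and hostname below is a made-up assumption."""
import ipaddress
import re

# Constructed sample "evil" file. Assumed format: one MAC per line, free-text
# note after it, '#' comments, and whatever separator/case the reporting tool used.
EVIL_FILE = """\
# hosts flagged by the IDS / AV gateway
00:0c:29:ab:cd:ef   blaster, seen 2003-09-26
00-0C-29-12-34-56   nachi
000c29deadbe        manual entry
"""

# Assumed DHCP scopes (RFC 5737 documentation range stands in for the campus net).
NORMAL_DHCP = {"pool": ipaddress.ip_network("198.51.100.0/24"), "dns": "198.51.100.53"}
EVIL_DHCP = {"pool": ipaddress.ip_network("10.66.0.0/16"), "dns": "10.66.0.1"}

# Names the quarantine DNS answers truthfully (assumed zones and addresses).
# Anything else resolves to the warning page.
WARN_IP = "10.66.0.2"              # web server hosting the "you are quarantined" page
ALLOW = {
    "windowsupdate.com": "192.0.2.10",   # vendor patch site (or a local mirror of it)
    "windowsupdate.microsoft.com": "192.0.2.11",
    "mailgw.example.edu": "10.66.0.3",   # campus gateway mail server
    "fixme.example.edu": WARN_IP,        # the warning page itself
}


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or 12 bare hex digits; emit lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_evil_macs(text):
    """Parse the evil file: strip comments/blank lines, take the first token as the MAC."""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            macs.add(normalize_mac(line.split()[0]))
    return macs


def dhcp_offer(mac, evil_macs, hostnum=10):
    """Pick the scope for a client's DHCP REQUEST: quarantine pool if its MAC is listed."""
    scope = EVIL_DHCP if normalize_mac(mac) in evil_macs else NORMAL_DHCP
    addr = scope["pool"].network_address + hostnum
    return {"ip": str(addr), "dns": scope["dns"], "quarantined": scope is EVIL_DHCP}


def _in_zone(qname, zone):
    """True when qname is the zone apex or a subdomain of it; label boundary respected."""
    return qname == zone or qname.endswith("." + zone)


def quarantine_resolve(qname, allow=ALLOW, warn_ip=WARN_IP):
    """Captive DNS view: allowed zones get their real address, everything else the warning page."""
    q = qname.rstrip(".").lower()
    for zone, ip in allow.items():
        if _in_zone(q, zone):
            return ip
    return warn_ip


if __name__ == "__main__":
    evil = load_evil_macs(EVIL_FILE)
    print(dhcp_offer("00:0C:29:AB:CD:EF", evil))   # lands in 10.66.0.0/16 with the captive DNS
    print(dhcp_offer("00:11:22:33:44:55", evil))   # normal scope
    for name in ("download.windowsupdate.com.", "evilwindowsupdate.com", "www.example.org"):
        print(name, "->", quarantine_resolve(name))
```

Note that the DNS view is only the user-facing half of the control: a client with a hard-coded resolver or a raw IP address ignores it entirely. What actually confines the host is the non-routed 10.x addressing with no translation off campus, exactly as the message above puts it; the captive resolver just steers the user to the patch mirror and the warning page.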


_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html