From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 05:21:07 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF02A16A4B3 for ; Mon, 27 Oct 2003 05:21:07 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 08FA243FAF for ; Mon, 27 Oct 2003 05:21:07 -0800 (PST) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id GAA25849; Mon, 27 Oct 2003 06:20:59 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031027061831.04c88c18@localhost>
X-Sender: brett@localhost (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Mon, 27 Oct 2003 06:20:55 -0700
To: Ross Wheeler , Jason Stone
From: Brett Glass
In-Reply-To:
References: <20031027030027.B8440@walter>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Oct 2003 13:21:08 -0000

At 04:23 AM 10/27/2003, Ross Wheeler wrote:
>The "best" option is to actively monitor for this worm (it's NOT difficult,
>a few lines of awk and tcpdump does fine here), *DETECT* the worm on your
>customer's machine, mail them, mail your support team and BOOT THEM.

That's assuming it's your customer. We're being flooded from OUTSIDE. There seem to be approximately one zillion hacked Windows machines out there, and zero inside our networks (because we're blocking the appropriate ports).
We've had only one infection behind that particular router, and it came when someone brought in a laptop that had been connected elsewhere. --Brett
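The detection Ross describes (a few lines of awk over tcpdump output) together with the filtering the subject line asks about, as an added example that is not part of the thread and not code from either poster. It assumes tcpdump's default one-line `-nn` ICMP output format, the widely documented Welchia/Nachi probe signature (an ICMP echo request carried in a 92-byte IP datagram, which tcpdump reports as ICMP `length 72`), a constructed sample capture rather than a real one, and FreeBSD ipfw rule syntax; the threshold, function names and `SAMPLE` variable are mine.

```shell
#!/bin/sh
# Added example for the "Nachi pings" thread; not the list's or any poster's code.
# Assumption: tcpdump -nn prints ICMP probes as
#   <time> IP <src> > <dst>: ICMP echo request, id N, seq M, length L
# and a Welchia/Nachi probe shows "length 72" (64 data bytes + 8-byte ICMP header,
# i.e. a 92-byte IP datagram). Check the figure against your own captures.

# Constructed sample capture (not real traffic): one noisy host, one normal
# 64-byte ping and its reply, and one host sending a single 72-byte probe.
SAMPLE="$(cat <<'EOF'
12:00:01.000001 IP 10.0.0.5 > 192.0.2.1: ICMP echo request, id 512, seq 1, length 72
12:00:01.000120 IP 10.0.0.5 > 192.0.2.2: ICMP echo request, id 512, seq 2, length 72
12:00:01.000240 IP 10.0.0.5 > 192.0.2.3: ICMP echo request, id 512, seq 3, length 72
12:00:01.000360 IP 10.0.0.5 > 192.0.2.4: ICMP echo request, id 512, seq 4, length 72
12:00:02.000000 IP 10.0.0.9 > 192.0.2.1: ICMP echo request, id 700, seq 1, length 64
12:00:02.500000 IP 10.0.0.9 > 192.0.2.1: ICMP echo reply, id 700, seq 1, length 64
12:00:03.000000 IP 10.0.0.7 > 192.0.2.8: ICMP echo request, id 300, seq 1, length 72
EOF
)"

# nachi_suspects THRESHOLD: read tcpdump lines on stdin and print "count src"
# for every source that sent at least THRESHOLD 72-byte echo requests.
# A single matching ping is not evidence; the worm scans many hosts quickly.
nachi_suspects() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        /ICMP echo request/ && /length 72$/ {
            # field 3 is the source address in -nn output
            count[$3]++
        }
        END {
            for (s in count) if (count[s] >= thr) print count[s], s
        }
    ' | sort -rn
}

# ipfw_deny_rules: turn "count src" lines into FreeBSD ipfw rules that drop
# inbound echo requests from each flagged source. The rules are printed for
# review, not applied.
ipfw_deny_rules() {
    awk '{ printf "ipfw add deny icmp from %s to any icmptypes 8 in\n", $2 }'
}

# demo_suspects: run the detector over the constructed sample with a threshold of 3.
demo_suspects() {
    printf '%s\n' "$SAMPLE" | nachi_suspects 3
}

demo_suspects | ipfw_deny_rules
```

The awk program only reports at end of input, so for live use feed it a bounded capture (for example `tcpdump -nn -c 1000 icmp | nachi_suspects 20`) rather than an open-ended stream; against the sample, only 10.0.0.5 crosses the threshold, the ordinary 64-byte ping from 10.0.0.9 never matches, and the single probe from 10.0.0.7 is left alone.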