Exeter Uni goes offline to fight mystery malware The University of Exeter took the unusual step of temporarily taking its network down this week in response to a virulent virus outbreak. Computers at the south west England university were taken offline on Monday for a clean-up in response to an unidentified malware outbreak, which has since been contained. By Thursday the …
You have a site with hundreds of computers linked by a gigabit LAN to some pretty high-speed servers hosting millions of pounds worth of research data (and all the clerical, admin, student work etc) and there's a particularly virulent worm making its way around your network. It's been stated that it corrupts data on infected machines.
If the choice comes down to "Drop the switches, lose live data, save the majority of stored data" or "Stay up, risk reinfection of cleaned clients, potentially lose large quantities of stored data" I'd have the breaker out faster than you can say "I'm in the middle of a COMMIT!"
Where'd that link go to the old, old security report surrounding the appearance and rapid spread of the first internet worm? I can't remember what the response was now - let it run riot to best study and eradicate it, or start isolating stuff ASAP, firebreak style, and communicating over phone and limited email links instead.
I suppose full marks are due to those who shut down the system to limit the damage but when everything seems to rely on a big interconnected network the phrase "putting your eggs in one basket" spings to mind. Why does everything have to be so network based when it is a prime target for those who are not adept to living in a civilised society?
I would have thought that some form of back-up (yes, I konw it's old fashioned, but it works) network in a limited form could at least have kept the VoIP working. Good job the mobile phone network wasn't taken out as well!
Have a nice day.
I'm pretty sure the IP Phones where I am use completely different subnet addresses, switches and the like. They are able to share the PC ethernet cables in a limited way, to allow for ease of location, but the traffic for the two different systems is quickly filtered apart at the nearest reasonably smart router (some areas are devoid of IP Phone or have them on dedicated sockets because there aren't enough of the said routers about).
Shouldn't have been too hard to say "ban all traffic from devices on IPs X thru Y but allow that on A thru B"? Or even, for certain domain based nets, ban them by MAC list...
But then when you notice something awful happening and dive for the Big Red Switch there may not be time for considerations like that. If we had something similar going on, we may suffer just as bad. And now I'm trying to remember if the phones were affected that one time we had a NIC in a remote part of the building run wild and start barfing 1000 broadcast packets a second over the entire LAN... probably so? But then we do also have an analogue PBX kicking about for emergency backup anyway.
Thinking of your first point though, this is why chucking all your stuff in the cloud is risky. I'll stick with my plethora of optical backups and flashdrives. Sneakernet is hard to kill without a rifle.
"Graham Cluley, senior technology consultant at Sophos, said that systems may have been taken offline to fight a worm that exploited a specific vulnerability, perhaps involving Vista. Cluley added that although disconnecting systems is not standard practice in malware cleanups, it may be necessary to stop a handful of systems reinfecting everything else."
Sure it's very often a first response action?! Find the source of the outbreak and if possible isolate the bastard(s) asap! Then clean or destroy as necessary taking time to do it properly without worrying about what further damage it can do.
Place I'm working at recently had a problem with a rogue laptop (ironically an unauthorised pen-tester who's script got carried away and started locking out domain accounts!). One of the first responses was to track down the source via MAC address and then shutdown that switch port. Second response was to find the muppet and have a *quiet* word with him, and the manager who let him onsite... ;-)
Sophos is rather over-paranoid in my limited experience. You're unlikely to get any nasty infections whilst making use of their services, but at the same time you may find it rather difficult to get any work done either. If the programs you need aren't being auto quarantined or firewalled, then it's running endless PC-crippling scans and finding lots of "suspect" files to put in data-jail.
Though it may ultimately pay off in THESE situations!
Was? It always has been! The network's run by University College Falmouth, and is completely separate from the main Streatham/St Luke's network anyway.
It's been quite a laugh sitting here, watching the panicky emails come in. I feel rather smug.
It's surprising that there's been almost no report on the topology of the affected network, and how that ultimately contributed to the large-scale effects of this incident.
As with most universities, Exeter University widely uses public IP addresses in it's 144.173.0.0/16 primary network allocation for connected devices (this huge subnet means there's no technical requirement for any address translation since they're a long way from subnet exhaustion).
However, the University regularly uses /21 (255.255.248.0) subnets internally, with insufficient segregation [with VLANs] of logical segments. In addition, many network segments are wired in long spurs, which means that isolating one network segment may necessarily require isolation of cascaded segments which needn't have been architechted in that way.
Finally, and arguably most importantly, the university uses no internally firewalling of it's subnets in their central routing platform (think: zoned firewalls). There is firewalled access for traffic originating outside their primary /16 network, but that still leaves 65k+ addresses all of which can directly connect to each other. To my knowledge there is little or no IDP or traffic monitoring across segments, although this only helps if you actually segregate your networks at the Layer 2 & Layer 3 level.
Certainly, there's no excuse for an attack which (ostensibly) only affects Windows workstations and servers to mean that VoIP networks should be affected, and indeed it should be possible on any corporate network to leave VoIP up and running, even if there's shared infrastructure.
Finally, you have to wonder how the majority of network connected Windows machines went un-patched.
Just my $0.02, but didn't seem that anyone else was saying it.
whether or not Exeter has any Unix/Linux kit.... I would hope so (students at my Uni are heavily intio ubuntu), but of course taking the whole network offline would also take the non-Windows stuff off as well!
Quite sure there're a few well pissed off Unix users, wondering why they're penalised for the lack of security in other areas!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
