December 15, 2005
Catching Sasser and Zotob at InteropNET with Network Physics
Dwight Barker, Director of Product Management at Network Physics, shared with me today his story of looking for virus attacks across InteropNET. Dwight is part of the volunteer NOC team and has been busy the past few days tracking every TCP flow from beginning to end across the network. Using the Network Physics MP2000 appliance running the Netsensory OS, he's been able to time stamp key metrics for each flow along the way and so pick out failed connections and potential viruses.
Many of the machines on the InteropNET, including the servers on InteropNET itself and the laptops exhibitors and attendees bring to the show, normally sit behind firewalls and virus scanning systems on their home networks. When these machines connect to the network at Interop they are on the public Internet without any of that protection, and are vulnerable to attack.
Worms like Zotob, Blaster and Sasser exploit well-known Windows RPC and SMB services listening on ports 135, 139 and 445 on both servers and clients (Blaster hit the DCOM RPC service on 135; Sasser and Zotob hit LSASS and Plug and Play over 445). Once a worm is running on a system it really only knows its own IP address, so it starts its attack by blasting connection attempts at any and all nearby addresses, working through its own subnet and the neighbouring ones. Most of those addresses are unused or not listening, so the tell-tale sign is a single source piling up failed connection attempts.
In Dwight's case today he noticed a suspect with address 130.128.80.60 attempting, and failing, connections to many addresses in 130.128.x.x. He was able to use one of the built-in templates, or what the company calls "Insights", to look for and chart extreme spikes in attempted connections.
Each of the show booths at Interop is assigned a business group in the Network Physics system by IP address, so the spikes can be viewed by exhibitor. Dwight can aggregate the failed connections over time and catch the spikes that indicate a denial of service attack or a vulnerability attack. In one case a single IP was flooding the network on port 135. The offending IP address turned out to be a laptop in a vendor booth infected with the Sasser worm. The InteropNET team tracked down the booth by IP address and, to the exhibitor's surprise, showed up to find the specific laptop and clean it.
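The detection Dwight describes comes down to counting failed connection attempts per source host per time window on the worm ports, and then mapping the source back to a booth. The script below is an added illustration of that logic, not Network Physics or Netsensory code: the flow records, booth-to-network map and thresholds are all constructed for the example, and it goes one step further than the post by separating a worm-style scan (many failed attempts to many distinct targets) from a flood aimed at a single host.

```python
"""Flag hosts spraying failed connection attempts at Windows RPC/SMB ports.

Added example. The flows, the booth map and the thresholds are constructed
to resemble the pattern described in the post; nothing here is the vendor's
own code or data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WORM_PORTS = {135, 139, 445}   # DCOM RPC, NetBIOS session, SMB/LSASS
WINDOW_SECONDS = 60            # aggregation window (assumed)
FAILED_THRESHOLD = 20          # failed attempts per source per window (assumed)
SPREAD_THRESHOLD = 10          # distinct targets that make it a scan, not a flood (assumed)

# Constructed booth assignment by IP range, standing in for the "business groups".
BOOTH_BY_NETWORK = {
    ip_network("130.128.80.0/24"): "Booth A (constructed)",
    ip_network("130.128.90.0/24"): "Booth B (constructed)",
}


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since start of capture, time of the first SYN
    src: str
    dst: str
    dport: int
    completed: bool    # True if the TCP three-way handshake completed


def booth_for(ip: str) -> str:
    addr = ip_address(ip)
    for net, name in BOOTH_BY_NETWORK.items():
        if addr in net:
            return name
    return "unassigned"


def failed_attempts(flows, ports=WORM_PORTS, window=WINDOW_SECONDS):
    """Bucket failed attempts by (source, window start, port): count and distinct targets."""
    buckets = defaultdict(lambda: {"count": 0, "targets": set()})
    for f in flows:
        if f.completed or f.dport not in ports:
            continue
        key = (f.src, int(f.ts // window) * window, f.dport)
        buckets[key]["count"] += 1
        buckets[key]["targets"].add(f.dst)
    return buckets


def detect(flows, failed_threshold=FAILED_THRESHOLD, spread_threshold=SPREAD_THRESHOLD):
    """Return one alert per (source, window, port) whose failures cross the threshold."""
    alerts = []
    for (src, start, port), b in sorted(failed_attempts(flows).items()):
        if b["count"] < failed_threshold:
            continue
        kind = "worm-style scan" if len(b["targets"]) >= spread_threshold else "flood of one host"
        alerts.append({
            "src": src, "booth": booth_for(src), "window_start": start, "dport": port,
            "failed": b["count"], "targets": len(b["targets"]), "kind": kind,
        })
    return alerts


def sample_flows():
    """Constructed flow records: one scanning laptop, one flooder, one benign host."""
    flows = []
    # Infected laptop sweeping 130.128.1.x on port 135; no handshake ever completes.
    for i in range(1, 41):
        flows.append(Flow(ts=i, src="130.128.80.60", dst=f"130.128.1.{i}", dport=135, completed=False))
    # A different host hammering a single target on 445: a flood, not a sweep.
    for i in range(25):
        flows.append(Flow(ts=10 + i, src="130.128.90.5", dst="130.128.2.2", dport=445, completed=False))
    # Benign neighbour: normal SMB sessions that complete, plus two stray failures.
    for i in range(5):
        flows.append(Flow(ts=5 + i, src="130.128.80.61", dst="130.128.3.10", dport=445, completed=True))
    flows.append(Flow(ts=7, src="130.128.80.61", dst="130.128.3.11", dport=139, completed=False))
    flows.append(Flow(ts=8, src="130.128.80.61", dst="130.128.3.12", dport=139, completed=False))
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

Run as-is it prints two alerts: the 130.128.80.60 sweep (40 failures to 40 targets on 135, attributed to Booth A) and the 130.128.90.5 flood (25 failures to one target on 445), while the benign host with two failed attempts stays below the threshold. On a real feed the same keying by source, window and port is what turns a raw flow table into the per-exhibitor spike chart described above; tune the two thresholds to the show's baseline rather than keeping the constructed values.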
Over the course of two days, the InteropNET team caught five infected machines this way and walked the aisles to clean them.
Posted by Michael Baum on December 15, 2005 07:03 PM