CodeRed notification problems
From: Martin, James E. (martin@more.net)
Date: 07/30/01
Message-ID: <D6F9BFB17375D3118C59006094516E99097A5B34@um-mail02b.umsystem.edu>
From: "Martin, James E." <martin@more.net>
To: SECURITY-BASICS <SECURITY-BASICS@securityfocus.com>
Subject: CodeRed notification problems
Date: Mon, 30 Jul 2001 13:34:40 -0500

Folks,

We're an educational backbone ISP for Missouri public education,
libraries and government, with well over two million downstream users
at 1100 sites. We provide a connection to an edge device, but rarely
have anything to do with local authentication and access aside from
policy.

We've received notices from a couple of network security related
groups over the last week, each providing a list of 10-30 machines
supposedly infected with Code Red. On investigation, less than 30%
are accurate in that they are vulnerable. Some are not even running
Windows, let alone the indexing service.

As our downstream frequently makes use of DHCP and NAT, without a
time/date stamp any complaint regarding these networks is worth very
little. The issue of whether it's a good thing to run servers back
there is a separate issue with each of our customers. There's simply
no way to correlate with logs.

One of the most basic rules of thumb of security event response is
that some level of verification should always accompany a complaint.
None of these authorities have included a time/date stamp of the
scan.

Considering the questionable accuracy of the detection tools as well
as of the complaints, how are others with dynamic addressing handling
the problem?

Thanks!

Jim
========================================
James E. Martin
MOREnet Network Security Coordinator
========================================
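
The correlation problem raised in the message above, shown as an added example that is not part of the original post: it matches a reported address against a DHCP lease history with and without a timestamp. The lease records, addresses, MACs and function names are constructed for illustration, and only the DHCP case is covered, not NAT.

```python
from datetime import datetime, timezone

# Constructed lease history (documentation address and MAC ranges).
# Fields: address, client MAC, lease start, lease end (all UTC).
LEASES = [
    ("192.0.2.45", "00:00:5e:00:53:01", "2001-07-19T08:00:00+00:00", "2001-07-19T16:00:00+00:00"),
    ("192.0.2.45", "00:00:5e:00:53:02", "2001-07-19T16:05:00+00:00", "2001-07-20T00:05:00+00:00"),
    ("192.0.2.45", "00:00:5e:00:53:03", "2001-07-20T00:30:00+00:00", "2001-07-20T08:30:00+00:00"),
    ("192.0.2.77", "00:00:5e:00:53:04", "2001-07-19T00:00:00+00:00", "2001-07-21T00:00:00+00:00"),
]

def parse_utc(stamp):
    """Parse an ISO 8601 timestamp; refuse one without a UTC offset."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no time zone: " + stamp)
    return parsed.astimezone(timezone.utc)

def candidates(leases, address, seen_at=None):
    """Return the MACs that could be the reported host.

    With seen_at, only a lease covering that instant matches.
    Without it, every client that held the address is a candidate.
    """
    when = parse_utc(seen_at) if seen_at else None
    found = []
    for ip, mac, start, end in leases:
        if ip != address:
            continue
        if when is None or parse_utc(start) <= when < parse_utc(end):
            if mac not in found:
                found.append(mac)
    return found

def triage(leases, address, seen_at=None):
    """Classify a complaint against the retained lease log."""
    hosts = candidates(leases, address, seen_at)
    if len(hosts) == 1:
        return "actionable", hosts
    return ("ambiguous" if hosts else "no-match"), hosts

if __name__ == "__main__":
    print(triage(LEASES, "192.0.2.45"))                               # no timestamp
    print(triage(LEASES, "192.0.2.45", "2001-07-19T17:30:00-05:00"))  # with offset
```

A report whose timestamp carries no UTC offset is rejected by `parse_utc`, since a few hours of uncertainty is enough to land on a different lease.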