Tool blocks NSW Uni worm infestations

An internally developed tool called bumpety has proved very effective in detecting worm traffic at the University of New South Wales School of Computer Science and Engineering, but social issues have been a barrier to eliminating the cause, computing support officer Peter Linich told the Digital Pests Symposium organised by AUUG (Australian Unix and Open Systems Users Group)."Policy is a big issue," said Linich.

An internally developed tool called bumpety has proved very effective in detecting worm traffic at the University of New South Wales School of Computer Science and Engineering, but social issues have been a barrier to eliminating the cause, computing support officer Peter Linich told the Digital Pests Symposium organised by AUUG (Australian Unix and Open Systems Users Group).

"Policy is a big issue," said Linich. The School takes a hard line with users of its internal networks, and a system is disconnected immediately any infection is detected until its owner says it has been disinfected and patched. After a third disconnection, the owner must demonstrate that the hard disk has been reformatted, the operating system reinstalled and all patched before reconnection.

The School has adopted a 'good neighbour' policy in terms of ensuring that its systems do not impinge on other parts of the University and expects the same in return, even though bumpety tells the School's firewall to block traffic from infected hosts. Traffic is automatically unblocked when the worm traffic ceases. Unfortunately, some systems administrators outside the School do not act on the notifications generated by bumpety. Part of the problem is that the University's service desk staff are not appropriately skilled to deal with the issue, and no complete and current list of contacts for each computer exists. The School has partially overcome this by setting up a mailing list for system administrators -- by joining the list, they can see all bumpety notifications without waiting for them to trickle down through official channels.

Another aspect is that management often does not understand the seriousness of such security lapses. Linich suggests complainants keep a stake in the problem by repeating "our computers are being attacked -- do something!" often and indignantly until some action is taken. "Eventually, I have found, it wears them down," he said.

Before bumpety was created, 82 percent of TCP connections coming into the School were infection attempts, most of them originating on campus. New infections have fallen from up to 40 per day to between one and four, mostly involving wireless subnetworks, which Linich described as "festering cesspools of infection".

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All