Response to Virus/Worm Attacks
August 15, 2001
In the past few months, Tufts, like most universities, has been hit by an increasing number of computer viruses and worms (e.g. SirCam, CodeRed, and Nimda). This upsurge, combined with our current system of contacting the owners of these machines, has ended up prolonging the problem and increasing the scope of infections.
Our policy has always been to take infected computers off the network, but until now we have attempted to contact owners first via phone or email to explain the situation. This often results in significant delays, and in many cases the user never responds, prompting us to take the machine off the network without his or her knowledge. This creates confusion all around as the owner and support staff attempt to trouble-shoot the connection. To resolve this situation, and provide a common source of information for infected machines, UIT will be modifying its response to worm infected machines. The changes involve several phases described below. Phase one will be implemented immediately while phases two and three will require more time and are subject to modification as we move forward with their technical implementation.
Phase 1:
Infected machines that pose a threat to the Tufts network will have their DHCP class changed from Staff, Student, or Public to Restricted and will be issued an IP address in the 172.18.0.0 netblock in overlays matching their 130.64.0.0 subnets. Much as our Pelican registration process "forces" clients to go to our registration page, the Restricted clients will be "forced" to a web page which explains that they have been blocked from using the network and provides support contact information.
Phase 2:
A Web page within the IPDB will be created to list which MAC addresses have been set to Restricted and the reason for restricting them. Until this is complete you can still do a search for any given MAC address to ascertain what its class is currently set to.
Phase 3:
The page, which the Restricted client is sent to, will contain information on why they have been restricted and provide contact information for support. This page will be personalized on a per-client basis to inform the user exactly why that machine has been restricted.
