There has been degraded off campus Internet network connectivity for the UBC Vancouver site since Tuesday December 30, 2008. The cause appears to be from hundreds of MS Windows computers on campus which became infected with a worm (W32.Downadup) around this time. The effect of the worm is that the infected hosts are continually scanning on TCP port 445. This port is blocked for most of the campus networks with filters at the border routers on a per network basis. Department network administrators add this as part of the Ã¢â‚¬Ëœborder-block-smbÃ¢â‚¬â„¢ filter (includes TCP port 445 for NETBIOS services) through the Transmogrifier. The sheer volume of the scanning traffic and the size of the filters is overwhelming the physical capabilities of the Internet border routers. This causes the routers to drop network traffic which has manifested in noticeably degraded off campus Internet network connectivity.
The worm is an exploit of MS Windows RPC (MS08-067) which was patched in October by Microsoft.
There has been degraded off campus Internet network connectivity for the UBC Vancouver site during this time. ResNet and UBC Okanagan services have not been affected by this incident.
As of 17:00 Sunday, January 4 2009, all NETBIOS traffic will be dropped at the border routers (includes UDP and TCP ports 42, 135, 137, 138, 139, and 445). This is already in place for the majority of networks and must be extended to all of the networks to restore Internet connectivity for the campus.
Departments may have some applications relying on NETBIOS services. If so, the block can be removed for specific networks which require it. Department network administrators, please forward incident reports after 17:00 January 4 to the NOC (firstname.lastname@example.org) for follow up.
The W32.Downadup worm appears to be detected by Sophos. Please confirm that your department hosts have current MS Windows patches and Sophos updates. Questions and reports on IT security issues can be sent to email@example.com.
The NMC will be following up on Monday January 5th directly with department administrators for which we have detected an infected system.
Following are references on this exploit.