We got so sick of dealing with Nachi that we stepped up deployment of a uRPF-based blackhole routing system campus wide. Now when the flows show something abnormal, we just blackhole the offending computer and auto-generate an email to the admins of that IP space, then send them auto nag-grams every day or two to remind them the IP is still blocked. Once we get word that they've done something, the IP is removed.

Using uRPF in this manner has REALLY made it easy to surgically remove compromised hosts without having to use ACLs or turn off entire department interfaces. We developed a web-based front end to allow IPs to be added and removed easily, along with space to enter some notes regarding the action where you can paste in flow information and the like.

Education only works so far. Sooner or later you just need a big clue-by-four. What I love is when departments (against campus policy) install giant NAT firewalls and so, of course, we block the NATted IP and invariably kill 20 or 30 machines behind it.

On Fri, 7 Nov 2003, Sean Donelan wrote:
> Almost half of all student computers on Dartmouth's campus have been infected by the Nachi/Welchia worm. If students do not fix their computers by November 11 (nearly four months after Microsoft released the original patch), Dartmouth will turn off the student's network access.
>
> http://www.thedartmouth.com/article.php?aid=2003110701020
>
> Has anyone figured out a way to get computer users to fix their computers other than fixing the computer for them?
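An added example of the quarantine mechanism described in the reply above (not configuration from the original post): uRPF loose mode on the host-facing interfaces plus a /32 to Null0 for each blackholed host. Cisco IOS syntax is assumed, since the post does not name a platform, and the interface name and 192.0.2.45 (RFC 5737 documentation range) are placeholders.

```cisco
! Added example, not from the original post. IOS syntax is an assumption.
!
! 1. Loose-mode uRPF on the interfaces that face campus hosts.
!    "reachable-via any" only requires that a route for the packet's
!    source address exists and does not point at Null0, so asymmetric
!    routing inside the campus keeps working (strict mode would not).
interface GigabitEthernet1/1
 description Campus distribution uplink (placeholder interface)
 ip verify unicast source reachable-via any
!
! Do not answer blackholed traffic with ICMP unreachables.
interface Null0
 no ip unreachables
!
! 2. Quarantine a compromised host: a /32 pointed at Null0.
!    Packets *sourced* from 192.0.2.45 now fail the uRPF check on the
!    interfaces above and are dropped; packets *destined* to it are
!    discarded by the route itself. No ACL edits, no interface shutdown.
!    192.0.2.45 is a placeholder address.
ip route 192.0.2.45 255.255.255.255 Null0
!
! 3. Release the host once its admins confirm it has been cleaned.
no ip route 192.0.2.45 255.255.255.255 Null0
```

As the post notes, if 192.0.2.45 is the public side of a departmental NAT box, step 2 cuts off every host behind it, so the flow data pasted into the ticket is worth checking for NAT signs before blackholing.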