Quarantaine network for infected hosts?

Hani Mustafa hani.mustafa at noorgroup.net
Mon Dec 1 19:03:35 UTC 2003


> I wrote up a quick note on what we do at:
> 	http://www.roxanne.org/~eric/blaster.html

Quote from "Known Issues":

"One of the unfortunate side effects of it is that some spyware/adware either overrides your DNS settings with their own or makes an HTTP call to their website before allowing the browser to download a page normally."

A different way to tackle this problem (instead of the dns views approach), is to do it at a lower level. Something like Cisco's SSG (*) can be used to do the equivalent of DNAT for a specified set of source addresses.

This being a static configuration, I wonder if SSG's original purpose can be used as a solution which does not need DHCP. In this case, all network users would, by default, be redirected to a "verification website" (whatever verification method is used to determine whether this host is infected), after which the user is allowed to pass through the gateway without manipulating the packets IF the box was confirmed clean.

On a separate note, with the complexity of setting up ssg aside, you can easily implement something like this using iptables' REDIRECT target. ("iptables -s -j REDIRECT ..." or something)

~Hani Mustafa

(*) http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/ssgw_ds.htm
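A worked version of the iptables approach sketched in the post above, added here as an example and not part of the original message. It uses DNAT (rather than REDIRECT, which only works when the verification site runs on the gateway itself), and the chain names, the 192.0.2.x client/resolver addresses and the 198.51.100.5 verifier address are placeholders chosen for the example.

```shell
#!/bin/sh
# Quarantine gateway built from iptables rules (added example, not from the
# post). A quarantined host gets its outbound HTTP rewritten to the
# verification website, may still reach its DNS resolver, and has every
# other forwarded packet dropped. Once the host is confirmed clean its rules
# are deleted and it passes through the gateway untouched.
#
# Assumptions: this box is the LAN's default gateway with forwarding on.
# IPT defaults to "echo iptables" so the script just prints the rules it
# would apply; run it with IPT=iptables as root to apply them for real.
IPT="${IPT:-echo iptables}"

# One-time setup: dedicated chains, so quarantine rules can be listed and
# flushed without touching the rest of the firewall policy.
quarantine_setup() {
    $IPT -t nat -N QUARANTINE_NAT
    $IPT -t nat -I PREROUTING -j QUARANTINE_NAT
    $IPT -N QUARANTINE_FWD
    $IPT -I FORWARD -j QUARANTINE_FWD
}

# quarantine_host <client-ip> <verifier-ip> <resolver-ip>
# Only plain HTTP can be captured this way; HTTPS to a rewritten
# destination would fail the certificate check in the browser.
quarantine_host() {
    client="$1"; verifier="$2"; resolver="$3"
    # DNAT: the client's port-80 requests land on the verification site.
    $IPT -t nat -A QUARANTINE_NAT -s "$client" -p tcp --dport 80 \
        -j DNAT --to-destination "$verifier:80"
    # The browser must still resolve names before it ever sends HTTP.
    $IPT -A QUARANTINE_FWD -s "$client" -d "$resolver" -p udp --dport 53 -j ACCEPT
    # FORWARD sees the rewritten destination, so match on the verifier.
    $IPT -A QUARANTINE_FWD -s "$client" -d "$verifier" -p tcp --dport 80 -j ACCEPT
    $IPT -A QUARANTINE_FWD -s "$client" -j DROP
}

# release_host <client-ip> <verifier-ip> <resolver-ip>: host confirmed clean.
release_host() {
    client="$1"; verifier="$2"; resolver="$3"
    $IPT -t nat -D QUARANTINE_NAT -s "$client" -p tcp --dport 80 \
        -j DNAT --to-destination "$verifier:80"
    $IPT -D QUARANTINE_FWD -s "$client" -d "$resolver" -p udp --dport 53 -j ACCEPT
    $IPT -D QUARANTINE_FWD -s "$client" -d "$verifier" -p tcp --dport 80 -j ACCEPT
    $IPT -D QUARANTINE_FWD -s "$client" -j DROP
}

# Demo with constructed addresses: print the rules for one quarantined host.
quarantine_setup
quarantine_host 192.0.2.10 198.51.100.5 192.0.2.1
```

Because the DNAT happens in PREROUTING, the FORWARD rules match on the rewritten destination, which is why the ACCEPT rule names the verifier rather than the site the host originally asked for.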

More information about the NANOG mailing list