Quarantine your infected users spreading malware

Bill Nash billn at odyssey.billn.net
Mon Feb 20 23:20:06 UTC 2006

On Tue, 21 Feb 2006, Gadi Evron wrote:

>>> Many ISPs who do care about issues such as worms, infected users 
>>> "spreading the love", etc. simply do not have the man-power to handle all 
>>> their infected users' population.
>> The ISPs will be a part of the solution.  However, ISPs fall into two major
>> categories:
>> 1) The ones that read the types of lists that you posted this to
>> 2) The ones that have the problem.
>> You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
>> solution for, it's *that* problem.  How do you get the unwashed masses of 
>> ISPs to join the choir so you can preach to them?
> What products that answer this are out there, and how good, in your 
> experience, are they?
> We discussed this here before inconclusively and stayed on philosophy; 
> does anyone have new experience on the subject?

Let's be clear in what we're addressing. Are we talking about an en masse 
quarantine of IP addresses sending the worm traffic, or identifying the 
C&C<->payload conversations and applying blocks accordingly?

Where are the anti-virus and software firewall vendors in this 
conversation? To be plain, this obviously isn't a problem you can solve 
with some border filters. The complexity, and fallout, from trying to put 
those kinds of filtering in is just too great. It's cumbersome to manage 
manually and the operational impact is too great.

If we're going to philosophize about solutions, let's throw some ideas 
out. Where do concepts like ThreatNet fit into this notion? 
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet 
is to establish a closed threat sharing network with trusted peers, 
sharing information about malcontents doing things on your network that 
they shouldn't be. If you can positively identify SSH brute force sources, 
port scan patterns, worm traffic, spam sources, etc, and report them to 
trusted peers in a collaborative fashion, it becomes easier to support 
intelligent and rapid traffic filtering concepts in your network designs, 
where appropriate, even if it's something as simple as putting together a 
business case for filtering entire netblocks or regions. (Yes, I write my 
own analyzers, and yes, I'm involved peripherally with this project.) 
ThreatNet is still pretty nascent, but conceptually it's got merit.

I'll bring up MainNerve again since they're the only vendor I've worked 
with that's got tools for selectively filtering known troublemakers.

As a potential solution, I bring both of these items up because they 
provide the ability to take good, distributed intelligence gathering and 
apply them to your network in a precision manner, if at all, in accordance 
with any unique policies you may have. The problem, as I see it, is that 
even if one ISP sees the bad behaviour, there's no communication amongst 
the community (that I can see) to relay or collate the history. It's like 
playing Mom off against Dad because they never talk to each other. For 
coming up with clear patterns of abuse and shenanigans, we're suffering 
from collective myopia because we're ignoring an aspect of our favorite 
big ass communications medium.

Or I'm completely off base, in which case tell me to shut up and I'll go 
back into my code coma.

- billn
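The workflow sketched above (identify abusers from your own logs, share them with a closed set of trusted peers, collate what the peers report, and then decide locally whether and how to filter) can be shown end to end in a small script. The following is an added example written for this archive page; it is not ThreatNet's code or MainNerve's, and the report record layout, the peer names (isp-a, isp-b, isp-c), the sshd log lines and the peer reports are all constructed for illustration. The policy it encodes is one reasonable reading of "apply intelligence in a precision manner, in accordance with your own policies": block a source if you saw it yourself, or if at least two trusted peers independently reported it, and roll individual offenders up into /24s only when more than one host in the block is implicated.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sshd log lines (TEST-NET addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Feb 20 22:01:11 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Feb 20 22:01:13 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41023 ssh2
Feb 20 22:01:15 gw sshd[1201]: Failed password for root from 203.0.113.7 port 41024 ssh2
Feb 20 22:01:16 gw sshd[1201]: Failed password for root from 203.0.113.7 port 41025 ssh2
Feb 20 22:01:18 gw sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 41026 ssh2
Feb 20 22:05:40 gw sshd[1300]: Failed password for bob from 198.51.100.20 port 50000 ssh2
Feb 20 22:05:55 gw sshd[1301]: Accepted password for bob from 198.51.100.20 port 50001 ssh2
Feb 20 22:07:02 gw sshd[1350]: Failed password for invalid user oracle from 203.0.113.99 port 33000 ssh2
Feb 20 22:07:03 gw sshd[1350]: Failed password for invalid user oracle from 203.0.113.99 port 33001 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")


def find_brute_force_sources(log_text, threshold=5):
    """Local analyzer: return {ip: failures} for sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def make_report(peer, sources, category="ssh-bruteforce"):
    """Build the records this peer would share (hypothetical record layout)."""
    return [{"peer": peer, "ip": ip, "category": category, "count": n}
            for ip, n in sorted(sources.items())]


def collate(reports, trusted_peers):
    """Merge reports from trusted peers only: {ip: {category: set(peers)}}.
    Reports from peers outside the closed trust set are dropped, so a
    stranger cannot get an address blocked just by reporting it."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in reports:
        if r["peer"] not in trusted_peers:
            continue
        seen[r["ip"]][r["category"]].add(r["peer"])
    return seen


def decide_filters(collated, local_sources, min_peers=2):
    """Local policy: block an IP we observed ourselves, or one that at least
    min_peers distinct trusted peers reported (in any category)."""
    blocked = set()
    for ip, cats in collated.items():
        peers = set().union(*cats.values())
        if ip in local_sources or len(peers) >= min_peers:
            blocked.add(ip)
    return blocked


def aggregate_netblocks(ips, prefix_len=24, min_hosts=2):
    """Roll offenders up into prefixes: the raw material for a business case
    to filter a whole netblock rather than a list of single hosts."""
    blocks = defaultdict(set)
    for ip in ips:
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        blocks[str(net)].add(ip)
    return {net: sorted(hosts) for net, hosts in blocks.items()
            if len(hosts) >= min_hosts}


def demo():
    """Run the whole pipeline on the constructed data; returns (blocked, blocks)."""
    local = find_brute_force_sources(SAMPLE_AUTH_LOG, threshold=5)
    my_report = make_report("isp-a", local)
    # Constructed reports arriving from peers; "unknown" is not in our trust set.
    peer_reports = [
        {"peer": "isp-b", "ip": "203.0.113.99", "category": "ssh-bruteforce", "count": 40},
        {"peer": "isp-c", "ip": "203.0.113.99", "category": "portscan", "count": 12},
        {"peer": "isp-b", "ip": "192.0.2.50", "category": "spam", "count": 3},
        {"peer": "unknown", "ip": "198.51.100.20", "category": "ssh-bruteforce", "count": 99},
    ]
    collated = collate(my_report + peer_reports,
                       trusted_peers={"isp-a", "isp-b", "isp-c"})
    blocked = decide_filters(collated, local, min_peers=2)
    return blocked, aggregate_netblocks(blocked)


if __name__ == "__main__":
    print(demo())
```

On the constructed data, 203.0.113.7 is blocked because the local analyzer saw five failures; 203.0.113.99 only managed two failures locally, below the threshold, but two trusted peers reported it (one for brute force, one for scanning), so the collated view blocks it; 192.0.2.50 has a single report and stays open; and the report from the untrusted peer is discarded entirely. Both blocked hosts fall in 203.0.113.0/24, which is exactly the kind of pattern that is invisible to any one ISP looking only at its own logs.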
