Quarantine your infected users spreading malware

Bill Nash billn at odyssey.billn.net
Tue Feb 21 00:02:22 UTC 2006

While i'm not being told to shut up because this is off topic (yet), I'm 
going to suggest that people interested in continuing this conversation 
contact me off list and coordinate something ad hoc. The amount of 
bullshit I've already recieved in response to thinking that this has 
operational merit when it comes to mitigating both risk and effects is 
pretty astounding, even by nanog standards.


- billn

On Mon, 20 Feb 2006, Bill Nash wrote:

> On Tue, 21 Feb 2006, Gadi Evron wrote:
>>>> Many ISP's who do care about issues such as worms, infected users 
>>>> "spreading the love", etc. simply do not have the man-power to handle all 
>>>> their infected users' population.
>>> The ISPs will be a part of the solution.  However, ISPs fall into two 
>>> major
>>> categories:
>>> 1) The ones that read the types of lists that you posted this to
>>> 2) The ones that have the problem.
>>> You're preaching to the choir, Gadi - and if there's *one* thing I'd like 
>>> a
>>> solution for, it's *that* problem.  How do you get the unwashed masses of 
>>> ISPs
>>> to join the choir so you can preach to them?
>> What products that answer this are out there, and how good, in your 
>> experience, are they?
>> We discussed this here before non-conclusively and stayed on philosophy, 
>> anyone has new experience on the subject?
> Let's be clear in what we're addressing. Are we talking about an en masse 
> quarantine of IP addresses sending the worm traffic, or identifying the 
> C&C<->payload conversations and applying blocks accordingly?
> Where are the anti-virus and software firewall vendors in this conversation? 
> To be plain, this obviously isn't a problem you can solve with some border 
> filters. The complexity, and fallout, from trying to put those kinds of 
> filtering in is just too great. It's cumbersome to manage manually and 
> operational impact is too great.
> If we're going to philosophize about solutions, let's throw some ideas out. 
> Where do concepts like ThreatNet fit into this notion? 
> (http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet is 
> to establish a closed threat sharing network with trusted peers, sharing 
> information about malcontents doing things on your network that they 
> shouldn't be. If you can positively identify SSH brute force sources, port 
> scan patterns, worm traffic, spam sources, etc, and report them to trusted 
> peers in a collaborative fashion, it becomes easier to support intelligent 
> and rapid traffic filtering concepts in your network designs, where 
> appropriate, even if it's something as simple as putting together a business 
> case for filtering entire netblocks or regions. (Yes, I write my own 
> analyzers, and yes, I'm involved peripherally with this project.) ThreatNet 
> is still pretty nascent, but conceptually it's got merit.
> I'll bring up MainNerve again since they're the only vendor I've worked with 
> that's got tools for selectively filtering known troublemakers.
> As a potential solution, I bring both of these items up because they provide 
> the ability to take good, distributed intelligence gathering and apply them 
> to your network in a precision manner, if at all, in accordance with any 
> unique policies you may have. The problem, as I see it, is that even if one 
> ISP sees the bad behaviour, there's no communication amongst the community 
> (that I can see) to relay or collate the history. It's like playing Mom off 
> against Dad because they never talk to each other. For coming up with clear 
> patterns of abuse and shenanigans, we're suffering from collective myopia 
> because we're ignoring an aspect of of our favorite big ass communications 
> medium.
> Or I'm completely off base, in which case tell me to shut up and I'll go back 
> into my code coma.
> - billn

More information about the NANOG mailing list