Quarantine your infected users spreading malware

Frank Bulk frnkblk at iname.com
Tue Feb 21 01:30:39 UTC 2006

We're one of those user/broadband ISPs, and I have to agree with the other
commentary that to set up an appropriate filtering system (either user,
port, or conversation) across all our internet access platforms would be
difficult.  Put it on the edge and you miss the intra-net traffic, put it in
the core and you need a box on every router, which for a larger or
graphically distributed ISPs could be cost-prohibitive.

In relation to that ThreatNet model, we just could wish there was a place we
could quickly and accurately aggregate information about the bad things our
users are doing -- a combination of RBL listings, [email protected], SenderBase,
MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
system in place, and even if we did, I'm afraid our work would still be very

And for the record, we are one of those ISPs that blocks ports 139 and 445
on our DSLAM and CMTS, and we've not received one complaint, but I'm
confident it has cut down on a host of infections.


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Gadi
Sent: Monday, February 20, 2006 3:41 PM
To: nanog at merit.edu
Subject: Quarantine your infected users spreading malware

Many ISP's who do care about issues such as worms, infected users "spreading
the love", etc. simply do not have the man-power to handle all their
infected users' population.

It is becoming more and more obvious that the answer may not be at the ISP's
doorstep, but the ISP's are indeed a critical part of the solution. What
their eventual role in user safety will be I can only guess, but it is clear
(to me) that this subject is going to become a lot "hotter" in coming years.

Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average
user) is your biggest risk to the Internet today, and how to fix the user
non of us have a good idea quite yet. Especially since it's not quite one as
I put in an Heinlein quote below.

Some who are user/broadband ISP's (not say, tier-1 and tier-2's who would be
against it: "don't be the Internet's Firewall") are blocking ports such as
139 and 445 for a long time now, successfully preventing many of their users
from becoming infected. This is also an excellent first step for responding
to relevant outbreaks and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as well. Plus, should
this even be done?

One of them has been around for a while, but just now begins to mature: 
Quarantining your users.

Infected users quarantine may sound a bit harsh, but consider; if a user is
indeed infected and does "spread the joy" on your network as well as
others', and you could simply firewall him (or her) out of the world (VLAN,
other solutions which may be far better) letting him (or her) go only to a
web page explaining the problem to them, it's pretty nifty.

As many of us know, handling such users on tech support is not very
cost-effective to ISP's, as if a user makes a call the ISP already losses
money on that user. Than again, paying abuse desk personnel just so that
they can disconnect your users is losing money too.

Which one would you prefer?

Jose (Nazario) points to many interesting papers on the subject on his
blog: http://www.wormblog.com/papers/

Is it the ISP's place to do this? Should the ISP do this? Does the ISP have
a right to do this?

If the ISP is nice enough to do it, and users know the ISP might. Why not?

This (as well as port blocking) is more true for organizations other than
ISP's, but if they are indeed user/broadband ISP's, I see this as both the
effective and the ethical thing to do if the users are notified this might
happen when they sign their contracts. Then all the "don't be the Internet's
firewall" debate goes away.

I respect the "don't be the Internet's firewall issue", not only for the
sake of the cause but also because friends such as Steven Bellovin and other
believe in them a lot more strongly than I do. Bigger issues such as the
safety of the Internet exist now. That doesn't mean user rights are to be
ignored, but certainly so shouldn't ours, especially if these are mostly

I believe both are good and necessary solutions, but every organization
needs to choose what is best for it, rather than follow some pre-determined
blueprint. What's good for one may be horrible for another.

"You don't approve? Well too bad, we're in this for the species boys and
girls. It's simple numbers, they have more and every day I have to make
decisions that send hundreds of people, like you, to their deaths." -- Carl
Jenkins, Starship Trooper, the movie.
I don't think the second part of the quote is quite right (to say the
least), but I felt bad leaving it out, it's Heinlein after all... anyone who
claims he is a fascist though will have to deal with me. :) This isn't only
about users, it's about the bad guys and how they out-number us, too. They
have far better cooperation to boot.

There are several such products around and they have been discussed here on
NANOG before, but I haven't tried them myself as of yet, so I can't really
recommend any of them. Can you?

I'll update on these as I find out more on: http://blogs.securiteam.com

This write-up can be found here: 



"Out of the box is where I live".
	-- Cara "Starbuck" Thrace, Battlestar Galactica.

More information about the NANOG mailing list