Quarantine your infected users spreading malware
Gadi Evron
ge at linuxbox.org
Tue Feb 21 01:35:03 UTC 2006
Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the other
> commentary that to set up an appropriate filtering system (either user,
> port, or conversation) across all our internet access platforms would be
> difficult. Put it on the edge and you miss the intra-net traffic, put it in
> the core and you need a box on every router, which for a larger or
> geographically distributed ISP could be cost-prohibitive.
I have a question here: do you have repeat offenders in your abuse desk
who are of the malware-sort rather than bad people? Can these be put in
a specific group?
> In relation to that ThreatNet model, we just could wish there was a place we
> could quickly and accurately aggregate information about the bad things our
> users are doing -- a combination of RBL listings, abuse@, SenderBase,
> MyNetWatchman, etc. We don't have our own traffic monitoring and analysis
> system in place, and even if we did, I'm afraid our work would still be very
> reactionary.
>
> And for the record, we are one of those ISPs that blocks ports 139 and 445
> on our DSLAM and CMTS, and we've not received one complaint, but I'm
> confident it has cut down on a host of infections.
Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?
Thanks!
>
> Frank
Gadi.