Quarantine your infected users spreading malware

Frank Bulk frnkblk at iname.com
Tue Feb 21 01:45:06 UTC 2006

-----Original Message-----
From: Gadi Evron [mailto:ge at linuxbox.org] 
Sent: Monday, February 20, 2006 7:35 PM
To: frnkblk at iname.com
Cc: nanog at merit.edu
Subject: Re: Quarantine your infected users spreading malware

Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the 
> other commentary that to set up an appropriate filtering system 
> (either user, port, or conversation) across all our internet access 
> platforms would be difficult.  Put it on the edge and you miss the 
> intra-net traffic, put it in the core and you need a box on every 
> router, which for a larger or geographically distributed ISP could be
> cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk who
are of the malware-sort rather than bad people? Can these be put in a
specific group?

FB> Most of the repeat offenders tend to be people who lack the ability to
choose websites judiciously, to put it kindly.  But when we encourage them to
get a pop-up blocker, update their antivirus (either the whole program or
definitions), and install a firewall (Windows XP or cheap NAT router), the
problem usually fades away.  Most "just didn't know" that their computer was
spewing forth spam or viruses, being used as a proxy, or part of some kind
of botnet.

> In relation to that ThreatNet model, we just could wish there was a 
> place we could quickly and accurately aggregate information about the 
> bad things our users are doing -- a combination of RBL listings, 
> abuse@, SenderBase, MyNetWatchman, etc.  We don't have our own traffic 
> monitoring and analysis system in place, and even if we did, I'm 
> afraid our work would still be very reactionary.
> 
> And for the record, we are one of those ISPs that blocks ports 139 and 
> 445 on our DSLAM and CMTS, and we've not received one complaint, but 
> I'm confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?

FB> We don't look at the logs for entries regarding ports 139/445, but when
we last looked it was a few unique IP addresses per day.  And due to our size,
we have no idea how much it reduced abuse reports.  It's been in place for
several years.

> 
> Frank

	Gadi.
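Frank mentions only occasionally looking at the 139/445 log entries and seeing a few unique IP addresses per day. As an added illustration that is not part of this thread, the script below shows how an operator could count those sources per day from ACL deny logs and flag addresses that recur across days, which is the "repeat offender" group Gadi asks about; the log line format, hostnames and addresses are constructed assumptions, not any vendor's actual syslog format.

```python
import re
from collections import defaultdict

# Constructed sample of ACL deny log lines in a hypothetical syslog-like format;
# not real data and not any vendor's exact output.
SAMPLE_LOG = """\
Feb 20 03:12:01 edge1 acl: DENY tcp 10.0.7.15:1037 -> 192.0.2.40:445
Feb 20 03:12:04 edge1 acl: DENY tcp 10.0.7.15:1038 -> 192.0.2.41:445
Feb 20 09:44:19 edge1 acl: DENY tcp 10.0.9.201:2511 -> 198.51.100.9:139
Feb 20 11:02:55 edge1 acl: DENY tcp 10.0.3.8:3390 -> 198.51.100.77:80
Feb 21 00:05:10 edge1 acl: DENY tcp 10.0.7.15:1101 -> 192.0.2.55:445
Feb 21 07:30:42 edge1 acl: DENY tcp 10.0.12.66:4001 -> 203.0.113.2:139
Feb 21 07:31:00 edge1 acl: DENY tcp 10.0.12.66:4002 -> 203.0.113.3:139
"""

# Matches the constructed format above: "<Mon> <DD> <time> <host> acl: DENY tcp src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) \S+ \S+ acl: DENY tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(?P<dport>\d+)$"
)
SMB_PORTS = {"139", "445"}  # the ports blocked on the DSLAM/CMTS in the thread


def unique_sources_per_day(log_text):
    """Map 'Mon DD' -> set of customer source IPs denied on 139/445 that day."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") not in SMB_PORTS:
            continue  # skip unparseable lines and denies for other ports
        per_day[f"{m.group('mon')} {m.group('day')}"].add(m.group("src"))
    return dict(per_day)


def repeat_offenders(per_day, min_days=2):
    """Source IPs seen on at least min_days distinct days: candidates for follow-up."""
    days_seen = defaultdict(int)
    for sources in per_day.values():
        for src in sources:
            days_seen[src] += 1
    return sorted(src for src, n in days_seen.items() if n >= min_days)


if __name__ == "__main__":
    summary = unique_sources_per_day(SAMPLE_LOG)
    for day, srcs in sorted(summary.items()):
        print(f"{day}: {len(srcs)} unique source IPs -> {sorted(srcs)}")
    print("repeat offenders:", repeat_offenders(summary))
```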