Quarantine your infected users spreading malware
Frank Bulk
frnkblk at iname.com
Tue Feb 21 01:45:06 UTC 2006
-----Original Message-----
From: Gadi Evron [mailto:ge at linuxbox.org]
Sent: Monday, February 20, 2006 7:35 PM
To: frnkblk at iname.com
Cc: nanog at merit.edu
Subject: Re: Quarantine your infected users spreading malware
Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the
> other commentary that to set up an appropriate filtering system
> (either user, port, or conversation) across all our internet access
> platforms would be difficult. Put it on the edge and you miss the
> intra-net traffic, put it in the core and you need a box on every
> router, which for larger or geographically distributed ISPs could be
> cost-prohibitive.
I have a question here, do you have repeat offenders in your abuse desk who
are of the malware-sort rather than bad people? Can these be put in a
specific group?
FB> Most of the repeat offenders tend to be people who lack the ability to
choose websites judiciously, to put it kindly. But when we encourage them to
get a pop-up blocker, update their antivirus (either the whole program or
definitions), and install a firewall (Windows XP or cheap NAT router), the
problem usually fades away. Most "just didn't know" that their computer was
spewing forth spam or viruses, being used as a proxy, or part of some kind
of botnet.
> In relation to that ThreatNet model, we just could wish there was a
> place we could quickly and accurately aggregate information about the
> bad things our users are doing -- a combination of RBL listings,
> abuse@, SenderBase, MyNetWatchman, etc. We don't have our own traffic
> monitoring and analysis system in place, and even if we did, I'm
> afraid our work would still be very reactionary.
>
> And for the record, we are one of those ISPs that blocks ports 139 and
> 445 on our DSLAM and CMTS, and we've not received one complaint, but
> I'm confident it has cut down on a host of infections.
Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?
FB> We don't look at the logs for entries regarding ports 139/445, but when
we last looked it was a few unique IP addresses per day. And due to our size,
we have no idea how much it reduced abuse reports. It's been in place for
several years.
>
> Frank
Gadi.
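Added example, not part of the thread above and not code from either poster or from NANOG: the thread mentions blocking TCP 139/445 at the DSLAM/CMTS and that the filter logs showed "a few unique IP addresses per day", and Gadi asks whether repeat offenders of the malware sort can be put in a specific group. The script below shows how a defender could turn those filter logs into exactly those two numbers: unique customer sources per day hitting the blocked SMB ports, and the sources that keep showing up across days (likely infected hosts rather than one-off noise). The log lines, the `SMB-BLOCK` tag, the hostname and all addresses are constructed for the example in an iptables-style syslog layout; a real DSLAM or CMTS ACL log would need its own regex.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data) in an iptables-style syslog
# format. "SMB-BLOCK" is an assumed log prefix for the 139/445 deny rule.
SAMPLE_LOG = """\
Feb 20 10:15:01 dslam-edge1 kernel: SMB-BLOCK IN=cust0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=3457 DPT=445
Feb 20 10:15:03 dslam-edge1 kernel: SMB-BLOCK IN=cust0 SRC=10.1.2.3 DST=198.51.100.8 PROTO=TCP SPT=3458 DPT=445
Feb 20 11:02:44 dslam-edge1 kernel: SMB-BLOCK IN=cust0 SRC=10.1.9.9 DST=203.0.113.4 PROTO=TCP SPT=1040 DPT=139
Feb 20 12:00:00 dslam-edge1 kernel: WEB-OK IN=cust0 SRC=10.1.2.3 DST=203.0.113.80 PROTO=TCP SPT=1050 DPT=80
Feb 21 09:30:12 dslam-edge1 kernel: SMB-BLOCK IN=cust0 SRC=10.1.2.3 DST=198.51.100.9 PROTO=TCP SPT=3460 DPT=445
Feb 21 09:31:00 dslam-edge1 kernel: SMB-BLOCK IN=cust0 SRC=10.1.5.5 DST=198.51.100.9 PROTO=TCP SPT=2000 DPT=445
Feb 22 08:00:00 dslam-edge1 kernel: SMB-BLOCK IN=cust0 SRC=10.1.2.3 DST=198.51.100.10 PROTO=TCP SPT=3470 DPT=445
"""

# Assumed line layout: "<mon> <day> <time> <host> kernel: <tag> ... SRC= DST= PROTO= SPT= DPT="
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: "
    r"(?P<tag>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# The two ports the thread says are filtered at the DSLAM/CMTS.
SMB_PORTS = {139, 445}


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "day": f"{m['mon']} {int(m['day']):02d}",  # normalise 'Feb  9' -> 'Feb 09'
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def unique_sources_per_day(log_text, ports=SMB_PORTS):
    """Return {day: set(src)} for TCP packets dropped on the blocked SMB ports.

    Unique sources, not packet counts, are the useful metric: one infected
    host scanning /16s produces thousands of drops but is still one customer.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] in ports:
            per_day[rec["day"]].add(rec["src"])
    return dict(per_day)


def repeat_offenders(per_day, min_days=2):
    """Sources seen on at least min_days distinct days.

    A host that hits 139/445 outbound day after day is the 'malware-sort'
    repeat offender the thread talks about; a single day is more often noise.
    """
    days_seen = defaultdict(set)
    for day, srcs in per_day.items():
        for src in srcs:
            days_seen[src].add(day)
    return {src: sorted(days) for src, days in days_seen.items() if len(days) >= min_days}


if __name__ == "__main__":
    per_day = unique_sources_per_day(SAMPLE_LOG)
    for day in sorted(per_day):
        print(f"{day}: {len(per_day[day])} unique source(s) hitting 139/445")
    for src, days in repeat_offenders(per_day).items():
        print(f"repeat offender {src}: seen on {', '.join(days)}")
```

Feeding this a day's worth of real filter logs gives the "few unique IP addresses per day" figure directly, and the repeat-offender list is the group that a helpdesk script (pop-up blocker, AV update, firewall) or a quarantine VLAN would be aimed at.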