Quarantine your infected users spreading malware

Bill Nash billn at odyssey.billn.net
Tue Feb 21 15:25:05 UTC 2006

On Tue, 21 Feb 2006, Michael.Dillon at btradianz.com wrote:

> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program

Offering them free software won't work to the levels you want. At first, 
you'll get a response, because consumers always jump at free shiny things, 
until something happens that makes them not like it anymore, and then 
they'll dig in and never use it again. If you want to get this kind of 
filtering into your core, you have a need to get this to a compulsory 
level for access.

I don't think there's any disagreement as to the roots of this problem:
- Modern users are generally clueless.
- Most don't have firewalls or even the most basic of protections.
- Getting tools deployed where they need to be most is the hardest.

With that said..

If you're talking about a compulsory software solution, why not, as an 
ISP, go back to authenticated activity? Distribute PPPOE clients mated 
with common anti-spyware/anti-viral tools. Pull down and update signatures 
*every time* the user logs in, and again periodically while the user is 
logged in (for those that never log out). Require these safeguards to be 
active before they can pass the smallest traffic.

The change in traffic flow would necessitate some architecture kung fu, 
maybe even AOL style, but you'd have the option of selectively picking out 
reported malicious/infected users (*cough* ThreatNet *cough*) and routing 
them through packet inspection frameworks on a case by case basis. Quite 
possibly, you could even automate that and the users would never be the 

- billn

More information about the NANOG mailing list