Quarantine your infected users spreading malware

Sean Donelan sean at donelan.com
Wed Feb 22 00:36:05 UTC 2006


On Tue, 21 Feb 2006 Valdis.Kletnieks at vt.edu wrote:
> If people actually *knew* how to do this differentiation any better than
> flipping the quarter I have in my pocket, we wouldn't be having this discussion.

Yep. Although it should have been obvious, a problem with quarantine
systems is most users can't validate an inline "trusted path" if the host
or something along the path may have been compromised.  Even if it hasn't
been totally compromised, the bad guys can impersonate the look and feel
of your quarantine system to lead your users down the walled garden path
of the bad guy's choosing. If you notify users by e-mail, the bad guys can
make their e-mail look very similar.  If you notify users by web page
interception, the bad guys can make their web page pop-ups look like your
quarantine pages.  And so on.

So you are quickly back to out-of-band communication paths with the user.

A couple of years ago I was a big fan of inline quarantine systems.  And
for some things it may still work such as initial registration and setup
before a user's machine is compromised.  But I've changed my mind, or
rather the bad guys changed it for me, about what the long-term
effectiveness of inline quarantine systems for compromised systems can be.
