Quarantine your infected users spreading malware

David Nolan vitroth+ at cmu.edu
Tue Feb 28 19:39:37 UTC 2006



--On Tuesday, February 28, 2006 14:07:36 -0500 Bill Nash 
<billn at odyssey.billn.net> wrote:

> The simplest method is to issue a different gateway to a registry of
> known offenders, forcing their into a restrictive environment that blocks
> all ports, and uses network translation tricks to redirect all web
> traffic to a portal.
>
> For cable modems and bridged DSL, you can do this with DHCP, matching
> their MAC address. PPPOE/DSL or similiar, you match on user name. Issue
> RFC1918 space with a gateway to your quarantine network.
>
> The rest is NAT/PAT and w3proxy stunts. You could pull it off with
> something as simple as iptables and squid, after dealing with the DHCP or
> authentication servers (ala Radius) to issue to the correct credentials.
>

We a couple techniques at Carnegie Mellon, depending on the network 
scenario.

The DHCP based technique outlined above requires no extra infrastructure, 
just extra configuration, so it is what we use for most of our campus wired 
networks.  We use the same setup as our registration helper network, so our 
internal name for the DHCP based quarantine system is called QuickReg.  An 
unknown or banned client gets an address in 1918 space and can only access 
our abuse tracking, patch download and network registration systems.

But on our campus wireless network we use a inline filter system we call 
AuthBridge, based on ebtables and iptables, to filter & redirect any 
traffic from unknown/banned clients.  This system provides a more seamless 
user experience, but requires a layer-2 aggregation point where you can 
pass the traffic through the filter host.  Because our wireless is a single 
campus wide layer-2 network this is more feasible for that network.

Both of these systems are integrated with CMU's DHCP & DNS Management 
system, NetReg. (not to be confused with Southwestern University's NetReg. 
Different systems...)  The DHCP helper system is a builtin feature, while 
the AuthBridge system is an add on.   (AuthBridge just went through a 
complete rewrite to use the standard ebtables/iptables in Linux 2.6, and a 
public release should be available soon...)

For information on NetReg, QuickReg or AuthBridge, see:
http://www.net.cmu.edu/netreg
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/WebHome
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/NetRegManualDesign#Qui
ckReg
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/AuthBridge

(Our abuse tracking system also integrates with NetReg, so going from an 
external incident report to a machine suspension and email to the user & 
admins is as simple as dropping an IP and timestamp into a web form...)

-David Nolan
 Network Software Designer
 Computing Services
 Carnegie Mellon University




More information about the NANOG mailing list