Quarantine your infected users spreading malware

David Nolan vitroth+ at cmu.edu
Wed Mar 1 13:37:08 UTC 2006



--On Tuesday, February 28, 2006 14:39:37 -0500 David Nolan 
<vitroth+ at cmu.edu> wrote:

> We use a couple of techniques at Carnegie Mellon, depending on the network
> scenario.
>
> The DHCP based technique outlined above requires no extra infrastructure,
> just extra configuration, so it is what we use for most of our campus
> wired networks.  We use the same setup as our registration helper
> network, so our internal name for the DHCP based quarantine system is
> called QuickReg.  An unknown or banned client gets an address in 1918
> space and can only access our abuse tracking, patch download and network
> registration systems.

Following up my own post.  I know, it's always bad etiquette, but I forgot 
to mention something.

We're also using an active suspension mechanism for these networks to block 
clients with current valid DHCP leases instantly.  We use Unicast Reverse 
Path Filtering (*) and /32 host routes injected into our OSPF cloud via 
quagga (ospf routing daemon on a unix server).

This means a suspended host loses all network connectivity immediately, 
until they re-dhcp, at which point they'll have an RFC 1918 address and have 
access to the quarantine network.  This also handles the occasional 
statically configured host.

We can also use this system to filter external hosts without having to 
manipulate border router acls frequently.


(*): For anyone who doesn't know, URPF is essentially a way to do automatic 
acls, comparing the source IP of an incoming packet to the routing table 
to verify the packet should have come from this interface.  With the right 
hardware this is significantly cheaper than acl processing.  And it's 
certainly easier to maintain.  And by injecting a /32 null route into the 
route table you can cause a host's local router to start discarding all 
traffic from that IP.


-David Nolan
 Network Software Designer
 Computing Services
 Carnegie Mellon University
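An added illustration of the mechanism described above (not code from the post or from CMU): a toy longest-prefix-match routing table with strict uRPF, showing how an injected /32 null route makes the host's local router drop its traffic while neighbouring hosts are unaffected. The subnets, interface names and addresses are constructed for the example.

```python
import ipaddress

class RoutingTable:
    """Minimal longest-prefix-match table. iface None models a null/discard route."""
    def __init__(self):
        self.routes = []

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, ip):
        ip = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

def strict_urpf_permits(table, src_ip, ingress_iface):
    """Strict uRPF: forward only if the best route for the SOURCE address points
    back out the interface the packet arrived on. A null route points at no
    interface, so the source is dropped regardless of ingress. (Simplification:
    the default route is treated like any other route here.)"""
    match = table.lookup(src_ip)
    return match is not None and match[1] == ingress_iface

def suspend_host(table, host_ip):
    """What the OSPF-injected /32 null route does on the host's local router."""
    table.add(f"{host_ip}/32", None)

def unsuspend_host(table, host_ip):
    table.remove(f"{host_ip}/32")

def build_campus_table():
    """Constructed sample table for one campus router (not CMU's real topology)."""
    t = RoutingTable()
    t.add("10.1.2.0/24", "eth1")   # a campus wired subnet
    t.add("10.9.0.0/16", "eth2")   # the RFC 1918 quarantine network
    t.add("0.0.0.0/0", "uplink")   # default route toward the border
    return t

if __name__ == "__main__":
    t = build_campus_table()
    print(strict_urpf_permits(t, "10.1.2.3", "eth1"))        # True: normal host
    suspend_host(t, "10.1.2.3")
    print(strict_urpf_permits(t, "10.1.2.3", "eth1"))        # False: /32 null route wins
    print(strict_urpf_permits(t, "10.1.2.4", "eth1"))        # True: neighbours unaffected
    suspend_host(t, "198.51.100.7")                          # external host, no border ACL edit
    print(strict_urpf_permits(t, "198.51.100.7", "uplink"))  # False
```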



