Quarantine your infected users spreading malware

David Nolan vitroth+ at cmu.edu
Wed Mar 1 19:36:45 UTC 2006



--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates 
<jbates at brightok.net> wrote:

>
> Do you find that web redirection actually stems the flow of calls to the
> helpdesk? We find that anything out of the normal usually results in a
> customer calling the helpdesk just because they weren't expecting it. We
> found this to be true of email notifications as well.

We believe it does help to an extent.  But more importantly to us the same 
system that sent the notices and quarantined the host also is tracking the 
incident.  It's visible to the help desk staff and the security staff, and 
searching there first when a user contacts us is standard procedure.  Prior 
to this system we were keeping track of suspended machines by hand or via 
email.  In the summer of 2003, when the big Windows RPC vulnerability was 
out, and both Blaster and Welchia happened, we knew right away that we 
needed a system to track the *hundreds* of suspend/restore requests we were 
processing.  First it was just a tracking system, then it became a full 
automated notification and suspension system.

One of the things we do is send vulnerability notices for large scale OS 
vulnerabilities.  For example, for the Windows Print Spooler vulnerability, 
MS05-043, we scan our network multiple times a day and send notices to the 
owners of vulnerable machines.  The user/admin then has 24 hours to patch 
the machine and use the web app to tell us they did.  If they don't do so 
the machine is suspended.  Once suspended they can still use the web app to 
restore themselves.  However if we find a machine is still unpatched after 
we've been told it was patched we immediately suspend it.

> The other issue is,
> of course, differing what we are doing with those thousands of annoying
> ads that make users believe they are infected.
>

Well, once they're quarantined they should stop getting those ads and just 
get your quarantine notice, so that should be different, right?

-David
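The notify / 24-hour grace / suspend / self-restore / re-verify workflow David describes above, written out as a small state machine. This is an added illustration, not code from CMU's system or from the thread; the state names, the 24-hour `GRACE` constant, the rule that a notice is sent once per incident rather than on every scan, and the three sample hosts are all my assumptions, chosen to match the text. The part worth seeing in code is the asymmetry: a freshly notified host gets a grace period, but a host whose owner already claimed it was patched (or self-restored) gets none and is suspended on the next vulnerable scan.

```python
"""Host quarantine tracker: notice -> 24h grace -> suspend -> self-restore -> verify.
Added example; states, grace period and sample hosts are assumptions, not CMU's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class State(Enum):
    CLEAN = "clean"              # no open incident
    NOTIFIED = "notified"        # vulnerability notice sent; 24h clock running
    CLAIMED = "claimed_patched"  # owner said it is patched; next scan verifies
    SUSPENDED = "suspended"      # network access cut until the owner restores


GRACE = timedelta(hours=24)     # assumed: time the owner has to patch after the notice


@dataclass
class HostRecord:
    state: State = State.CLEAN
    notified_at: Optional[datetime] = None
    history: list = field(default_factory=list)  # (timestamp, event) trail the help desk can search


class QuarantineTracker:
    def __init__(self):
        self.hosts: dict[str, HostRecord] = {}

    def _rec(self, ip: str) -> HostRecord:
        return self.hosts.setdefault(ip, HostRecord())

    def _set(self, rec: HostRecord, state: State, now: datetime, why: str) -> State:
        rec.state = state
        rec.history.append((now, f"{state.value}: {why}"))
        return state

    def scan_result(self, ip: str, vulnerable: bool, now: datetime) -> State:
        """Feed one scanner observation for a host and return its new state."""
        rec = self._rec(ip)
        if not vulnerable:
            if rec.state in (State.NOTIFIED, State.CLAIMED):
                rec.notified_at = None
                return self._set(rec, State.CLEAN, now, "scan verified patched")
            return rec.state           # CLEAN stays clean; SUSPENDED waits for the owner to restore
        if rec.state == State.CLEAN:   # first sighting: send the notice once and start the clock
            rec.notified_at = now
            return self._set(rec, State.NOTIFIED, now, "notice sent to owner")
        if rec.state == State.NOTIFIED:
            return self.expire_deadline(ip, now)
        if rec.state == State.CLAIMED:  # owner said patched, scanner disagrees: no second grace period
            return self._set(rec, State.SUSPENDED, now, "still vulnerable after owner claimed patched")
        return rec.state               # already suspended

    def expire_deadline(self, ip: str, now: datetime) -> State:
        """Suspend a notified host whose grace period has run out (also called from a timer)."""
        rec = self._rec(ip)
        if rec.state == State.NOTIFIED and now - rec.notified_at >= GRACE:
            return self._set(rec, State.SUSPENDED, now, "24h grace period expired without patch")
        return rec.state

    def owner_claims_patched(self, ip: str, now: datetime) -> State:
        """Owner uses the web app to report the host patched; the next scan verifies the claim."""
        rec = self._rec(ip)
        if rec.state == State.NOTIFIED:
            return self._set(rec, State.CLAIMED, now, "owner reports patched")
        return rec.state

    def owner_restores(self, ip: str, now: datetime) -> State:
        """Owner self-restores a suspended host; treated as a patch claim, so the next scan verifies it."""
        rec = self._rec(ip)
        if rec.state == State.SUSPENDED:
            rec.notified_at = None
            return self._set(rec, State.CLAIMED, now, "owner self-restored via web app")
        return rec.state


def run_demo() -> dict[str, State]:
    """Walk three constructed sample hosts through the workflow; returns their final states."""
    t = QuarantineTracker()
    t0 = datetime(2005, 8, 10, 9, 0)
    # 10.0.0.1: notified, owner patches and reports it, scan confirms -> clean
    t.scan_result("10.0.0.1", True, t0)
    t.owner_claims_patched("10.0.0.1", t0 + timedelta(hours=3))
    t.scan_result("10.0.0.1", False, t0 + timedelta(hours=6))
    # 10.0.0.2: owner claims patched but the scanner still sees it vulnerable -> suspended at once
    t.scan_result("10.0.0.2", True, t0)
    t.owner_claims_patched("10.0.0.2", t0 + timedelta(hours=1))
    t.scan_result("10.0.0.2", True, t0 + timedelta(hours=2))
    # 10.0.0.3: owner never responds -> suspended when the 24h grace period expires
    t.scan_result("10.0.0.3", True, t0)
    t.scan_result("10.0.0.3", True, t0 + timedelta(hours=12))   # within grace, nothing changes
    t.expire_deadline("10.0.0.3", t0 + timedelta(hours=25))
    return {ip: rec.state for ip, rec in t.hosts.items()}
```

Every transition is appended to the host's `history`, which is the point David makes about the help desk: when a user calls, staff search this record first rather than a mailbox. A real deployment would drive `expire_deadline` from a scheduler so a host is suspended when the clock runs out even if no scan happens to land after the deadline.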





More information about the NANOG mailing list