FBI tells the public to call their ISP for help

michael.dillon at bt.com michael.dillon at bt.com
Thu Jun 14 14:27:08 UTC 2007

> Since many Microsoft patches are only legally available via 
> the Internet, and an ISP can not predict which servers 
> Microsoft will use to distribute Microsoft patches, ISPs must 
> enable essentially full Internet access which includes access 
> for most worms.

Has anybody tried a firewalling solution in which unpatched PCs are only
able to access a special ISP-operated forwarding nameserver which is
configured to only reply with A records for a list of known Microsoft
update sites? And then have this specially patched nameserver also
trigger the firewall to open up access to the addresses that it returns
in A records?

According to Microsoft, their list of "trusted sites" for MS Update is
*.update.microsoft.com and download.windowsupdate.com. Even if they have
some sort of CDN (Content Delivery Network) with varying IP addresses
based on topology or load, this is still predictable enough for a
software solution to provide a temporary walled garden.

You don't need to make copies of their patch files. You don't need MS to
provide an out-of-band list of safe IP addresses. As long as you are
able to divert a subscriber's traffic through a special firewalled
garden, an ISP can implement this with no special support from MS. Wrap
this up with a GUI for your support-desk people to enable/disable the
traffic diversion and you have a low-cost solution. You can even
leverage the same technology to deal with botnet infestations although
you would probably want a separate firewalled garden that allows access
to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's
own pages, etc.

--Michael Dillon

More information about the NANOG mailing list