Automatic shutdown of infected network connections
Some universities such as Vanderbilt University are automatically shutting down network ports when they detect signature worm traffic. Almost 25% of the students' computers were detected as infected when they connected to the university network. http://www.vanderbilthustler.com/vnews/display.v/ART/2003/08/29/3f4eb4b3537e... How many ISPs disconnect infected computers from the network? Do you leave them connected because they are paying customers, and how else could they download the patch from microsoft?
On Fri, Aug 29, 2003 at 09:44:11PM -0400, Sean Donelan wrote:
How many ISPs disconnect infected computers from the network? Do you leave them connected because they are paying customers, and how else could they download the patch from microsoft?
Let's see...
* I don't know how many; at minimum, those who receive court subpoenas telling them to.
* Do you leave a user connected if they are in violation of your AUP and are wreaking havoc on your network and other networks?
* Perhaps you could send a disk out? Or set them up in a sandbox-type LAN where they can only visit your internal disinfection site?
Sean Donelan wrote:
How many ISPs disconnect infected computers from the network? Do you leave them connected because they are paying customers, and how else could they download the patch from microsoft?
We disconnect after contact if they remain infected after 72 hours or once we determine contact won't be possible. Users are responsible for their own computers. We understand that many of them need the service in order to fix their systems. However, a line has to be drawn at some point. I want the 135 blocks removed, and in order to do that, the malicious packets must be reduced to a minimum.
-Jack
On Fri, Aug 29, 2003 at 09:44:11PM -0400, Sean Donelan wrote:
Some universities such as Vanderbilt University are automatically shutting down network ports when they detect signature worm traffic. Almost 25% of the students' computers were detected as infected when they connected to the university network.
http://www.vanderbilthustler.com/vnews/display.v/ART/2003/08/29/3f4eb4b3537e...
How many ISPs disconnect infected computers from the network? Do you leave them connected because they are paying customers, and how else could they download the patch from microsoft?
I work for a cable modem provider. What we came up with is a modem config that allows http, pop, and smtp while cutting the allowed bandwidth to 56k upstream and 56k downstream. This way they can still get the needed updates, but are not able to blast our network. Secondary effect is that the customer will call in and complain about slow speeds; then our techs can tell them why they are slow and inform them how to fix the problem.
--
Jonathan Crockett
Network Engineer
Midcontinent Communications
On Tue, Sep 02, 2003 at 09:59:51AM -0500, Jonathan Crockett wrote:
I work for a cable modem provider. What we came up with is a modem config that allows http, pop, and smtp while cutting the allowed bandwidth to 56k upstream and 56k downstream. This way they can still get the needed updates, but are not able to blast our network. Secondary effect is that the customer will call in and complain about slow speeds; then our techs can tell them why they are slow and inform them how to fix the problem.
Why in the world would you do that? The DOCSIS specification allows for filtering rules at the CPE, which means you could simply block icmp echo and ports 135-139+445 directly at their home network, causing no load whatsoever on your network, _and_ no more infected boxes (even at 56k). Besides, have you ever tried updating an XP system at 56k? It could literally take days.
--
Matthew S. Hallacy
FUBAR, LART, BOFH Certified
http://www.poptix.net
GPG public key 0x01938203
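The port shutdown Sean describes and the CPE filter Matthew proposes both need a way to decide, from traffic alone, which hosts are scanning. As an added example (not from the thread, Vanderbilt, or any vendor), here is a small Python detector over constructed flow records: it counts the distinct hosts each source tries to reach on the ports Matthew names (TCP 135-139 and 445) within a one-minute window and flags sources over an assumed threshold, which is the verdict a port-shutdown or quarantine script would act on. The flow-line format, thresholds and sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Attack-vector ports named in the thread (TCP 135-139 and 445).
WORM_PORTS = set(range(135, 140)) | {445}
# Assumption: a source reaching this many distinct hosts on those ports
# inside one window is treated as a scanning (infected) machine.
SCAN_THRESHOLD = 20
WINDOW_SECONDS = 60

# Assumed flow-record format: "<date> <time> <src> -> <dst>:<dport> <proto> <tcpflags>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp|icmp) (?P<flags>\S+)$")


def parse_flow(line):
    """Return a dict for one flow line, or None if it does not match the format."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S").timestamp()
    f["dport"] = int(f["dport"])
    return f


def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Map each scanning source to the number of distinct hosts it probed
    on worm ports within a single window; sources under the threshold are omitted."""
    probed = defaultdict(set)  # (src, window id) -> set of destination hosts
    for line in lines:
        f = parse_flow(line)
        # Only outbound TCP connection attempts (SYN) to the worm ports count.
        if f is None or f["proto"] != "tcp" or f["dport"] not in WORM_PORTS:
            continue
        if "S" not in f["flags"]:
            continue
        probed[(f["src"], int(f["ts"] // window))].add(f["dst"])
    return {src: len(dsts) for (src, _), dsts in probed.items() if len(dsts) >= threshold}


# Constructed sample: one benign host and one host sweeping a /24 on port 135.
SAMPLE_FLOWS = [
    "2003-08-29 21:44:00 10.0.5.40 -> 192.0.2.10:80 tcp S",  # ordinary web request
    "2003-08-29 21:44:01 10.0.5.40 -> 10.0.5.2:445 tcp S",   # a single file-share connection
] + [f"2003-08-29 21:44:{i:02d} 10.0.5.23 -> 10.0.6.{i}:135 tcp S" for i in range(1, 31)]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))
```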
On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
On Tue, Sep 02, 2003 at 09:59:51AM -0500, Jonathan Crockett wrote:
I work for a cable modem provider. What we came up with is a modem config that allows http, pop, and smtp while cutting the allowed bandwidth to 56k upstream and 56k downstream. This way they can still get the needed updates, but are not able to blast our network. Secondary effect is that the customer will call in and complain about slow speeds; then our techs can tell them why they are slow and inform them how to fix the problem.
Why in the world would you do that? The DOCSIS specification allows for filtering rules at the CPE, which means you could simply block icmp echo and ports 135-139+445 directly at their home network, causing no load whatsoever on your network, _and_ no more infected boxes (even at 56k).
The modem _is_ the CPE. There's no load on the network; just CPU on the modem. "modem config" != "CMTS config".
Besides, have you ever tried updating an XP system at 56k? It could literally take days.
You may have a point there.
--
Nathan Norman - Incanus Networking
mailto:nnorman@incanus.net
Perilous to all of us are the devices of an art deeper than we ourselves possess. -- Gandalf the Grey
On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
Why in the world would you do that? The DOCSIS specification allows for filtering rules at the CPE, which means you could simply block icmp echo and ports 135-139+445 directly at their home network, causing no load whatsoever on your network, _and_ no more infected boxes (even at 56k).
The modem _is_ the CPE. There's no load on the network; just CPU on the modem. "modem config" != "CMTS config".
I think that's exactly what I said, perhaps you misread my comment. My point was that you're rate limiting and filtering customers for no reason when you have the ability to filter the attack vectors in a very effective and 'clean' way. You should consider leaving those ports filtered seeing how they're the #1 way for windows systems to be infected/hijacked.
--
Matthew S. Hallacy
FUBAR, LART, BOFH Certified
http://www.poptix.net
GPG public key 0x01938203
On Wed, Sep 03, 2003 at 10:45:26AM -0500, Matthew S. Hallacy wrote:
On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
[ Jonathan said "we are filtering and rate limiting at the modem" ... ]
On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
Why in the world would you do that? The DOCSIS specification allows for
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
filtering rules at the CPE, which means you could simply block icmp echo and ports 135-139+445 directly at their home network, causing no load whatsoever on your network, _and_ no more infected boxes (even at 56k).
The modem _is_ the CPE. There's no load on the network; just CPU on the modem. "modem config" != "CMTS config".
I think that's exactly what I said, perhaps you misread my comment.
What you said is highlighted above. I don't think I misread it ... I may have misunderstood what you meant. Did you intend to take issue _only_ with rate limiting, as opposed to filtering, or are you taking issue with the broad filtering described, or both? I'm trying to parse "Why in the world ..." :-)
My point was that you're rate limiting and filtering customers for no reason when you have the ability to filter the attack vectors in a very effective and 'clean' way. You should consider leaving those ports filtered seeing how they're the #1 way for windows systems to be infected/hijacked.
The provider in question has a long-standing tradition of providing unfiltered access. Perhaps recent events will cause them to change their policy as you suggest. Personally I think it's a great idea. [ I'm no longer an employee of said provider ]
Best regards,
--
Nathan Norman - Incanus Networking
mailto:nnorman@incanus.net
This message cannot be considered spam, even though it is. Some law that never was enacted says so. -- Arkadiy Belousov
On Wed, Sep 03, 2003 at 10:12:16AM -0500, Nathan E Norman wrote:
What you said is highlighted above. I don't think I misread it ... I may have misunderstood what you meant. Did you intend to take issue _only_ with rate limiting, as opposed to filtering, or are you taking issue with the broad filtering described, or both? I'm trying to parse "Why in the world ..." :-)
I was taking issue with the "deny all, allow pop3, smtp, http, .." + rate limit approach; I did see the 'filtering at the modem' part. Perhaps restating the ability of DOCSIS compliant CPEs was confusing.
--
Matthew S. Hallacy
FUBAR, LART, BOFH Certified
http://www.poptix.net
GPG public key 0x01938203
Besides, have you ever tried updating an XP system at 56k? It could literally take days.
Yes, days if you have never updated the system at all or if you count minutes as days. And if you just bought a new system, it should have the big update (SP2) installed on the machine already, unless you're dealing with an incompetent PC manufacturer/reseller/whatever that likes to cut corners (say something idiotic like buying plain XP OEM CDs instead of XP+SP2 OEM CDs because it saves them $1-3 per seat from some gray distributor) or not stay up to speed on MS security because they don't want to deal with after-sale support or provide it. Right now, Windows XP says I'm "Connected at 50.6Kbps", and there are no annoying "There are critical updates available for your system" nag messages beaming from the taskbar.
At 10:41 AM 03/09/2003 -0400, Omachonu Ogali wrote:
And if you just bought a new system, it should have the big update (SP2) installed on the machine already, unless you're dealing with an incompetent PC manufacturer/reseller/whatever that likes to cut corners (say something idiotic like buying plain XP OEM CDs instead of XP+SP2 OEM CDs because it saves them $1-3 per seat from some gray distributor) or not stay up to speed on MS security because they don't want to deal with after-sale support or provide it.
FYI, the last 3 Dell laptops we bought (2 weeks ago) all needed about 56MB of patches OOTB
---Mike
In article <5.2.0.9.0.20030903104933.03fa9db0@209.112.4.2>, Mike Tancsa <mike@sentex.net> writes
FYI, the last 3 Dell laptops we bought (2 weeks ago) all needed about 56MB of patches OOTB
That's exactly the same as I needed for a copy of XP-Upgrade I bought in a high-turnover retail store (Staples, in USA) last week.
--
Roland Perry
Sean Donelan wrote:
How many ISPs disconnect infected computers from the network? Do you leave them connected because they are paying customers, and how else could they download the patch from microsoft?
As an aside: As a corporation (no customers per se), we disconnect infected computers _completely_ (via remote router/switch control tools). We can do it automatically (via various detectors), but usually do it manually. This is primarily to maintain service levels with non-infected stuff. Fixing the computer is usually done by support staff, via CD if it's unsafe to reconnect the machine to the net. If we get infested badly enough, we block the attack ports subnet-by-subnet as necessary until we've sterilized the subnet.
participants (9)
- Chris Lewis
- Jack Bates
- Jonathan Crockett
- Matthew S. Hallacy
- Mike Tancsa
- Nathan E Norman
- Omachonu Ogali
- Roland Perry
- Sean Donelan