Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Quarantine your infected users spreading malware
From: Bob Beck <beck () bofh cns ualberta ca>
Date: Wed, 22 Feb 2006 08:13:24 -0700

As many of us know, handling such users on tech support is not very 
cost-effective to ISP's, as if a user makes a call the ISP already 
losses money on that user. Than again, paying abuse desk personnel just 
so that they can disconnect your users is losing money too.

Which one would you prefer?

from home :

# Training wheels for windows boxes. Stomp anything other than
# web ftp and ssh. If they need more they should run something else.
block in log on { $int_if, $wi_if }  proto tcp from any os Windows to any
pass in on { $int_if, $wi_if } proto tcp from any os Windows to any port { 80, 443, 22, 21 } keep state

Tricks like max states and an overflow table help too. 

But worrying about 139 and 445 is just hole du jour. Worrying only about
windows is OS du jour.  The real problem is not Aunty Jane. It's twofold:

        1) Aunty Jane is naiive and easily socially engineered
        2) Aunty Jane is running crap that can either be directly compromised,
           or that makes it easier to do 1) above.

Packet filtering customers by default will make no difference as more
and more bad software comes out that simply embeds itself in web
protocols and the like that you simply can't block arbitrarily and
stay in business.

Wait for the first good VOIP propagating worm (humming "woo hooo woo
hoo hooo....)



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]