mailing list archives
Re: Quarantine your infected users spreading malware
From: Bill Nash <billn () odyssey billn net>
Date: Mon, 20 Feb 2006 18:20:06 -0500 (EST)
On Tue, 21 Feb 2006, Gadi Evron wrote:
Many ISP's who do care about issues such as worms, infected users
"spreading the love", etc. simply do not have the man-power to handle all
their infected users' population.
The ISPs will be a part of the solution. However, ISPs fall into two major
1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.
You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem. How do you get the unwashed masses of
to join the choir so you can preach to them?
What products that answer this are out there, and how good, in your
experience, are they?
We discussed this here before non-conclusively and stayed on philosophy,
anyone has new experience on the subject?
Let's be clear in what we're addressing. Are we talking about an en masse
quarantine of IP addresses sending the worm traffic, or identifying the
C&C<->payload conversations and applying blocks accordingly?
Where are the anti-virus and software firewall vendors in this
conversation? To be plain, this obviously isn't a problem you can solve
with some border filters. The complexity, and fallout, from trying to put
those kinds of filtering in is just too great. It's cumbersome to manage
manually and operational impact is too great.
If we're going to philosophize about solutions, let's throw some ideas
out. Where do concepts like ThreatNet fit into this notion?
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet
is to establish a closed threat sharing network with trusted peers,
sharing information about malcontents doing things on your network that
they shouldn't be. If you can positively identify SSH brute force sources,
port scan patterns, worm traffic, spam sources, etc, and report them to
trusted peers in a collaborative fashion, it becomes easier to support
intelligent and rapid traffic filtering concepts in your network designs,
where appropriate, even if it's something as simple as putting together a
business case for filtering entire netblocks or regions. (Yes, I write my
own analyzers, and yes, I'm involved peripherally with this project.)
ThreatNet is still pretty nascent, but conceptually it's got merit.
I'll bring up MainNerve again since they're the only vendor I've worked
with that's got tools for selectively filtering known troublemakers.
As a potential solution, I bring both of these items up because they
provide the ability to take good, distributed intelligence gathering and
apply them to your network in a precision manner, if at all, in accordance
with any unique policies you may have. The problem, as I see it, is that
even if one ISP sees the bad behaviour, there's no communication amongst
the community (that I can see) to relay or collate the history. It's like
playing Mom off against Dad because they never talk to each other. For
coming up with clear patterns of abuse and shenanigans, we're suffering
from collective myopia because we're ignoring an aspect of of our favorite
big ass communications medium.
Or I'm completely off base, in which case tell me to shut up and I'll go
back into my code coma.