mailing list archives
Re: Quarantine your infected users spreading malware
From: Bill Nash <billn () odyssey billn net>
Date: Mon, 20 Feb 2006 19:02:22 -0500 (EST)
While I'm not being told to shut up because this is off topic (yet), I'm
going to suggest that people interested in continuing this conversation
contact me off list and coordinate something ad hoc. The amount of
bullshit I've already received in response to thinking that this has
operational merit when it comes to mitigating both risk and effects is
pretty astounding, even by nanog standards.
On Mon, 20 Feb 2006, Bill Nash wrote:
On Tue, 21 Feb 2006, Gadi Evron wrote:
Many ISP's who do care about issues such as worms, infected users
"spreading the love", etc. simply do not have the man-power to handle all
their infected users' population.
The ISPs will be a part of the solution. However, ISPs fall into two
1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.
You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem. How do you get the unwashed masses of
to join the choir so you can preach to them?
What products that answer this are out there, and how good, in your
experience, are they?
We discussed this here before non-conclusively and stayed on philosophy,
anyone has new experience on the subject?
Let's be clear in what we're addressing. Are we talking about an en masse
quarantine of IP addresses sending the worm traffic, or identifying the
C&C<->payload conversations and applying blocks accordingly?
Where are the anti-virus and software firewall vendors in this conversation?
To be plain, this obviously isn't a problem you can solve with some border
filters. The complexity, and fallout, from trying to put those kinds of
filtering in is just too great. It's cumbersome to manage manually and
operational impact is too great.
If we're going to philosophize about solutions, let's throw some ideas out.
Where do concepts like ThreatNet fit into this notion?
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet is
to establish a closed threat sharing network with trusted peers, sharing
information about malcontents doing things on your network that they
shouldn't be. If you can positively identify SSH brute force sources, port
scan patterns, worm traffic, spam sources, etc, and report them to trusted
peers in a collaborative fashion, it becomes easier to support intelligent
and rapid traffic filtering concepts in your network designs, where
appropriate, even if it's something as simple as putting together a business
case for filtering entire netblocks or regions. (Yes, I write my own
analyzers, and yes, I'm involved peripherally with this project.) ThreatNet
is still pretty nascent, but conceptually it's got merit.
I'll bring up MainNerve again since they're the only vendor I've worked with
that's got tools for selectively filtering known troublemakers.
As a potential solution, I bring both of these items up because they provide
the ability to take good, distributed intelligence gathering and apply them
to your network in a precision manner, if at all, in accordance with any
unique policies you may have. The problem, as I see it, is that even if one
ISP sees the bad behaviour, there's no communication amongst the community
(that I can see) to relay or collate the history. It's like playing Mom off
against Dad because they never talk to each other. For coming up with clear
patterns of abuse and shenanigans, we're suffering from collective myopia
because we're ignoring an aspect of our favorite big ass communications
Or I'm completely off base, in which case tell me to shut up and I'll go back
into my code coma.
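The two halves of the ThreatNet idea sketched above, positively identifying SSH brute-force sources from local logs and collating sightings from trusted peers so that a source no single network would block on its own still gets caught, as an added illustration. This is not code from the ThreatNet project or from the poster; the sshd log lines, the peer report format, the thresholds, the allowlisted management range and the nftables set name are all assumptions constructed for the example.

```python
"""Added example: local SSH brute-force detection plus cross-peer collation,
in the spirit of the threat-sharing idea in the post above. Not code from
the ThreatNet project or the poster; log lines, peer reports, thresholds,
allowlist and set name are constructed for illustration."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sshd log lines in OpenSSH's usual syslog format.
SAMPLE_AUTH_LOG = """\
Feb 20 18:01:02 gw sshd[4011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 20 18:01:03 gw sshd[4011]: Failed password for root from 203.0.113.7 port 51023 ssh2
Feb 20 18:01:05 gw sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Feb 20 18:01:06 gw sshd[4013]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Feb 20 18:01:08 gw sshd[4014]: Failed password for invalid user test from 203.0.113.7 port 51032 ssh2
Feb 20 18:02:10 gw sshd[4020]: Failed password for bill from 198.51.100.20 port 40112 ssh2
Feb 20 18:02:15 gw sshd[4020]: Accepted password for bill from 198.51.100.20 port 40112 ssh2
Feb 20 18:03:00 gw sshd[4031]: Failed password for invalid user pi from 192.0.2.77 port 33001 ssh2
Feb 20 18:03:01 gw sshd[4032]: Failed password for invalid user pi from 192.0.2.77 port 33002 ssh2
"""

# Constructed reports as two trusted peers might share them. Note that
# 192.0.2.77 is below a sensible single-site threshold at every site.
PEER_REPORTS = [
    {"src": "192.0.2.77", "kind": "ssh-bruteforce", "count": 3, "reporter": "peer-a"},
    {"src": "192.0.2.77", "kind": "ssh-bruteforce", "count": 2, "reporter": "peer-b"},
    {"src": "203.0.113.7", "kind": "ssh-bruteforce", "count": 40, "reporter": "peer-a"},
    {"src": "192.0.2.9", "kind": "ssh-bruteforce", "count": 2, "reporter": "peer-b"},
]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F:.]+) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def local_report(log_text, reporter, report_floor=2, allowlist=("198.51.100.0/24",)):
    """Turn local failure counts into sightings worth sharing with peers.

    Anything inside our own allowlisted ranges (assumed management network)
    is never exported, so a staff member's typo does not end up on a peer's
    blocklist. Sources below `report_floor` are noise and are not shared.
    """
    nets = [ip_network(n) for n in allowlist]
    sightings = []
    for src, n in sorted(count_failures(log_text).items()):
        if any(ip_address(src) in net for net in nets) or n < report_floor:
            continue
        sightings.append({"src": src, "kind": "ssh-bruteforce",
                          "count": n, "reporter": reporter})
    return sightings


def collate(reports, single_site=5, min_reporters=3):
    """Merge sightings across peers into a confirmed set.

    A source is confirmed when one site alone saw heavy abuse, or when
    enough independent reporters each saw a little of it. The second path
    is the whole point of sharing: each site's own view is below threshold.
    """
    by_src = defaultdict(lambda: {"total": 0, "max_single": 0, "reporters": set()})
    for r in reports:
        if r["kind"] != "ssh-bruteforce":
            continue
        e = by_src[r["src"]]
        e["total"] += r["count"]
        e["max_single"] = max(e["max_single"], r["count"])
        e["reporters"].add(r["reporter"])
    return {
        src: {"total": e["total"], "reporters": sorted(e["reporters"])}
        for src, e in by_src.items()
        if e["max_single"] >= single_site or len(e["reporters"]) >= min_reporters
    }


def nft_rules(confirmed, set_name="threatnet_block"):
    """Render confirmed sources as nftables set additions (assumed set name)."""
    return [f"add element inet filter {set_name} {{ {src} }}" for src in sorted(confirmed)]


if __name__ == "__main__":
    ours = local_report(SAMPLE_AUTH_LOG, reporter="us")
    for rule in nft_rules(collate(ours + PEER_REPORTS)):
        print(rule)
```

Run stand-alone it prints two `nft` lines: 203.0.113.7 is confirmed on local volume alone, while 192.0.2.77 is confirmed only because three reporters saw it, and 192.0.2.9, seen by a single peer twice, is left alone. The allowlist and the two-stage threshold are where the "precision, if at all, in accordance with your own policies" part of the post lives; feed the confirmed set into a filter only where that matches your policy.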