Home page logo

nanog logo nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 21 Feb 2006 03:35:03 +0200

Frank Bulk wrote:
We're one of those user/broadband ISPs, and I have to agree with the other
commentary that to set up an appropriate filtering system (either user,
port, or conversation) across all our internet access platforms would be
difficult.  Put it on the edge and you miss the intra-net traffic, put it in
the core and you need a box on every router, which for a larger or
graphically distributed ISPs could be cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk who are of the malware-sort rather than bad people? Can these be put in a specific group?

In relation to that ThreatNet model, we just could wish there was a place we
could quickly and accurately aggregate information about the bad things our
users are doing -- a combination of RBL listings, abuse@, SenderBase,
MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
system in place, and even if we did, I'm afraid our work would still be very

And for the record, we are one of those ISPs that blocks ports 139 and 445
on our DSLAM and CMTS, and we've not received one complaint, but I'm
confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce abuse reports, tech support calls, etc.?




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]