nanog mailing list archives

Re: and here are some answers [was: Quarantine your infected users spreading malware]
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 21 Feb 2006 07:01:57 +0200

Sean Donelan wrote:
> On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
>
>> it's also not just a 'i got infected over the net' problem... where is
>> that sean when you need his nifty stats :) Something about no matter what
>> you filter grandpa-jones will find a way to click on the nekkid jiffs of
>> Anna Kournikova again :(
>
> Give me (or CAIDA) permission to peek inside your networks and I'm sure
> there are lots of nifty stats we could anonymize :)
>
> The big mystery for me has always been the computers that are infected
> BEFORE they are connected to the network for the first time (according
> to their owners).  It's never repeatable, and never provable, but the
> computer owner swears it happened.  In any case, the home computer is
> owned by the home user, not the ISP or an employer or a media company.  If
> you make something attractive enough to the user, he will find a way to
> get it on his computer no matter how many roadblocks you try to put in
> the way.
>
> An ISP blocking one virus or worm doesn't change the end result.  Time
> after time I've watched, the computers eventually get infected anyway.
> Although it may appear to take longer or your NIDS may not pick up the
> final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
> vendors for ideas I've used over several years and they are now selling.
>
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?

Comment only on last paragraph:
Many *home* computers do, quite a few *corporate* do as well, in my experience.

Even if they didn't, the numbers we face are significant enough.


"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.
