Home page logo

nanog logo nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: Michael.Dillon () btradianz com
Date: Tue, 21 Feb 2006 13:46:21 +0000

When enough
"votes" have been collected, the registry sends the
shutdown signal to the end user, thus triggering the
blocker program to quarantine the user.

Isn't there a risk of DoS though?  What's to prevent someone from
"spoofing" those signals and shutting down other users?

The signal would be encoded using a unique key. 
I would also expect that the choice of listening port
would be somehow randomized and registered in the central
registry to make it less of a DOS target.

precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system.  Thus leaving us in the same
situation as before.  Firewall?  I don't need no stinking firewall.. 

I see no reason why the user needs the ability to 
override or remove the software. After all, during
normal operation it does nothing at all therefore it
does not interfere in any way with machine operation.
The intent is to make it virtually impossible to 
remove this software so that a virus or worm cannot
remove it either.

Sure it does..  It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection

If the quarantined state keeps open a port 443 connection 
to a specific trusted webserver run by the group of trusted 
security researchers then the specifics of combatting the 
worm can be made available on that site. If necessary the 
site could upload ActiveX controls to do malware scans or 
recommend the installation of such software.

--Michael Dillon

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]