nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: Bill Nash <billn () odyssey billn net>
Date: Tue, 21 Feb 2006 11:35:44 -0500 (EST)

On Tue, 21 Feb 2006, Jason Frisvold wrote:

> On 2/21/06, Bill Nash <billn () odyssey billn net> wrote:
>> If you're talking about a compulsory software solution, why not, as an
>> ISP, go back to authenticated activity? Distribute PPPoE clients mated
>> with common anti-spyware/anti-viral tools. Pull down and update signatures
>> *every time* the user logs in, and again periodically while the user is
>> logged in (for those that never log out). Require these safeguards to be
>> active before they can pass the smallest traffic.
>
> Cost prohibitive.. In order to do that you'll need licenses from the
> AV companies..

Big deal. You're talking about volume licensing at that point, and offering vendors an opportunity to compete to get on every desktop in your customer base. That's a big stick to negotiate with, especially if you're an Earthlink or AOL.

>> The change in traffic flow would necessitate some architecture kung fu,
>> maybe even AOL style, but you'd have the option of selectively picking out
>> reported malicious/infected users (*cough* ThreatNet *cough*) and routing
>> them through packet inspection frameworks on a case by case basis. Quite
>> possibly, you could even automate that and the users would never be the
>> wiser.
>
> And then the privacy zealots would be livid.. Silently re-routing
> traffic like that.. How dare you suggest such a ... wait.. hrm..
> The internet basically does this already.. I wonder if the zealots
> are aware of that.. :)

Yeah, the privacy zealots, of which I'm one, don't have much of a leg to stand on, since as the direct service provider, you'd be directly within AUP/contractually provided rights to do so, under that particular service model. They can't ding you for being active in your *response* to complaints about malicious activity sourced from your network, and taking the time to verify it. So long as you're keeping their personal information out of the hands of others, they don't have much to bitch about.

The ISPs win because they've got ready means to tie complaints directly back to an active customer, AND verify the complaint. Consumers win because they've got cheap anti-virus they still don't have to do anything about. The internet wins because ISPs are sharing non-personally identifying information about naughty behaviour and maybe increasing the mean TTL for new Windows machines. In the long term, privacy advocates win because networks have implemented active responses to attacks that routinely lead to identity theft.

The biggest hole I see in this concept is home routers that do NAT (Linksys, Linux boxes, etc). While capable of PPPoE, you can't quite mandate the A/V clients. You still have the option of doing packet inspection, which is still better than nothing.

- billn
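The workflow Bill sketches above (tie an abuse complaint back to the customer who held the address at the time, verify it against the provider's own records, then steer only the verified cases into inspection or quarantine, while the NAT-router case falls back to packet inspection) can be modelled as a small decision routine. The code below is an added example and is not part of the original thread or anything Bill or Jason posted; the session, flow and complaint records are constructed sample data, and the field names (`client_attested`, `nat_router`, the action labels) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Session:
    customer: str              # account id; stays inside the ISP, never shared
    ip: str                    # address assigned to this PPPoE session
    start: datetime
    end: Optional[datetime]    # None: still logged in
    client_attested: bool      # mandated client reported AV/anti-spyware active at login
    nat_router: bool           # endpoint is a NAT box, so no client can be mandated


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: datetime


@dataclass
class Complaint:
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: datetime
    reporter: str


T0 = datetime(2006, 2, 21, 10, 0)   # constructed reference time for the sample data

# Constructed session (RADIUS-style accounting) records.
SESSIONS = [
    Session("cust-1001", "198.51.100.10", T0 - timedelta(hours=2), None, True, False),
    Session("cust-1002", "198.51.100.20", T0 - timedelta(hours=1), None, False, True),
    Session("cust-1003", "198.51.100.30", T0 - timedelta(hours=3), T0 - timedelta(minutes=30), True, False),
]

# Constructed flow records as the ISP's own collectors would have seen them.
FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 445, T0 + timedelta(minutes=1)),
    Flow("198.51.100.20", "203.0.113.7", 25, T0 + timedelta(minutes=2)),
]

# Constructed inbound complaints from other networks.
COMPLAINTS = [
    Complaint("198.51.100.10", "203.0.113.5", 445, T0 + timedelta(minutes=2), "peer-isp-A"),
    Complaint("198.51.100.20", "203.0.113.7", 25, T0 + timedelta(minutes=3), "peer-isp-B"),
    Complaint("198.51.100.30", "203.0.113.9", 80, T0 + timedelta(minutes=1), "peer-isp-A"),
    Complaint("198.51.100.10", "203.0.113.9", 6667, T0 + timedelta(minutes=2), "anon"),
]


def session_for(ip: str, ts: datetime, sessions: List[Session]) -> Optional[Session]:
    """Tie an address at a point in time back to the session that held it."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.end is None or ts <= s.end):
            return s
    return None


def corroborating_flows(c: Complaint, flows: List[Flow],
                        window: timedelta = timedelta(minutes=5)) -> List[Flow]:
    """Verify the complaint: did our own flow records see matching traffic near that time?"""
    return [f for f in flows
            if f.src_ip == c.src_ip and f.dst_ip == c.dst_ip
            and f.dst_port == c.dst_port and abs(f.ts - c.ts) <= window]


def decide(c: Complaint, sessions: List[Session], flows: List[Flow]) -> Tuple[str, Optional[str]]:
    """Return (action, customer). Only attributed AND verified complaints trigger a response."""
    s = session_for(c.src_ip, c.ts, sessions)
    if s is None:
        return "unattributed", None            # nobody held that address then; do nothing
    if not corroborating_flows(c, flows):
        return "unverified", s.customer        # take no action on an uncorroborated report
    if s.nat_router or not s.client_attested:
        return "inspect", s.customer           # no mandated client possible: route via inspection
    return "quarantine", s.customer            # attested client: hold traffic until it re-scans


def shareable_record(c: Complaint, action: str) -> dict:
    """What could be shared with other networks: the behaviour, never the account identity."""
    return {"src_ip": c.src_ip, "dst_port": c.dst_port, "ts": c.ts.isoformat(), "action": action}


def run_example() -> List[Tuple[str, str, Optional[str]]]:
    """Process the constructed complaints and return (src_ip, action, customer) per complaint."""
    return [(c.src_ip,) + decide(c, SESSIONS, FLOWS) for c in COMPLAINTS]


if __name__ == "__main__":
    for src_ip, action, customer in run_example():
        print(f"{src_ip:16} {action:12} {customer}")
```

The ordering of the checks is the point: attribution first, verification second, and only then a response, so an uncorroborated complaint never results in a customer being re-routed, which is also what keeps the privacy argument on the provider's side.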
