Re: Quarantine your infected users spreading malware

2006-03-02 Thread Christopher L. Morrow
On Wed, 1 Mar 2006, Jack Bates wrote: Christopher L. Morrow wrote: snip agreed, punting this problem to the helpdesk makes the helpdesk manager grab his gun(s) and find the security wonk that put a hurtin' on his numbers :) Also, it costs lots of money, which isn't generally a good

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave
On Tue 28 Feb 2006 (19:29 +), Christopher L. Morrow wrote: On Tue, 28 Feb 2006, Bill Nash wrote: The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave
On Wed 01 Mar 2006 (16:33 +), Christopher L. Morrow wrote: On Wed, 1 Mar 2006, JP Velders wrote: Date: Tue, 28 Feb 2006 18:50:29 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: nanog@merit.edu Subject: Re: Quarantine your infected users spreading malware

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave
On Wed 01 Mar 2006 (11:42 -0600), Jack Bates wrote: Christopher L. Morrow wrote: snip agreed, punting this problem to the helpdesk makes the helpdesk manager grab his gun(s) and find the security wonk that put a hurtin' on his numbers :) Also, it costs lots of money, which isn't generally

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Niels Raijer
On Thu, Mar 02, 2006 at 07:57:14AM -0500, Robert E. Seastrom wrote: Jim Segrave [EMAIL PROTECTED] writes: You did think of contacting them and asking? You know, e-mail, fax, telephone, that sort of thing? Yes, we did think of that sort of thing. Those of us with even the slightest

Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan
--On Tuesday, February 28, 2006 14:39:37 -0500 David Nolan [EMAIL PROTECTED] wrote: We a couple techniques at Carnegie Mellon, depending on the network scenario. The DHCP based technique outlined above requires no extra infrastructure, just extra configuration, so it is what we use for

Re: Quarantine your infected users spreading malware

2006-03-01 Thread Jack Bates
David Nolan wrote: snip (*): For anyone who doesn't know, URPF is essentially a way to do automatic acls, comparing the source IP of an incoming packet to the routing table to verify the packet should have come from this interface. With the right hardware this is significantly cheaper

Re: Quarantine your infected users spreading malware

2006-03-01 Thread JP Velders
Date: Tue, 28 Feb 2006 18:50:29 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: nanog@merit.edu Subject: Re: Quarantine your infected users spreading malware On Tue, 28 Feb 2006, Jim Segrave wrote: www.quarantainenet.nl It puts them in a protected environment where

Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan
--On Wednesday, March 01, 2006 07:54:17 -0600 Jack Bates [EMAIL PROTECTED] wrote: David Nolan wrote: snip (*): For anyone who doesn't know, URPF is essentially a way to do automatic acls, comparing the source IP of an incoming packet to the routing table to verify the packet should

Re: Quarantine your infected users spreading malware

2006-03-01 Thread Christopher L. Morrow
On Wed, 1 Mar 2006, JP Velders wrote: Date: Tue, 28 Feb 2006 18:50:29 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: nanog@merit.edu Subject: Re: Quarantine your infected users spreading malware On Tue, 28 Feb 2006, Jim Segrave wrote: www.quarantainenet.nl

Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan
--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates [EMAIL PROTECTED] wrote: Do you find that web redirection actually stems the flow of calls to the helpdesk? We find that anything out of the normal usually results in a customer calling the helpdesk just because they weren't

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Jim Segrave
On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote: --On February 23, 2006 8:02:31 AM -0600 Jack Bates [EMAIL PROTECTED] wrote: We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Christopher L. Morrow
On Tue, 28 Feb 2006, Jim Segrave wrote: www.quarantainenet.nl It puts them in a protected environment where they can get cleaned up on-line without serious risk of re-infection. They can pop their e-mail, reply via webmail, but they can't connect to anywhere except a list of update sites.

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Bill Nash
The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network translation tricks to redirect all web traffic to a portal. For cable modems and bridged DSL, you can do this with

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Christopher L. Morrow
On Tue, 28 Feb 2006, Bill Nash wrote: The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network translation tricks to redirect all web traffic to a portal. For cable modems

Re: Quarantine your infected users spreading malware

2006-02-28 Thread David Nolan
--On Tuesday, February 28, 2006 14:07:36 -0500 Bill Nash [EMAIL PROTECTED] wrote: The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network translation tricks to redirect all

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Jason Frisvold
On 2/23/06, Andy Davidson [EMAIL PROTECTED] wrote: And they don't care ! How is someone else telling them that they need a virus checker going to change anything ? It's not. That's why services such as AOL integrate it with the system.. Granted, the user has to initially accept it, but it's

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Jack Bates
Andy Davidson wrote: And they don't care ! How is someone else telling them that they need a virus checker going to change anything ? We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Eric Gauthier
Heya, Sorry about continuing this thread... I noticed a few people discussing this topic and wondering about new ways to look at quarantining hosts. There's a working group within the US Internet2 community that's been working on a generalized architecture and set of white-papers that our

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Michael Loftis
--On February 23, 2006 8:02:31 AM -0600 Jack Bates [EMAIL PROTECTED] wrote: We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was so high, we quickly changed to offline cleanup only. It will

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Gadi Evron
Michael Loftis wrote: What doesn't help is the ISPs out there who are complete dolts and first don't verify reports and second false alarm. They'll cut a user off on a single complaint without any evidence or verification. Or worse they have some automated system that false alarms without

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Michael Loftis
--On February 23, 2006 9:09:26 PM +0200 Gadi Evron [EMAIL PROTECTED] wrote: I don't really see how any ISP will terminate an account for just one complaint, after all, it's losing money.. We have seen a few good examples of pretty big ISP's who said here how quarantine works for them. Got

Re: Quarantine your infected users spreading malware

2006-02-22 Thread Andy Davidson
On 21 Feb 2006, at 16:26, Jason Frisvold wrote: Key words there.. Large Provider .. I don't think A/V companies have any interest whatsoever in smaller providers.. Just not a big enough customer base I guess... It would be nice to see an A/V provider willing to take that first step and

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. Are you saying that the problem of spreading worms and botnets is fading? Where do you get your data on this? I

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
How do you get the unwashed masses of ISPs to join the choir so you can preach to them? Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Gadi Evron
[EMAIL PROTECTED] wrote: How do you get the unwashed masses of ISPs to join the choir so you can preach to them? Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do. As the defense is local to the user's machine, the attacker can

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
How do you differentiate this infection from the ones they've been preached to to avoid? The same way that people currently differentiate bad software from good software before they install something on their machines. --Michael Dillon

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold
On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Gadi Evron
[EMAIL PROTECTED] wrote: If AV software can protect itself this way, why would anyone build an infection blocker using any less protection? AV software can *try* and protect itself in this and other ways, but that is OT to NANOG. I don't mind discussing it in private though if software

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
When enough votes have been collected, the registry sends the shutdown signal to the end user, thus triggering the blocker program to quarantine the user. Isn't there a risk of DoS though? What's to prevent someone from spoofing those signals and shutting down other users? The

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote: Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program Offering them free software won't

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold
On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 13:05:35 GMT, [EMAIL PROTECTED] said: How do you differentiate this infection from the ones they've been preached to to avoid? The same way that people currently differentiate bad software from good software before they install something on their machines. If

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 10:42:20 EST, Jason Frisvold said: On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools.

Re: Quarantine your infected users spreading malware

2006-02-21 Thread PC
No, just $24/month (or whatever it is now) for the whole service. You go to a keyword and it does a web based installation widget. It is free as long as you remain a subscriber. I'm not familiar with how this works in AOL land.. Does the end-user need to subscribe to anything other than

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Larry Smith
On Tuesday 21 February 2006 10:26, Jason Frisvold wrote: On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Oddly enough, AOL and several other large providers seem to have no problems advertising some variant on 'free A/V software'. Key words there.. Large Provider .. I don't think

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in,

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash
On Tue, 21 Feb 2006, Jason Frisvold wrote: On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold
On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: Big deal. You're talking about volume licensing at that point, and offering vendors an opportunity to compete to get on every desktop in your customer base. That's a big stick to negotiate with, especially if you're an Earthlink or AOL. Agreed.

Re: Quarantine your infected users spreading malware

2006-02-21 Thread James
On Tue, Feb 21, 2006 at 07:17:38AM +0200, Gadi Evron wrote: [EMAIL PROTECTED] wrote: On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed... [snip] I'll update on these as I find out more on: http://blogs.securiteam.com This write-up can be found here:

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Scott Weeks
- Original Message Follows - From: [EMAIL PROTECTED] Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. Are you saying that the problem of spreading

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Vicky Røde
Bill Nash wrote: On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote: Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks
- Original Message Follows - From: Gadi Evron [EMAIL PROTECTED] Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. Some who are user/broadband ISP's (not say,

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
[EMAIL PROTECTED] wrote: On Mon, 20 Feb 2006 23:40:48 +0200, Gadi Evron said: Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. It is becoming more and more obvious

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. :-( I quite agree, which is why I trived to cover the philosophical part from both sides. Now, how

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Randy Bush
scott, these are all just gadi's self-promotion ads. i recommend procmail. randy

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash
On Tue, 21 Feb 2006, Gadi Evron wrote: Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. The ISPs will be a part of the solution. However, ISPs fall into two major

RE: Quarantine your infected users spreading malware

2006-02-20 Thread Edward W. Ray
And I have a solution for bad drivers: require all manufacturers to fix the steering wheel so that acknowledged bad drivers cannot turn the wheel to make turns, change lanes, etc. Or perhaps limit the mph to 35 max and deny them access to freeways. ISPs should not police users, just like auto

RE: Quarantine your infected users spreading malware

2006-02-20 Thread Frank Bulk
We're one of those user/broadband ISPs, and I have to agree with the other commentary that to set up an appropriate filtering system (either user, port, or conversation) across all our internet access platforms would be difficult. Put it on the edge and you miss the intra-net traffic, put it in

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
Frank Bulk wrote: We're one of those user/broadband ISPs, and I have to agree with the other commentary that to set up an appropriate filtering system (either user, port, or conversation) across all our internet access platforms would be difficult. Put it on the edge and you miss the intra-net

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Jason Frisvold
On 2/20/06, Edward W. Ray [EMAIL PROTECTED] wrote: ISPs should not police users, just like auto manufacturers should not police drivers. That is what driver's licenses are for. So the state polices the drivers.. Should the state police the internet as well? And how would that be

Re: Quarantine your infected users spreading malware

2006-02-20 Thread eric-list-nanog
On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed... [snip] I'll update on these as I find out more on: http://blogs.securiteam.com This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312 Ah yes, the old self-promotion trick. You know, I get some ads

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
[EMAIL PROTECTED] wrote: On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed... [snip] I'll update on these as I find out more on: http://blogs.securiteam.com This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312 Ah yes, the old self-promotion