Re: Quarantine your infected users spreading malware

2006-03-02 Thread Christopher L. Morrow
On Wed, 1 Mar 2006, Jack Bates wrote: Christopher L. Morrow wrote: snip agreed, punting this problem to the helpdesk makes the helpdesk manager grab his gun(s) and find the security wonk that put a hurtin' on his numbers :) Also, it costs lots of money, which isn't generally a good

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave
On Tue 28 Feb 2006 (19:29 +), Christopher L. Morrow wrote: On Tue, 28 Feb 2006, Bill Nash wrote: The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave
On Wed 01 Mar 2006 (16:33 +), Christopher L. Morrow wrote: On Wed, 1 Mar 2006, JP Velders wrote: Date: Tue, 28 Feb 2006 18:50:29 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: nanog@merit.edu Subject: Re: Quarantine your infected users spreading malware

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave
On Wed 01 Mar 2006 (11:42 -0600), Jack Bates wrote: Christopher L. Morrow wrote: snip agreed, punting this problem to the helpdesk makes the helpdesk manager grab his gun(s) and find the security wonk that put a hurtin' on his numbers :) Also, it costs lots of money, which isn't generally

Re: Quarantine your infected users spreading malware

2006-03-02 Thread Niels Raijer
On Thu, Mar 02, 2006 at 07:57:14AM -0500, Robert E. Seastrom wrote: Jim Segrave [EMAIL PROTECTED] writes: You did think of contacting them and asking? You know, e-mail, fax, telephone, that sort of thing? Yes, we did think of that sort of thing. Those of us with even the slightest

Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan
--On Tuesday, February 28, 2006 14:39:37 -0500 David Nolan [EMAIL PROTECTED] wrote: We use a couple techniques at Carnegie Mellon, depending on the network scenario. The DHCP based technique outlined above requires no extra infrastructure, just extra configuration, so it is what we use for

Re: Quarantine your infected users spreading malware

2006-03-01 Thread Jack Bates
David Nolan wrote: snip (*): For anyone who doesn't know, URPF is essentially a way to do automatic acls, comparing the source IP of an incoming packet to the routing table to verify the packet should have come from this interface. With the right hardware this is significantly cheaper

Re: Quarantine your infected users spreading malware

2006-03-01 Thread JP Velders
Date: Tue, 28 Feb 2006 18:50:29 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: nanog@merit.edu Subject: Re: Quarantine your infected users spreading malware On Tue, 28 Feb 2006, Jim Segrave wrote: www.quarantainenet.nl It puts them in a protected environment where

Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan
--On Wednesday, March 01, 2006 07:54:17 -0600 Jack Bates [EMAIL PROTECTED] wrote: David Nolan wrote: snip (*): For anyone who doesn't know, URPF is essentially a way to do automatic acls, comparing the source IP of an incoming packet to the routing table to verify the packet should

Re: Quarantine your infected users spreading malware

2006-03-01 Thread Christopher L. Morrow
On Wed, 1 Mar 2006, JP Velders wrote: Date: Tue, 28 Feb 2006 18:50:29 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: nanog@merit.edu Subject: Re: Quarantine your infected users spreading malware On Tue, 28 Feb 2006, Jim Segrave wrote: www.quarantainenet.nl

Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan
--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates [EMAIL PROTECTED] wrote: Do you find that web redirection actually stems the flow of calls to the helpdesk? We find that anything out of the normal usually results in a customer calling the helpdesk just because they weren't

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Jim Segrave
On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote: --On February 23, 2006 8:02:31 AM -0600 Jack Bates [EMAIL PROTECTED] wrote: We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Christopher L. Morrow
On Tue, 28 Feb 2006, Jim Segrave wrote: www.quarantainenet.nl It puts them in a protected environment where they can get cleaned up on-line without serious risk of re-infection. They can pop their e-mail, reply via webmail, but they can't connect to anywhere except a list of update sites.

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Bill Nash
The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network translation tricks to redirect all web traffic to a portal. For cable modems and bridged DSL, you can do this with

Re: Quarantine your infected users spreading malware

2006-02-28 Thread Christopher L. Morrow
On Tue, 28 Feb 2006, Bill Nash wrote: The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network translation tricks to redirect all web traffic to a portal. For cable modems

Re: Quarantine your infected users spreading malware

2006-02-28 Thread David Nolan
--On Tuesday, February 28, 2006 14:07:36 -0500 Bill Nash [EMAIL PROTECTED] wrote: The simplest method is to issue a different gateway to a registry of known offenders, forcing them into a restrictive environment that blocks all ports, and uses network translation tricks to redirect all

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Jason Frisvold
On 2/23/06, Andy Davidson [EMAIL PROTECTED] wrote: And they don't care ! How is someone else telling them that they need a virus checker going to change anything ? It's not. That's why services such as AOL integrate it with the system.. Granted, the user has to initially accept it, but it's

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Jack Bates
Andy Davidson wrote: And they don't care ! How is someone else telling them that they need a virus checker going to change anything ? We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Eric Gauthier
Heya, Sorry about continuing this thread... I noticed a few people discussing this topic and wondering about new ways to look at quarantining hosts. There's a working group within the US Internet2 community that's been working on a generalized architecture and set of white-papers that our

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Michael Loftis
--On February 23, 2006 8:02:31 AM -0600 Jack Bates [EMAIL PROTECTED] wrote: We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was so high, we quickly changed to offline cleanup only. It will

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Gadi Evron
Michael Loftis wrote: What doesn't help is the ISPs out there who are complete dolts and first don't verify reports and second false alarm. They'll cut a user off on a single complaint without any evidence or verification. Or worse they have some automated system that false alarms without

Re: Quarantine your infected users spreading malware

2006-02-23 Thread Michael Loftis
--On February 23, 2006 9:09:26 PM +0200 Gadi Evron [EMAIL PROTECTED] wrote: I don't really see how any ISP will terminate an account for just one complaint, after all, it's losing money.. We have seen a few good examples of pretty big ISP's who said here how quarantine works for them. Got

Re: Quarantine your infected users spreading malware

2006-02-22 Thread Andy Davidson
On 21 Feb 2006, at 16:26, Jason Frisvold wrote: Key words there.. Large Provider .. I don't think A/V companies have any interest whatsoever in smaller providers.. Just not a big enough customer base I guess... It would be nice to see an A/V provider willing to take that first step and

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Simon Waters
On Tuesday 21 Feb 2006 06:41, you wrote: I've seen more than one estimate that most computers *are* infected by at least one piece of malware/spyware/etc, (including numbers as high as 90%) I've seen 95% quoted - certainly my experience if you go looking for malware in recent Windows desktop

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. Are you saying that the problem of spreading worms and botnets is fading? Where do you get your data on this? I

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
How do you get the unwashed masses of ISPs to join the choir so you can preach to them? Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jim Segrave
On Tue 21 Feb 2006 (04:15 +0200), Gadi Evron wrote: Christopher L. Morrow wrote: it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Gadi Evron
Simon Waters wrote: I've seen 95% quoted - certainly my experience if you go looking for malware in recent Windows desktop machines using IE and Outlook it is pretty much a certainty you'll find it. Most of these tools I was using didn't detect the Sony Rootkit, or other malware, so this will

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Gadi Evron
[EMAIL PROTECTED] wrote: How do you get the unwashed masses of ISPs to join the choir so you can preach to them? Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread John Curran
At 12:26 PM +0100 2/21/06, Jim Segrave wrote: The philosophical discussion aside (latest one can be found under zotob port 445 nanog on Google), presenting some new technologies that shows this *can* be done changes the picture. http://www.quarantainenet.nl/ From the web site: Only a

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do. As the defense is local to the user's machine, the attacker can

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
How do you differentiate this infection from the ones they've been preached to to avoid? The same way that people currently differentiate bad software from good software before they install something on their machines. --Michael Dillon

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold
On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Gadi Evron
[EMAIL PROTECTED] wrote: If AV software can protect itself this way, why would anyone build an infection blocker using any less protection? AV software can *try* and protect itself in this and other ways, but that is OT to NANOG. I don't mind discussing it in private though if software

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon
When enough votes have been collected, the registry sends the shutdown signal to the end user, thus triggering the blocker program to quarantine the user. Isn't there a risk of DoS though? What's to prevent someone from spoofing those signals and shutting down other users? The

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread John Curran
At 7:45 AM -0500 2/21/06, John Curran wrote: From the web site: Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jess Kitchen
On Tue, 21 Feb 2006, Gadi Evron wrote: Hi Simon, this is indeed a Windows problem due to Microsoft being a mono-culture in our desktop world. Still, there are botnets constructed from other OS's as well. Also, CC servers are mostly *nix machines. Does 'mostly *nix' hold true of the

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jim Segrave
On Tue 21 Feb 2006 (08:45 -0500), John Curran wrote: At 7:45 AM -0500 2/21/06, John Curran wrote: From the web site: Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote: Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program Offering them free software won't

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold
On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 13:05:35 GMT, [EMAIL PROTECTED] said: How do you differentiate this infection from the ones they've been preached to to avoid? The same way that people currently differentiate bad software from good software before they install something on their machines. If

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 10:42:20 EST, Jason Frisvold said: On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools.

Re: Quarantine your infected users spreading malware

2006-02-21 Thread PC
No, just $24/month (or whatever it is now) for the whole service. You go to a keyword and it does a web based installation widget. It is free as long as you remain a subscriber. I'm not familiar with how this works in AOL land.. Does the end-user need to subscribe to anything other than

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Larry Smith
On Tuesday 21 February 2006 10:26, Jason Frisvold wrote: On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Oddly enough, AOL and several other large providers seem to have no problems advertising some variant on 'free A/V software'. Key words there.. Large Provider .. I don't think

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in,

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash
On Tue, 21 Feb 2006, Jason Frisvold wrote: On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold
On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote: Big deal. You're talking about volume licensing at that point, and offering vendors an opportunity to compete to get on every desktop in your customer base. That's a big stick to negotiate with, especially if you're an Earthlink or AOL. Agreed.

Re: Quarantine your infected users spreading malware

2006-02-21 Thread James
On Tue, Feb 21, 2006 at 07:17:38AM +0200, Gadi Evron wrote: [EMAIL PROTECTED] wrote: On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed... [snip] I'll update on these as I find out more on: http://blogs.securiteam.com This write-up can be found here:

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Scott Weeks
- Original Message Follows - From: [EMAIL PROTECTED] Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. Are you saying that the problem of spreading

Re: Quarantine your infected users spreading malware

2006-02-21 Thread Vicky Røde
Bill Nash wrote: On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote: Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the

Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. It is becoming more and more obvious that the answer may not be at the ISP's doorstep, but the ISP's are indeed a

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks
- Original Message Follows - From: Gadi Evron [EMAIL PROTECTED] Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. Some who are user/broadband ISP's (not say,

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
[EMAIL PROTECTED] wrote: On Mon, 20 Feb 2006 23:40:48 +0200, Gadi Evron said: Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. It is becoming more and more obvious

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. :-( I quite agree, which is why I tried to cover the philosophical part from both sides. Now, how

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Randy Bush
scott, these are all just gadi's self-promotion ads. i recommend procmail. randy

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash
On Tue, 21 Feb 2006, Gadi Evron wrote: Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. The ISPs will be a part of the solution. However, ISPs fall into two major

RE: Quarantine your infected users spreading malware

2006-02-20 Thread Edward W. Ray
And I have a solution for bad drivers; require all manufacturers to fix the steering wheel so that acknowledged bad drivers cannot turn the wheel to make turns, change lanes, etc. Or perhaps limit the mph to 35 max and deny them access to freeways. ISPs should not police users, just like auto

and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron
Edward W. Ray wrote: IMHO, a user should have to demonstrate a minimum amount of expertise and have an up-to-date AV, anti-spyware and firewall solution for their PCs. That is why we have hundreds of millions of bots in the wild. The mostly-user ISP's will have to eventually do something or

RE: Quarantine your infected users spreading malware

2006-02-20 Thread Frank Bulk
your infected users spreading malware Many ISP's who do care about issues such as worms, infected users spreading the love, etc. simply do not have the man-power to handle all their infected users' population. It is becoming more and more obvious that the answer may not be at the ISP's doorstep

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
Frank Bulk wrote: We're one of those user/broadband ISPs, and I have to agree with the other commentary that to set up an appropriate filtering system (either user, port, or conversation) across all our internet access platforms would be difficult. Put it on the edge and you miss the intra-net

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning
Edward W. Ray wrote: IMHO, a user should have to demonstrate a minimum amount of expertise and have an up-to-date AV, anti-spyware and firewall solution for their PCs. The mostly-user ISP's will have to eventually do something or end up being either regulated, spending more and more and

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Christopher L. Morrow
On Mon, 20 Feb 2006, Rob Thomas wrote: Hey, Bill. ] what is the mean-time-to-infection for a stock windows XP system ] when plugged into the net?... 2-5 minutes? you can't get patches ] down that fast. The same case can be made for Linux and Unix-based web servers with

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron
Christopher L. Morrow wrote: it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :( anyway, someone

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 04:15:25 +0200, Gadi Evron said: The philosophical discussion aside (latest one can be found under zotob port 445 nanog on Google), presenting some new technologies that shows this *can* be done changes the picture. OK. The tech exists, or can be made to exist. The

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Jason Frisvold
On 2/20/06, Edward W. Ray [EMAIL PROTECTED] wrote: ISPs should not police users, just like auto manufacturers should not police drivers. That is what driver's licenses are for. So the state polices the drivers.. Should the state police the internet as well? And how would that be

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Sean Donelan
On Tue, 21 Feb 2006, Christopher L. Morrow wrote: it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :(

Re: Quarantine your infected users spreading malware

2006-02-20 Thread eric-list-nanog
On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed... [snip] I'll update on these as I find out more on: http://blogs.securiteam.com This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312 Ah yes, the old self-promotion trick. You know, I get some ads

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron
Sean Donelan wrote: On Tue, 21 Feb 2006, Christopher L. Morrow wrote: it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna

Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron
[EMAIL PROTECTED] wrote: On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed... [snip] I'll update on these as I find out more on: http://blogs.securiteam.com This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312 Ah yes, the old self-promotion

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning
On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote: Hey, Bill. ] what is the mean-time-to-infection for a stock windows XP system ] when plugged into the net?... 2-5 minutes? you can't get patches ] down that fast. The same case can be made for Linux and Unix-based

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas
] true enough. but auntie jane doesn't have linux/unix web server(s) ] or router(s) (other than the one provided by her ISP and managed by them) ] and has zero clue about overly permissive service machines. Agreed. Instead all of her financial records are on those unix

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron
[EMAIL PROTECTED] wrote: On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote: Hey, Bill. ] what is the mean-time-to-infection for a stock windows XP system ] when plugged into the net?... 2-5 minutes? you can't get patches ] down that fast. The same case can be made

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning
On Tue, Feb 21, 2006 at 12:04:17AM -0600, Rob Thomas wrote: ] true enough. but auntie jane doesn't have linux/unix web server(s) ] or router(s) (other than the one provided by her ISP and managed by them) ] and has zero clue about overly permissive service machines. Agreed.

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas
Hey, Bill. The vast majority of what I see is based on financial gain. Popping a web+database server, installing a rootkit, and transferring off the day's business transactions is a lot more certain than popping 10K Windows boxes and hoping the users go shopping. Yep, seen it more than once.

Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis . Kletnieks
On Mon, 20 Feb 2006 23:54:38 EST, Sean Donelan said: On the other hand, the number of infected computers never seems to spiral out of control. I've been wondering, instead of trying to figure out why some computers get infected, should we be trying to figure out why most computers don't become