Re: Automatic shutdown of infected network connections

[Nathan E Norman <nnorman () incanus net>]

On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
> On Tue, Sep 02, 2003 at 09:59:51AM -0500, Jonathan Crockett wrote:
> > I work for a cable modem provider.  What we came up with is a modem config
> > that allows http, pop, and smtp while cutting the allowed bandwidth to 56k
> > upstream and 56k downstrem.  This way they can still get the needed updates,
> > but are not able to blast our network.  Secondary effect is that customer
> > will call in an complain about slow speeds, then our techs can tell them why,
> > they are slow and inform them how to fix the problem.
>
> Why in the world would you do that? the DOCSIS specification allows for
> filtering rules at the CPE, which means you could simply block icmp echo
> and ports 135-139+445 directly at their home network, causing no load 
> whatsoever on your network, _and_ no more infected boxes (even at 56k).

The modem _is_ the CPE.  There's no load on the network; just CPU on
the modem.  "modem config" != "CMTS config".
 
> Besides, have you ever tried updating an XP system at 56k? It could 
> literally take days.

You may have a point there.

-- 
Nathan Norman - Incanus Networking mailto:nnorman () incanus net
  Perilous to all of us are the devices of an art deeper than we
  ourselves possess.
          -- Gandalf the Grey