nanog mailing list archives

Re: Quarantine network for infected hosts?


From: Hani Mustafa <hani.mustafa () noorgroup net>
Date: Mon, 1 Dec 2003 21:03:35 +0200


Eric,

I wrote up a quick note on what we do at:

      http://www.roxanne.org/~eric/blaster.html

Quote from "Known Issues":

"One of the unfortunate side effects of it is that some spyware/adware either overrides your DNS settings with their 
own or makes an HTTP call to their website before allowing the browser to download a page normally."

A different way to tackle this problem (instead of the DNS views approach) is to do it at a lower level. Something 
like Cisco's SSG (*) can be used to do the equivalent of DNAT for a specified set of source addresses.

This being a static configuration, I wonder if SSG's original purpose can be used as a solution which does not need 
DHCP. In this case, all network users would, by default, be redirected to a "verification website" (whatever 
verification method is used to determine whether this host is infected), after which the user is allowed to pass 
through the gateway without manipulating the packets IF the box was confirmed clean.

On a separate note, with the complexity of setting up SSG aside, you can easily implement something like this using 
iptables' REDIRECT target. ("iptables -s 10.0.0.0/8 -j REDIRECT ..." or something)

~Hani Mustafa

(*) http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/ssgw_ds.htm
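As an added example (not part of Hani's post, and not Cisco SSG configuration), here is one way to lay out the iptables REDIRECT-based quarantine described above on a Linux gateway: every LAN host starts unverified and has its web traffic redirected to a verification site, and a host confirmed clean is released with a RETURN rule. The LAN range 10.0.0.0/8 comes from the post; the portal port 8080, the resolver address and the chain name QUARANTINE are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco's SSG documentation:
# a REDIRECT-based quarantine on a Linux gateway, as sketched in the thread.
# Assumptions: user LAN is 10.0.0.0/8, the verification web site runs on the
# gateway itself on TCP 8080, and a separate resolver host answers DNS.
# By default the commands are only printed; set IPTABLES=iptables to apply them.
IPTABLES=${IPTABLES:-"echo iptables"}
LAN=10.0.0.0/8
PORTAL_PORT=8080
RESOLVER=10.0.0.53   # constructed address of the LAN resolver

# Accept only dotted-quad IPv4 hosts so a malformed argument never becomes a rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Default state: every LAN host is unverified. Its HTTP goes to the portal,
# DNS may reach the resolver, and everything else it tries to forward is dropped.
quarantine_setup() {
    $IPTABLES -t nat -N QUARANTINE
    $IPTABLES -t nat -A PREROUTING -s "$LAN" -j QUARANTINE
    $IPTABLES -t nat -A QUARANTINE -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    $IPTABLES -N QUARANTINE
    $IPTABLES -A FORWARD -s "$LAN" -j QUARANTINE
    $IPTABLES -A QUARANTINE -p udp --dport 53 -d "$RESOLVER" -j ACCEPT
    $IPTABLES -A QUARANTINE -j DROP
}

# A host confirmed clean gets a RETURN at the top of both chains, so its
# packets leave the quarantine chains untouched (no redirect, no drop).
mark_clean() {
    valid_ipv4 "$1" || return 1
    $IPTABLES -t nat -I QUARANTINE 1 -s "$1" -j RETURN
    $IPTABLES -I QUARANTINE 1 -s "$1" -j RETURN
}

# Reverse of mark_clean, for a host that is later found infected again.
mark_unverified() {
    valid_ipv4 "$1" || return 1
    $IPTABLES -t nat -D QUARANTINE -s "$1" -j RETURN
    $IPTABLES -D QUARANTINE -s "$1" -j RETURN
}
```

Redirected HTTP is delivered to the gateway's own INPUT path rather than FORWARD, so the portal on port 8080 must be reachable from the LAN in the INPUT chain as well.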

