nanog mailing list archives
RE: Quarantine your infected users spreading malware
From: "Frank Bulk" <frnkblk () iname com>
Date: Mon, 20 Feb 2006 19:45:06 -0600
-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Monday, February 20, 2006 7:35 PM
To: frnkblk () iname com
Cc: nanog () merit edu
Subject: Re: Quarantine your infected users spreading malware

Frank Bulk wrote:

We're one of those user/broadband ISPs, and I have to agree with the other commentary that to set up an appropriate filtering system (either user, port, or conversation) across all our internet access platforms would be difficult. Put it on the edge and you miss the intra-net traffic, put it in the core and you need a box on every router, which for a larger or graphically distributed ISP could be cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk who are of the malware-sort rather than bad people? Can these be put in a specific group?

FB> Most of the repeat offenders tend to be people who lack the ability to choose websites judiciously, to put it kindly. But when we encourage them to get a pop-up blocker, update their antivirus (either the whole program or definitions), and install a firewall (Windows XP or cheap NAT router), the problem usually fades away. Most "just didn't know" that their computer was spewing forth spam or viruses, being used as a proxy, or part of some kind of botnet.

In relation to that ThreatNet model, we just could wish there was a place we could quickly and accurately aggregate information about the bad things our users are doing -- a combination of RBL listings, abuse@, SenderBase, MyNetWatchman, etc. We don't have our own traffic monitoring and analysis system in place, and even if we did, I'm afraid our work would still be very reactionary. And for the record, we are one of those ISPs that blocks ports 139 and 445 on our DSLAM and CMTS, and we've not received one complaint, but I'm confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce abuse reports, tech support calls, etc.?

FB> We don't look at the logs for entries regarding ports 139/445, but when we last looked it was a few unique IP addresses per day. And due to our size, we have no idea how much it reduced abuse reports. It's been in place for several years.

Frank
Gadi.