nanog mailing list archives

Re: Quarantine your infected users spreading malware


From: David Nolan <vitroth+ () cmu edu>
Date: Wed, 01 Mar 2006 14:36:45 -0500




--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates <jbates () brightok net> wrote:

> Do you find that web redirection actually stems the flow of calls to the
> helpdesk? We find that anything out of the normal usually results in a
> customer calling the helpdesk just because they weren't expecting it. We
> found this to be true of email notifications as well.

We believe it does help to an extent. But more importantly to us, the same system that sent the notices and quarantined the host also is tracking the incident. It's visible to the help desk staff and the security staff, and searching there first when a user contacts us is standard procedure. Prior to this system we were keeping track of suspended machines by hand or via email. In the summer of 2003, when the big Windows RPC vulnerability was out, and both Blaster and Welchia happened, we knew right away that we needed a system to track the *hundreds* of suspend/restore requests we were processing. First it was just a tracking system, then it became a fully automated notification and suspension system.

One of the things we do is send vulnerability notices for large scale OS vulnerabilities. For example, for the Windows Print Spooler vulnerability, MS05-043, we scan our network multiple times a day and send notices to the owners of vulnerable machines. The user/admin then has 24 hours to patch the machine and use the web app to tell us they did. If they don't do so, the machine is suspended. Once suspended they can still use the web app to restore themselves. However, if we find a machine is still unpatched after we've been told it was patched, we immediately suspend it.

> The other issue is,
> of course, differing what we are doing with those thousands of annoying
> ads that make users believe they are infected.


Well, once they're quarantined they should stop getting those ads and just get your quarantine notice, so that should be different, right?

-David
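The tracking and suspension workflow David describes (scan, notice, 24-hour grace period, owner self-report through the web app, suspension, owner self-restore, and immediate re-suspension when a claimed patch turns out to be false) can be written as a small state machine that also keeps the per-incident history the help desk searches first. The following is an added illustration, not CMU's system or any code from the thread; the host names, timestamps and the way MS05-043 is used as an advisory key are constructed, and the exact states and transitions are one reading of the post.

```python
"""Quarantine/incident tracker modelled on the workflow described in the post.

Hypothetical example code: the states, host names and timestamps are
constructed for the demonstration and are not taken from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

GRACE_PERIOD = timedelta(hours=24)  # time the owner gets to patch after a notice


class State(Enum):
    VULNERABLE = "vulnerable"            # scan hit, notice sent, grace clock running
    CLAIMED_PATCHED = "claimed_patched"  # owner said via the web app that it is patched
    SUSPENDED = "suspended"              # network access removed
    RESTORED = "restored"                # owner self-restored; awaiting a clean scan
    CLEAR = "clear"                      # a scan no longer finds the vulnerability


@dataclass
class Incident:
    host: str
    advisory: str
    state: State
    notified_at: datetime
    history: list = field(default_factory=list)  # (timestamp, note) pairs for the help desk


class QuarantineTracker:
    def __init__(self):
        self.incidents = {}  # (host, advisory) -> Incident

    def _set(self, inc, state, when, note):
        inc.state = state
        inc.history.append((when, note))
        return state

    def scan_result(self, host, advisory, vulnerable, now):
        """Apply one host's result from a periodic scan and return its new state."""
        key = (host, advisory)
        inc = self.incidents.get(key)
        if vulnerable:
            if inc is None or inc.state == State.CLEAR:
                # First (or renewed) detection: open an incident and send the notice.
                inc = Incident(host, advisory, State.VULNERABLE, now)
                self.incidents[key] = inc
                inc.history.append((now, "vulnerable; notice sent to owner"))
            elif inc.state in (State.CLAIMED_PATCHED, State.RESTORED):
                # We were told it was patched but it is not: suspend immediately.
                self._set(inc, State.SUSPENDED, now,
                          "still vulnerable after patch claim; suspended")
            # Still VULNERABLE inside the grace period, or already SUSPENDED: no change.
        elif inc is not None and inc.state in (State.VULNERABLE,
                                               State.CLAIMED_PATCHED,
                                               State.RESTORED):
            # A clean scan closes the incident; a SUSPENDED host must self-restore first.
            self._set(inc, State.CLEAR, now, "scan clean; incident closed")
        return inc.state if inc else State.CLEAR

    def owner_reports_patched(self, host, advisory, now):
        """Owner used the web app to say the host is patched (or to self-restore)."""
        inc = self.incidents[(host, advisory)]
        if inc.state == State.VULNERABLE:
            return self._set(inc, State.CLAIMED_PATCHED, now, "owner reported patched")
        if inc.state == State.SUSPENDED:
            return self._set(inc, State.RESTORED, now, "owner self-restored via web app")
        return inc.state

    def enforce_deadlines(self, now):
        """Suspend every host still VULNERABLE with no patch report after the grace period."""
        suspended = []
        for inc in self.incidents.values():
            if inc.state == State.VULNERABLE and now - inc.notified_at >= GRACE_PERIOD:
                self._set(inc, State.SUSPENDED, now, "no patch report within 24h; suspended")
                suspended.append(inc.host)
        return suspended

    def lookup(self, host):
        """What the help desk checks first when a user calls in."""
        return [inc for (h, _), inc in self.incidents.items() if h == host]


def demo():
    """Constructed walk-through: two hosts flagged by the same scan."""
    t = QuarantineTracker()
    t0 = datetime(2006, 3, 1, 8, 0)  # constructed timestamp
    t.scan_result("host-a", "MS05-043", True, t0)
    t.scan_result("host-b", "MS05-043", True, t0)
    # host-a's owner claims a patch after 2h; the 6h scan still finds it vulnerable.
    t.owner_reports_patched("host-a", "MS05-043", t0 + timedelta(hours=2))
    a_after_scan = t.scan_result("host-a", "MS05-043", True, t0 + timedelta(hours=6))
    b_after_scan = t.scan_result("host-b", "MS05-043", True, t0 + timedelta(hours=6))
    # host-b never reported; after 24h it is suspended, then self-restores and scans clean.
    late = t.enforce_deadlines(t0 + timedelta(hours=25))
    t.owner_reports_patched("host-b", "MS05-043", t0 + timedelta(hours=26))
    b_final = t.scan_result("host-b", "MS05-043", False, t0 + timedelta(hours=30))
    return {"a_after_scan": a_after_scan, "b_after_scan": b_after_scan,
            "late": late, "b_final": b_final,
            "a_final": t.lookup("host-a")[0].state}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two things the post singles out are both visible here: a host that is still vulnerable after its owner claimed a patch skips the grace period and is suspended on the next scan, and every transition is appended to the incident's history so a help desk call can be answered from the tracker rather than from memory or old email.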
