North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Quarantine your infected users spreading malware

  • From: Bill Nash
  • Date: Mon Feb 20 19:11:19 2006


While i'm not being told to shut up because this is off topic (yet), I'm going to suggest that people interested in continuing this conversation contact me off list and coordinate something ad hoc. The amount of bullshit I've already recieved in response to thinking that this has operational merit when it comes to mitigating both risk and effects is pretty astounding, even by nanog standards.

Thanks.

- billn

On Mon, 20 Feb 2006, Bill Nash wrote:

On Tue, 21 Feb 2006, Gadi Evron wrote:
Many ISP's who do care about issues such as worms, infected users "spreading the love", etc. simply do not have the man-power to handle all their infected users' population.

The ISPs will be a part of the solution. However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem. How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?
What products that answer this are out there, and how good, in your experience, are they?

We discussed this here before non-conclusively and stayed on philosophy, anyone has new experience on the subject?

Let's be clear in what we're addressing. Are we talking about an en masse quarantine of IP addresses sending the worm traffic, or identifying the C&C<->payload conversations and applying blocks accordingly?

Where are the anti-virus and software firewall vendors in this conversation? To be plain, this obviously isn't a problem you can solve with some border filters. The complexity, and fallout, from trying to put those kinds of filtering in is just too great. It's cumbersome to manage manually and operational impact is too great.

If we're going to philosophize about solutions, let's throw some ideas out. Where do concepts like ThreatNet fit into this notion? (http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet is to establish a closed threat sharing network with trusted peers, sharing information about malcontents doing things on your network that they shouldn't be. If you can positively identify SSH brute force sources, port scan patterns, worm traffic, spam sources, etc, and report them to trusted peers in a collaborative fashion, it becomes easier to support intelligent and rapid traffic filtering concepts in your network designs, where appropriate, even if it's something as simple as putting together a business case for filtering entire netblocks or regions. (Yes, I write my own analyzers, and yes, I'm involved peripherally with this project.) ThreatNet is still pretty nascent, but conceptually it's got merit.

I'll bring up MainNerve again since they're the only vendor I've worked with that's got tools for selectively filtering known troublemakers.

As a potential solution, I bring both of these items up because they provide the ability to take good, distributed intelligence gathering and apply them to your network in a precision manner, if at all, in accordance with any unique policies you may have. The problem, as I see it, is that even if one ISP sees the bad behaviour, there's no communication amongst the community (that I can see) to relay or collate the history. It's like playing Mom off against Dad because they never talk to each other. For coming up with clear patterns of abuse and shenanigans, we're suffering from collective myopia because we're ignoring an aspect of of our favorite big ass communications medium.

Or I'm completely off base, in which case tell me to shut up and I'll go back into my code coma.

- billn