North American Network Operators Group
RE: Quarantine your infected users spreading malware
-----Original Message-----
From: Gadi Evron [mailto:[email protected]]
Sent: Monday, February 20, 2006 7:35 PM
To: [email protected]
Cc: [email protected]
Subject: Re: Quarantine your infected users spreading malware

Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the
> other commentary that to set up an appropriate filtering system
> (either user, port, or conversation) across all our internet access
> platforms would be difficult. Put it on the edge and you miss the
> intra-net traffic, put it in the core and you need a box on every
> router, which for a larger or geographically distributed ISP could be
> cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk
who are of the malware-sort rather than bad people? Can these be put in
a specific group?

FB> Most of the repeat offenders tend to be people who lack the ability to
choose websites judiciously, to put it kindly. But when we encourage them
to get a pop-up blocker, update their antivirus (either the whole program
or definitions), and install a firewall (Windows XP or cheap NAT router),
the problem usually fades away. Most "just didn't know" that their
computer was spewing forth spam or viruses, being used as a proxy, or part
of some kind of botnet.

> In relation to that ThreatNet model, we just could wish there was a
> place we could quickly and accurately aggregate information about the
> bad things our users are doing -- a combination of RBL listings,
> [email protected], SenderBase, MyNetWatchman, etc. We don't have our own traffic
> monitoring and analysis system in place, and even if we did, I'm
> afraid our work would still be very reactionary.
>
> And for the record, we are one of those ISPs that blocks ports 139 and
> 445 on our DSLAM and CMTS, and we've not received one complaint, but
> I'm confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?

FB> We don't look at the logs for entries regarding ports 139/445, but
when we last looked it was a few unique IP addresses per day. And due to
our size, we have no idea how much it reduced abuse reports. It's been in
place for several years.

>
> Frank

Gadi.
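Gadi asks whether the 139/445 block produced statistics and whether "malware-sort" repeat offenders can be put in their own group; Frank answers that when they last looked the filter logs showed a few unique IP addresses per day. The script below is an added illustration of how an operator could pull both numbers from such logs: it is not code from either poster or from any ISP's DSLAM/CMTS, and the log lines are constructed, simplified iptables-style syslog entries (the prefix DROP-SMB, the interface names and the 10.1.x.x source addresses are assumptions). It counts unique customer sources per day whose outbound TCP/139 or TCP/445 attempts were dropped, and lists the sources seen on several distinct days, which is the "specific group" an abuse desk would want to follow up on.

```python
"""Per-day unique sources hitting TCP/139 and TCP/445 at an ISP edge filter,
plus the repeat offenders seen across several days.

Added illustration for the NANOG thread above; the log lines are constructed
and simplified, not real DSLAM/CMTS or iptables output.
"""
import re
from collections import defaultdict

# Constructed sample: an edge filter logging dropped outbound SMB/NetBIOS
# attempts with the (assumed) prefix "DROP-SMB", plus one unrelated accept.
SAMPLE_LOG = """\
Feb 20 08:01:12 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.7 PROTO=TCP SPT=1045 DPT=445
Feb 20 08:01:13 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.8 PROTO=TCP SPT=1046 DPT=445
Feb 20 09:17:40 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.9.9 DST=198.51.100.2 PROTO=TCP SPT=3301 DPT=139
Feb 20 09:18:02 edge1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.9.9 DST=198.51.100.2 PROTO=TCP SPT=3302 DPT=80
Feb 21 02:44:10 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.9 PROTO=TCP SPT=1101 DPT=445
Feb 21 11:05:55 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.7.7 DST=192.0.2.44 PROTO=TCP SPT=2200 DPT=445
Feb 22 13:30:00 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.45 PROTO=TCP SPT=1180 DPT=139
Feb 22 13:31:00 edge1 kernel: DROP-SMB IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.45 PROTO=UDP SPT=137 DPT=137
"""

# The two ports Frank's ISP blocks at the DSLAM/CMTS (TCP only here).
SMB_PORTS = {139, 445}

# Syslog date, host, action prefix, then the SRC/PROTO/DPT fields in order.
# The lazy ".*?" gaps tolerate extra fields (DST, LEN, TTL, ...) in between.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: (?P<action>\S+) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (date, action, src, proto, dport) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("date"), m.group("action"), m.group("src"),
            m.group("proto"), int(m.group("dpt")))


def smb_sources_by_day(log_text):
    """Map each day to the set of source IPs whose outbound TCP/139 or
    TCP/445 attempts were dropped. UDP/137-138 NetBIOS noise is ignored."""
    by_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        date, action, src, proto, dport = rec
        if action == "DROP-SMB" and proto == "TCP" and dport in SMB_PORTS:
            by_day[date].add(src)
    return dict(by_day)


def daily_unique_counts(log_text):
    """The 'unique IP addresses per day' figure Frank quotes."""
    return {day: len(srcs) for day, srcs in smb_sources_by_day(log_text).items()}


def repeat_offenders(log_text, min_days=2):
    """Sources seen on at least min_days distinct days: the candidates for a
    separate 'probably infected, not malicious' group at the abuse desk."""
    days_per_src = defaultdict(set)
    for day, srcs in smb_sources_by_day(log_text).items():
        for src in srcs:
            days_per_src[src].add(day)
    return sorted(src for src, days in days_per_src.items() if len(days) >= min_days)


if __name__ == "__main__":
    for day, n in sorted(daily_unique_counts(SAMPLE_LOG).items()):
        print(f"{day}: {n} unique source(s) blocked on 139/445")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Real iptables LOG lines carry more fields (MAC, LEN, TTL, ID, flags) than the constructed sample; the regex only anchors on the prefix, SRC, PROTO and DPT, so it works on those too. Counting unique sources rather than raw drops matters because one infected host scanning /16s produces thousands of entries a day, and a single NAT router in front of several infected PCs still shows as one customer, which is exactly the granularity the abuse desk works at.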