[61702] in North American Network Operators' Group


Re: Automatic shutdown of infected network connections

daemon@ATHENA.MIT.EDU (Chris Lewis)
Wed Sep 3 15:09:52 2003

Date: Wed, 03 Sep 2003 15:01:06 -0400
From: "Chris Lewis" <clewis@nortelnetworks.com>
To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0308292137070.8882-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


Sean Donelan wrote:

> How many ISPs disconnect infected computers from the network?  Do you
> leave them connected because they are paying customers, and how else
> could they download the patch from Microsoft?

As an aside:

As a corporation (no customers per se), we disconnect infected computers 
_completely_ (via remote router/switch control tools).  We can do it 
automatically (via various detectors), but usually do it manually.

This is primarily to maintain service levels with non-infected stuff.

Fixing the computer is usually done by support staff.  Via CD if it's 
unsafe to reconnect the machine to the net.

If we get infested bad enough, we block the attack ports 
subnet-by-subnet as necessary until we've sterilized the subnet.


