[88813] in North American Network Operators' Group


and here are some answers [was: Quarantine your infected users spreading

daemon@ATHENA.MIT.EDU (Gadi Evron)
Mon Feb 20 19:29:10 2006

Date: Tue, 21 Feb 2006 02:27:05 +0200
From: Gadi Evron <ge@linuxbox.org>
To: "Edward W. Ray" <spamjail@mmicman.com>
Cc: nanog@merit.edu
In-Reply-To: <000501c6367c$cd08fa00$0e01a8c0@mmicmanhomenet.local>
Errors-To: owner-nanog@merit.edu


Edward W. Ray wrote:
> IMHO, a user should have to demonstrate a minimum amount of expertise and
> have an up-to-date AV, anti-spyware and firewall solution for their PCs.

That is why we have hundreds of millions of bots in the wild.

The mostly-user ISPs will have to eventually do something or end up 
being either regulated, spending more and more and more on tech support 
and/OR abuse personnel, or written down as blackhat ASes.

Some PRODUCTS, PRO and AGAINST links from people on quarantining of 
infected users, thanks to all those who shared so far!

Products so far (haven't tried or verified them myself):
http://www.rommon.com/sandbox.html
http://www.forescout.com/index.php?url=products&section=counteract

Other:
Eric Gauthier's Ethernet-oriented quarantine system (from NANOG in 
2003): http://www.nanog.org/mtg-0402/gauthier.html

Other choice papers from Jose's blog:
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html
http://www.csl.sri.com/users/linda/bibs/publications/mmsm2005.pdf
http://www.csl.sri.com/papers/sri-csl-2005-03/
http://www.cs.wfu.edu/~fulp/Papers/iiaw05t.pdf
http://www.icir.org/vern/worm04/porras.pdf
http://www.icir.org/vern/worm04/xiong.pdf
http://www.cs.rpi.edu/research/pdf/05-01.pdf

	Gadi.
