[88819] in North American Network Operators' Group
RE: Quarantine your infected users spreading malware
daemon@ATHENA.MIT.EDU (Frank Bulk)
Mon Feb 20 20:47:47 2006
Reply-To: <frnkblk@iname.com>
From: "Frank Bulk" <frnkblk@iname.com>
To: "'Gadi Evron'" <ge@linuxbox.org>
Cc: <nanog@merit.edu>
Date: Mon, 20 Feb 2006 19:45:06 -0600
In-Reply-To: <43FA6E47.6090905@linuxbox.org>
Errors-To: owner-nanog@merit.edu
-----Original Message-----
From: Gadi Evron [mailto:ge@linuxbox.org]
Sent: Monday, February 20, 2006 7:35 PM
To: frnkblk@iname.com
Cc: nanog@merit.edu
Subject: Re: Quarantine your infected users spreading malware
Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the
> other commentary that to set up an appropriate filtering system
> (either user, port, or conversation) across all our internet access
> platforms would be difficult. Put it on the edge and you miss the
> intra-net traffic, put it in the core and you need a box on every
> router, which for larger or geographically distributed ISPs could be
> cost-prohibitive.
I have a question here: do you have repeat offenders in your abuse desk who
are of the malware sort rather than bad people? Can these be put in a
specific group?
FB> Most of the repeat offenders tend to be people who lack the ability to
choose websites judiciously, to put it kindly. But when we encourage them to
get a pop-up blocker, update their antivirus (either the whole program or
definitions), and install a firewall (Windows XP or cheap NAT router), the
problem usually fades away. Most "just didn't know" that their computer was
spewing forth spam or viruses, being used as a proxy, or part of some kind
of botnet.
> In relation to that ThreatNet model, we just could wish there was a
> place we could quickly and accurately aggregate information about the
> bad things our users are doing -- a combination of RBL listings,
> abuse@, SenderBase, MyNetWatchman, etc. We don't have our own traffic
> monitoring and analysis system in place, and even if we did, I'm
> afraid our work would still be very reactionary.
>
> And for the record, we are one of those ISPs that blocks ports 139 and
> 445 on our DSLAM and CMTS, and we've not received one complaint, but
> I'm confident it has cut down on a host of infections.
Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?
FB> We don't look at the logs for entries regarding ports 139/445, but when
we last looked it was a few unique IP addresses per day. And due to our size,
we have no idea how much it reduced abuse reports. It's been in place for
several years.
>
> Frank
Gadi.
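A small measurement script, added here as an example (it is not from the thread or from either poster), for the kind of statistic Gadi asks about: it parses ACL deny log lines and counts distinct customer source IPs per day that tried to reach 139/445, which is the "few unique IP addresses per day" figure Frank describes. The syslog format (in the style of Cisco IOS ACL logging), router name, ACL name and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the style of Cisco IOS ACL logging; the
# router name, ACL name and addresses are made up for this example.
SAMPLE_LOG = """\
Feb 20 01:02:03 edge-rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-SMB denied tcp 10.0.5.17(1345) -> 198.51.100.20(445), 1 packet
Feb 20 01:02:09 edge-rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-SMB denied tcp 10.0.5.17(1346) -> 198.51.100.21(445), 1 packet
Feb 20 03:15:44 edge-rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-SMB denied tcp 10.0.9.2(2201) -> 203.0.113.5(139), 3 packets
Feb 20 22:47:01 edge-rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-SMB denied tcp 10.0.5.17(1402) -> 198.51.100.77(445), 1 packet
Feb 21 00:10:00 edge-rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-SMB denied tcp 10.0.7.99(4001) -> 192.0.2.14(445), 1 packet
Feb 21 00:10:05 edge-rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-SMB denied udp 10.0.7.99(137) -> 192.0.2.14(137), 1 packet
Feb 21 00:11:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin
"""

# One deny record: month, day, protocol, source IP and destination port.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \S+ \S+ %SEC-6-IPACCESSLOGP: "
    r"list \S+ denied (?P<proto>\w+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\(\d+\) -> "
    r"\d{1,3}(?:\.\d{1,3}){3}\((?P<dport>\d+)\), \d+ packets?$"
)

SMB_PORTS = frozenset({139, 445})  # the ports the post says are blocked at the DSLAM/CMTS


def collect_hits(log_text, ports=SMB_PORTS):
    """Map each day to {dst_port: set of customer source IPs} for denied TCP flows to `ports`."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an ACL deny record (or a line we cannot parse)
        dport = int(m["dport"])
        if m["proto"] != "tcp" or dport not in ports:
            continue
        day = f"{m['mon']} {int(m['day'])}"  # normalise single-digit day padding
        hits[day][dport].add(m["src"])
    return hits


def unique_sources_per_day(hits):
    """Distinct source IPs per day across all watched ports; one infected host
    retries many times, so distinct sources is the figure worth trending."""
    return {day: len(set().union(*per_port.values())) for day, per_port in hits.items()}


def unique_sources_per_day_and_port(hits):
    """Break the per-day figure down by destination port, e.g. {("Feb 20", 445): 1}."""
    return {(day, port): len(srcs) for day, per_port in hits.items() for port, srcs in per_port.items()}


if __name__ == "__main__":
    h = collect_hits(SAMPLE_LOG)
    for day, n in sorted(unique_sources_per_day(h).items()):
        print(f"{day}: {n} unique source IP(s) hitting 139/445")
```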