[89025] in North American Network Operators' Group
Re: Quarantine your infected users spreading malware
daemon@ATHENA.MIT.EDU (David Nolan)
Wed Mar 1 08:37:38 2006
Date: Wed, 01 Mar 2006 08:37:08 -0500
From: David Nolan <vitroth+@cmu.edu>
To: nanog@merit.edu
In-Reply-To: <82670000.1141155577@thunder-mountain.net.cmu.edu>
Errors-To: owner-nanog@merit.edu
--On Tuesday, February 28, 2006 14:39:37 -0500 David Nolan
<vitroth+@cmu.edu> wrote:
> We a couple techniques at Carnegie Mellon, depending on the network
> scenario.
>
> The DHCP based technique outlined above requires no extra infrastructure,
> just extra configuration, so it is what we use for most of our campus
> wired networks. We use the same setup as our registration helper
> network, so our internal name for the DHCP based quarantine system is
> called QuickReg. An unknown or banned client gets an address in 1918
> space and can only access our abuse tracking, patch download and network
> registration systems.
Following up my own post. I know, its always bad ettiquete, but I forgot
to mention something.
We're also using an active suspension mechanism for these networks to block
clients with current valid DHCP leases instantly. We use Unicast Reverse
Path Filtering (*) and /32 host routes injected into our OSPF cloud via
quagga (ospf routing daemon on a unix server).
This means a suspended host loses all network connectivity immediately,
until they re-dhcp, at which point they'll have a rfc1918 address and have
access to the quarantine network. This also handles the occasional
statically configured host.
We can also use this system to filter external hosts without having to
manipulate border router acls frequently.
(*): For anyone who doesn't know, URPF is essentially a way to do automatic
acls, comparing the source IP of on an incoming packet to the routing table
to verify the packet should have come from this interface. With the right
hardware this is significantly cheaper then acl processing. And its
certainly easier to maintain. And by injecting a /32 null route into the
route table you can cause a host's local router to start discarding all
traffic from that IP.
-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University