[89051] in North American Network Operators' Group
Re: Quarantine your infected users spreading malware
daemon@ATHENA.MIT.EDU (David Nolan)
Wed Mar 1 14:37:16 2006
Date: Wed, 01 Mar 2006 14:36:45 -0500
From: David Nolan <vitroth+@cmu.edu>
To: nanog@merit.edu
In-Reply-To: <4405DCE9.4050205@brightok.net>
Errors-To: owner-nanog@merit.edu
--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates <jbates@brightok.net> wrote:
>
> Do you find that web redirection actually stems the flow of calls to the
> helpdesk? We find that anything out of the normal usually results in a
> customer calling the helpdesk just because they weren't expecting it. We
> found this to be true of email notifications as well.
We believe it does help to an extent. But more importantly to us, the same
system that sent the notices and quarantined the host also is tracking the
incident. It's visible to the help desk staff and the security staff, and
searching there first when a user contacts us is standard procedure. Prior
to this system we were keeping track of suspended machines by hand or via
email. In the summer of 2003, when the big Windows RPC vulnerability was
out, and both Blaster and Welchia happened, we knew right away that we
needed a system to track the *hundreds* of suspend/restore requests we were
processing. First it was just a tracking system, then it became a full
automated notification and suspension system.
One of the things we do is send vulnerability notices for large scale OS
vulnerabilities. For example, for the Windows Print Spooler vulnerability,
MS05-043, we scan our network multiple times a day and send notices to the
owners of vulnerable machines. The user/admin then has 24 hours to patch
the machine and use the web app to tell us they did. If they don't do so
the machine is suspended. Once suspended they can still use the web app to
restore themselves. However if we find a machine is still unpatched after
we've been told it was patched we immediately suspend it.
> The other issue is,
> of course, differentiating what we are doing from those thousands of annoying
> ads that make users believe they are infected.
>
Well, once they're quarantined they should stop getting those ads and just
get your quarantine notice, so that should be different, right?
-David
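The notify / 24-hour grace / suspend / self-restore workflow described in the message above, modelled as a small tracker. This is an added example, not code from the original post or from CMU's system; the host addresses, owner names, timestamps and scan results are constructed, and the rule that a host reported patched and no longer found by a scan is closed as clean is an assumption the post does not state.

```python
"""Model of a notify -> grace period -> suspend -> self-restore quarantine tracker.

Added example, not CMU's code. Hosts, owners, times and scan results below are
constructed; the "close as clean when no longer found" rule is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

GRACE_PERIOD = timedelta(hours=24)  # patch window quoted in the post


@dataclass
class HostRecord:
    ip: str
    owner: str
    state: str = "clean"                # clean | notified | suspended
    notified_at: Optional[datetime] = None
    attested_patched: bool = False      # owner claimed "patched" via the web app
    history: List[str] = field(default_factory=list)

    def note(self, when: datetime, msg: str) -> None:
        self.history.append(f"{when:%Y-%m-%d %H:%M} {self.ip}: {msg}")


class QuarantineTracker:
    """Keeps notify/suspend/restore state where help desk and security staff
    can search it, instead of tracking suspended machines by hand or by e-mail."""

    def __init__(self, owners: Dict[str, str]):
        self.hosts = {ip: HostRecord(ip, owner) for ip, owner in owners.items()}

    def _suspend(self, h: HostRecord, now: datetime, reason: str) -> None:
        h.state = "suspended"
        h.note(now, f"SUSPENDED ({reason})")

    def process_scan(self, now: datetime, advisory: str, vulnerable: Iterable[str]) -> None:
        """Apply one scan pass: notify new finds, enforce the grace period, and
        suspend immediately when a host reported patched is still vulnerable."""
        found = set(vulnerable)
        for ip, h in self.hosts.items():
            if ip in found:
                if h.state == "clean":
                    h.state = "notified"
                    h.notified_at = now
                    h.attested_patched = False
                    h.note(now, f"notice sent to {h.owner} for {advisory}; 24h to patch")
                elif h.state == "notified":
                    if h.attested_patched:
                        self._suspend(h, now, "still vulnerable after owner reported it patched")
                    elif now - h.notified_at >= GRACE_PERIOD:
                        self._suspend(h, now, "grace period expired without patch")
                # already suspended and still vulnerable: nothing further to do
            elif h.state == "notified" and h.attested_patched:
                # Assumption: a host reported patched that the scan no longer
                # finds vulnerable is closed out as clean.
                h.state = "clean"
                h.note(now, "scan confirms patched; incident closed")

    def attest_patched(self, now: datetime, ip: str) -> None:
        """Owner uses the web app to report the machine is patched."""
        h = self.hosts[ip]
        h.attested_patched = True
        h.note(now, "owner reported patched via web app")

    def self_restore(self, now: datetime, ip: str) -> None:
        """Owner uses the web app to lift a suspension; the next scan verifies it."""
        h = self.hosts[ip]
        if h.state != "suspended":
            raise ValueError(f"{ip} is not suspended")
        h.state = "notified"
        h.notified_at = now
        h.attested_patched = True       # a restore counts as a "patched" claim
        h.note(now, "owner self-restored via web app")

    def lookup(self, ip: str) -> List[str]:
        """What the help desk searches first when a user calls in."""
        return list(self.hosts[ip].history)


def run_scenario() -> QuarantineTracker:
    """Constructed timeline (not real data) for three hosts during one advisory."""
    t0 = datetime(2005, 8, 10, 8, 0)
    tr = QuarantineTracker({"10.0.1.10": "alice", "10.0.1.11": "bob", "10.0.1.12": "carol"})
    tr.process_scan(t0, "MS05-043", ["10.0.1.10", "10.0.1.11", "10.0.1.12"])
    tr.attest_patched(t0 + timedelta(hours=6), "10.0.1.11")   # bob claims patched
    tr.process_scan(t0 + timedelta(hours=12), "MS05-043",
                    ["10.0.1.10", "10.0.1.11", "10.0.1.12"])   # bob still vulnerable -> suspended now
    tr.attest_patched(t0 + timedelta(hours=20), "10.0.1.12")  # carol really patched
    tr.process_scan(t0 + timedelta(hours=25), "MS05-043",
                    ["10.0.1.10", "10.0.1.11"])                # alice: 24h expired -> suspended; carol closed
    tr.self_restore(t0 + timedelta(hours=26), "10.0.1.10")    # alice patches and restores herself
    tr.self_restore(t0 + timedelta(hours=26), "10.0.1.11")    # bob restores without patching
    tr.process_scan(t0 + timedelta(hours=36), "MS05-043", ["10.0.1.11"])
    return tr


if __name__ == "__main__":
    tracker = run_scenario()
    for host in tracker.hosts:
        print(tracker.hosts[host].state, "\n  " + "\n  ".join(tracker.lookup(host)))
```

The point of the `attested_patched` flag is the rule in the post: an owner's "I patched it" claim buys nothing once the next scan contradicts it, so a self-restore without a real fix leads straight back to suspension, while a host that genuinely patched (carol) is closed out and never sees a suspension.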