Re: Quarantine your infected users spreading malware
On 2/23/06, Andy Davidson [EMAIL PROTECTED] wrote:
> And they don't care ! How is someone else telling them that they need a virus checker going to change anything ?

It's not. That's why services such as AOL integrate it with the system.. Granted, the user has to initially accept it, but it's a virtually painless process.. AOL's software does all the work. If a user has to download each individual program, install it, ensure it's updated, etc., then they tend to ignore the use of such a product. Even mostly-automated updates are a burden for them because messages pop up now and then telling them that they're not up to date, warnings about new outbreaks, etc. Most users don't care one way or the other and it's simpler for them to ignore the whole situation.

For something like AVG, yes it's free. But, I don't think that includes allowing an ISP to package it up and distribute it as a value-added feature.. Most companies frown on that sort of thing. I believe even Microsoft's EULA forbids distributing SP2 without strict permission.

-a
-- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
Andy Davidson wrote:
> And they don't care ! How is someone else telling them that they need a virus checker going to change anything ?

We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was so high, we quickly changed to offline cleanup only. It will remain until we perfect our auto defense system. Customers just want things to work. They don't care if they are infected. It's amazing how many customers swear they aren't scanning or sending email, and refuse to understand that their computer is capable of doing things without them knowing.

-Jack
Re: The Domain Name Service as an IDS
> > Amongst others, I've developed the following services with it for my internal customers:
>
> Hi Chris, thanks for your reply. I was just told by the admin team to keep DNS operational issues off-list. Would you mind if we take this to the DNS operations mailing list run by the ISC OARC?
>
> Gadi.

Let's see - a description of an interesting way to use DNS metrics to detect network abuse - network abuse that routinely causes headaches on our network and results in customer complaints. Seems pretty on topic for a network operations mailing list.

-- Mark Radabaugh Amplex [EMAIL PROTECTED] 419.837.5015
Re: How do you (not how do I) calculate 95th percentile?
On Wed, Feb 22, 2006 at 05:46:01PM -0500, Russell, David wrote:
> I personally think that 5 minute sampling is so last century

s/5 minute sampling/polling/

RWSL[1] do deliver their accounting data via scp or FTP to collector hosts by themselves. Push instead of pull/poll. SNMP counter polling for accounting is a real pain.

Regards, Daniel

[1] Routers Which Suck Less

-- CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0
Re: The Domain Name Service as an IDS
On Thu, Feb 23, 2006 at 04:27:52AM +0200, Gadi Evron wrote:
[snip]
> Hi Chris, thanks for your reply. I was just told by the admin team to keep DNS operational issues off-list.

I do not believe this. You didn't notice the Monday plenary session at NANOG 36 meeting was all DNS?

http://www.nanog.org/mtg-0602/wessels.html
http://www.nanog.org/mtg-0602/ishibashi.html
http://www.nanog.org/mtg-0602/gibbard.html

...and two of the lightning talks on Wednesday?

http://www.nanog.org/mtg-0602/pdf/kristoff.pdf
http://www.nanog.org/mtg-0602/pdf/murphy.pdf

Joe

-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Quarantine your infected users spreading malware
Heya,

Sorry about continuing this thread... I noticed a few people discussing this topic and wondering about new ways to look at quarantining hosts. There's a working group within the US Internet2 community that's been working on a generalized architecture and set of white-papers that our member institutions can share. If you're interested, check out the two drafts that we have so far (SALSA-Netauth working group):

Architecture for Automating Network Policy (PDF)
http://security.internet2.edu/netauth/docs/internet2-salsa-netauth-architecture-200510.pdf

Strategies for Automating Network Policy Enforcement
http://security.internet2.edu/netauth/docs/internet2-salsa-netauth-policy-enforcement-200504.html

We'd welcome any thoughts, criticism, complaints, praise, etc...

Eric :)
Re: Quarantine your infected users spreading malware
--On February 23, 2006 8:02:31 AM -0600 Jack Bates [EMAIL PROTECTED] wrote:
> We allowed users back online to run Housecall at trendmicro for free so they could get cleaned up and save some money. However, the resuspend rate was so high, we quickly changed to offline cleanup only. It will remain until we perfect our auto defense system. Customers just want things to work. They don't care if they are infected. It's amazing how many customers swear they aren't scanning or sending email, and refuse to understand that their computer is capable of doing things without them knowing.

What doesn't help is the ISPs out there who are complete dolts and first don't verify reports and second false alarm. They'll cut a user off on a single complaint without any evidence or verification. Or worse they have some automated system that false alarms without any way to verify you're cleaned up. And if you can't get online you can't get cleaned up anyway. Catch 22.
Re: a radical proposal (Re: protocols that don't meet the need...)
On 16-feb-2006, at 0:15, Fred Baker wrote:
> On Feb 15, 2006, at 9:13 AM, Edward B. DREGER wrote:
> > Of course not. Let SBC and Cox obtain a _joint_ ASN and _joint_ address space. Each provider announces the aggregate co-op space via the joint ASN as a downstream.
>
> Interesting. This is what has been called metropolitan addressing. I'm certainly not the one who first proposed it, although I have thought about it for a while, dating at least as far back as 2001. The crux of the concept as several *have* proposed it is that a regional authority - a city, perhaps, or a consortium of ISPs, or in the latest version of the proposal I have seen the country of Korea - gets a prefix, and sets up an arrangement. SOHOs that want to multihome within its territory are able to get small (/48? /56?) prefixes from it, and providers that deliver service in the area may opt in to supporting such SOHO prefixes.
>
> [...]
>
> Whenever I have talked about the model with an ISP, I have gotten blasted.

Well, the way you outline above isn't the only way to do aggregation on something other than provider. A while back I worked on this, see http://www.muada.com/drafts/draft-van-beijnum-multi6-isp-int-aggr-01.txt

The idea is that a border router within an ISP/carrier network no longer holds a full copy of the global routing table, but only carries a subset. The AS as a whole still has a full view of the entire table, but aggregates make packets flow to a router that holds the appropriate part of the global routing table, and then that router hands the packets off to the right neighboring AS. The aggregates are only used within the AS so there is no free transit. Obviously it works best if there is interconnection in the metro area in question, but it can also be made to work without dense interconnection.

Based on NANOG shim6 feedback and the push for IPv6 PI in the RIRs, I think it's time to really look at this and/or other non-traditional ways to aggregate.

Apart from traffic engineering (which should be solvable) the main problem with shim6 is that it doesn't give users provider independent address space, and it's becoming pretty clear that many users REALLY want this, notwithstanding all the IETF efforts to make renumbering easier. Some sort of non-provider aggregation would allow portable address space for end-users without starting a time delayed meltdown of the global routing table. Another advantage is that such a mechanism makes it possible to start using aggregatable PI space as normal PI space immediately, and only implement aggregation in individual ASes (no coordination necessary) as the size of the routing table increases.

I dropped this approach 2.5 years ago when it turned out that there was no support for it in the multi6 working group, but the heavy criticism of shim6, the push for PI in IPv6 and the fact that geographic aggregation keeps coming up from time to time suggests that it's probably not a bad investment of time for the IETF to look at this and see if there's something there. Maybe in the form of a BOF?

Iljitsch
Re: Quarantine your infected users spreading malware
Michael Loftis wrote:
> What doesn't help is the ISPs out there who are complete dolts and first don't verify reports and second false alarm. They'll cut a user off on a single complaint without any evidence or verification. Or worse they have some automated system that false alarms without any way to verify you're cleaned up. And if you can't get online you can't get cleaned up anyway. Catch 22.

I don't really see how any ISP will terminate an account for just one complaint, after all, it's losing money.. We have seen a few good examples of pretty big ISPs who said here how quarantine works for them. Got an example on how ISPs are kicking users out?
Re: Quarantine your infected users spreading malware
--On February 23, 2006 9:09:26 PM +0200 Gadi Evron [EMAIL PROTECTED] wrote:
> I don't really see how any ISP will terminate an account for just one complaint, after all, it's losing money.. We have seen a few good examples of pretty big ISP's who said here how quarantine works for them. Got an example on how ISP's are kicking users out?

Speakeasy suspended my service for a week over a single report from someone. The mail never even travelled through or via any of my systems, the header bit that was called in was forged. It took a week to get them to give me the information they'd gotten in complaint. There was a forged Received header (completely fabricated, including the 'Qostfix' MTA) and also a forged HELO or EHLO of a non-existent host when it actually relayed it off onto someone else's MTA.

I can't remember the exact ISP... might've been RoadRunner or TW in Toronto, but a friend had her DSL or CableModem suspended, ended up changing providers. There was an infection, it was cleaned, they were allowed back on, then the ISP either received an old/backlogged complaint or something and they cut them off again, but the machines were all clean (indeed watching the network for traffic over several days revealed nothing that they claimed to be the problem).

-- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
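Both of Michael's anecdotes come down to an abuse desk acting on evidence it never verified. As an added example (not from the thread or any ISP's system), here is a Python sketch of the two checks a quarantine pipeline could apply before suspending a line: take the source address only from a Received: line written by an MTA we trust, ignoring every Received: line beneath it (which the sender could have forged, like the 'Qostfix' one above), and require corroboration from at least two independent reporters. The netblocks, hostnames and sample headers are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample values (assumptions, not from the thread).
CUSTOMER_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # our subscriber space
TRUSTED_RECEIVERS = {"mx.example.net"}   # MTAs whose Received: lines count as evidence
MIN_INDEPENDENT_REPORTS = 2              # never suspend on a single complaint

# "Received: from <helo> (<rdns> [<ip>]) by <host>" as most MTAs write it
RECEIVED = re.compile(
    r"^Received: from \S+ \(\S+ \[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)", re.M)

def evidenced_source(headers):
    """Return the connecting IP recorded by the outermost trusted MTA, or None.

    Received: lines are prepended as mail travels, so scanning from the top the
    first line written by a host we trust is the last hop we can believe.
    Every line below it was already in the message when that host received
    it, so the sender could have forged it and it is not evidence.
    """
    for m in RECEIVED.finditer(headers):
        if m.group("by") in TRUSTED_RECEIVERS:
            return ipaddress.ip_address(m.group("ip"))
    return None

def is_ours(ip):
    return any(ip in net for net in CUSTOMER_NETS)

def quarantine_decision(complaints):
    """complaints: iterable of (reporter, raw_headers). Returns the set of
    subscriber IPs (strings) with enough independent, verified complaints."""
    reporters = defaultdict(set)
    for reporter, hdrs in complaints:
        ip = evidenced_source(hdrs)
        if ip is not None and is_ours(ip):
            reporters[str(ip)].add(reporter)   # same reporter twice counts once
    return {ip for ip, who in reporters.items() if len(who) >= MIN_INDEPENDENT_REPORTS}

# Constructed headers. GENUINE: our trusted MX saw the subscriber connect directly.
GENUINE = "Received: from cust5.isp.example (cust5.isp.example [203.0.113.5]) by mx.example.net\n"
# FORGED: the trusted MX saw an unrelated relay; the line naming our subscriber
# sits below it and was supplied by the sender, so it must not be believed.
FORGED = (
    "Received: from relay.other.example (relay.other.example [192.0.2.9]) by mx.example.net\n"
    "Received: from cust5.isp.example (cust5.isp.example [203.0.113.5]) by relay.other.example\n"
)
```

Calling `quarantine_decision` with one genuine complaint, or with any number of forged ones, yields an empty set; two genuine complaints from different reporters yield `{'203.0.113.5'}`.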