Automatic shutdown of infected network connections

Some universities, such as Vanderbilt University, are automatically
shutting down network ports when they detect signature worm traffic.
Almost 25% of the students' computers were detected as infected when they
connected to the university network.

http://www.vanderbilthustler.com/vnews/display.v/ART/2003/08/29/3f4eb4b3537e0

How many ISPs disconnect infected computers from the network? Do you
leave them connected because they are paying customers, and how else
could they download the patch from Microsoft?

Let's see...

* I don't know how many; at minimum, those who receive
  court subpoenas telling them to.

* Do you leave a user connected if they are in violation
  of your AUP and are wreaking havoc on your network and
  other networks?

* Perhaps you could send a disk out? Or set them up in a
  sandbox-type LAN where they can only visit your internal
  disinfection site?

Sean Donelan wrote:

> How many ISPs disconnect infected computers from the network? Do you
> leave them connected because they are paying customers, and how else
> could they download the patch from Microsoft?

We disconnect after contact if they remain infected after 72 hours or once we determine contact won't be possible.

Users are responsible for their own computers. We understand that many of them need the service in order to fix their systems. However, a line has to be drawn at some point. I want the 135 blocks removed, and in order to do that, the malicious packets must be reduced to a minimum.

-Jack

I work for a cable modem provider. What we came up with is a modem config
that allows http, pop, and smtp while cutting the allowed bandwidth to 56k
upstream and 56k downstream. This way they can still get the needed updates,
but are not able to blast our network. Secondary effect is that customer
will call in and complain about slow speeds, then our techs can tell them why
they are slow and inform them how to fix the problem.

Why in the world would you do that? The DOCSIS specification allows for
filtering rules at the CPE, which means you could simply block icmp echo
and ports 135-139+445 directly at their home network, causing no load
whatsoever on your network, _and_ no more infected boxes (even at 56k).

Besides, have you ever tried updating an XP system at 56k? It could
literally take days.

> I work for a cable modem provider. What we came up with is a modem config
> that allows http, pop, and smtp while cutting the allowed bandwidth to 56k
> upstream and 56k downstream. This way they can still get the needed updates,
> but are not able to blast our network. Secondary effect is that customer
> will call in and complain about slow speeds, then our techs can tell them why
> they are slow and inform them how to fix the problem.

> Why in the world would you do that? The DOCSIS specification allows for
> filtering rules at the CPE, which means you could simply block icmp echo
> and ports 135-139+445 directly at their home network, causing no load
> whatsoever on your network, _and_ no more infected boxes (even at 56k).

The modem _is_ the CPE. There's no load on the network; just CPU on
the modem. "modem config" != "CMTS config".

> Besides, have you ever tried updating an XP system at 56k? It could
> literally take days.

You may have a point there.

> Besides, have you ever tried updating an XP system at 56k? It could
> literally take days.

Yes, days if you have never updated the system at all or if you count
minutes as days.

And if you just bought a new system, it should have the big update
(SP2) installed on the machine already, unless you're dealing with
an incompetent PC manufacturer/reseller/whatever that likes to cut
corners (say something idiotic like buying plain XP OEM CDs instead
of XP+SP2 OEM CDs because it saves them $1-3 per seat from some gray
distributor) or not stay up to speed on MS security because they
don't want to deal with after-sale support or provide it.

Right now, Windows XP says I'm "Connected at 50.6Kbps", and there
are no annoying "There are critical updates available for your
system" nag messages beaming from the taskbar.

FYI, the last 3 Dell laptops we bought (2 weeks ago) all needed about 56MB of patches OOTB

         ---Mike

Perhaps you missed the part where Jonathan said this is a config for
customers whose machine has been infected by the virus du jour. The
conscientious customer gets something quite a bit better than 56k :)

I think that's exactly what I said, perhaps you misread my comment.

My point was that you're rate limiting and filtering customers for no
reason when you have the ability to filter the attack vectors in a very
effective and 'clean' way. You should consider leaving those ports filtered
seeing how they're the #1 way for windows systems to be infected/hijacked.

[ Jonathan said "we are filtering and rate limiting at the modem" ... ]

> > Why in the world would you do that? the DOCSIS specification allows for

      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> > filtering rules at the CPE, which means you could simply block icmp echo
> > and ports 135-139+445 directly at their home network, causing no load
> > whatsoever on your network, _and_ no more infected boxes (even at 56k).
>
> The modem _is_ the CPE. There's no load on the network; just CPU on
> the modem. "modem config" != "CMTS config".

> I think that's exactly what I said, perhaps you misread my comment.

What you said is highlighted above. I don't think I misread it ... I
may have misunderstood what you meant. Did you intend to take issue
_only_ with rate limiting, as opposed to filtering, or are you taking
issue with the broad filtering described, or both? I'm trying to
parse "Why in the world ..." :)

> My point was that you're rate limiting and filtering customers for no
> reason when you have the ability to filter the attack vectors in a very
> effective and 'clean' way. You should consider leaving those ports filtered
> seeing how they're the #1 way for windows systems to be infected/hijacked.

The provider in question has a long-standing tradition of providing
unfiltered access. Perhaps recent events will cause them to change
their policy as you suggest. Personally I think it's a great idea.

[ I'm no longer an employee of said provider ]

Best regards,

In article <5.2.0.9.0.20030903104933.03fa9db0@209.112.4.2>, Mike Tancsa <mike@sentex.net> writes

> FYI, the last 3 Dell laptops we bought (2 weeks ago) all needed about 56MB of patches OOTB

That's exactly the same as I needed for a copy of XP-Upgrade I bought in a high-turnover retail store (Staples, in USA) last week.

I was taking issue with the "deny all, allow pop3, smtp, http, .." + rate
limit approach. I did see the 'filtering at the modem' part; perhaps restating
the ability of DOCSIS compliant CPEs was confusing.

> And if you just bought a new system, it should have the big update (SP2)
> installed on the machine already ...

  Service Pack 2 for Windows XP has not been released yet.

Weird, when I go to Add/Remove programs, I see "(SP2)" next to the
hotfixes I applied, from that I assumed SP2 was out or something.

  As of 1 Sep 2003, there are 21 post-SP1 security-related hotfixes posted
for Windows XP. The total download size is quite large, if you are on a 56
kilobit modem.

Most of my updates were done on this same modem, and if I recall
correctly, most of them varied in size from 300KB to 2MB. Then
again, I haven't done a fresh XP install ever since I installed
it on this laptop so I don't know how big the initial lump is
right now.

> ... unless you're dealing with an incompetent PC
> manufacturer/reseller/whatever that likes to cut corners ...

  Like, say, most of them?

Eek. :(

Hate to rehash the responsibility debate...but shouldn't the
manufacturers/whatever slap the latest service packs on their
products that they're selling?

If GM puts out a recall on their vehicles for a GE lamp. Yeah,
I'm sure GE takes the blame and a hit to their stock, but the
dealers go to GM (the aggregator) for the replacement and fix
the vehicles they have on the lot before another one gets sold,
right?

Subtract one level of hierarchy (the dealer, or you could leave
it in, since most system builders are rolling out their own
stores...Apple, Dell, Gateway, etc.) and you have the common
relationship of Microsoft-OEM-End User. Shouldn't the OEM be
responsible for any product coming off their shelf that's been
"recalled" up until the point of the "recall"?

Omachonu Ogali wrote:

> Eek. :(
>
> Hate to rehash the responsibility debate...but shouldn't the
> manufacturers/whatever slap the latest service packs on their
> products that they're selling?

That would add cost. You either eat that cost or pass it on to the consumer. As price is the number one criterion for the mass market, I am sure vendors are shy about raising prices and equally shy about eating into meager profits.

> If GM puts out a recall on their vehicles for a GE lamp.

You know it's not that simple... Changing a light bulb does not have the same potentially unforeseen and unintended consequences of installing 56MB of new code. It WILL break some things.

Vendor A laptop price = $x
Vendor B laptop price = $x+ $20

A-Laptop == B-Laptop

Given the choice between the two, where one has all the service packs installed and the other for $20 less does not... Sad to say, most will take the one for $20 less, as the other is "ripping me off!" Most consumers don't have a hope in hell sometimes of understanding value in the tech world and instead fixate totally on price.

         ---Mike

Sean Donelan wrote:

> How many ISPs disconnect infected computers from the network? Do you
> leave them connected because they are paying customers, and how else
> could they download the patch from Microsoft?

As an aside:

As a corporation (no customers per se), we disconnect infected computers _completely_ (via remote router/switch control tools). We can do it automatically (via various detectors), but usually do it manually.

This is primarily to maintain service levels with non-infected stuff.

Fixing the computer is usually done by support staff. Via CD if it's unsafe to reconnect the machine to the net.

If we get infested badly enough, we block the attack ports subnet-by-subnet as necessary until we've sterilized the subnet.
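Two posts in this thread describe the same automation: Sean's note about Vanderbilt shutting ports on "signature worm traffic", and the last reply's "various detectors" plus "block the attack ports subnet-by-subnet". Neither post shows how the detector decides. The following is an added example, not code from any poster or provider in the thread. It assumes a constructed flow-record format ("epoch src dst proto dport"), a hypothetical scan threshold (20 distinct targets on TCP 135/139/445 within 60 seconds), and a hypothetical escalation rule (if a quarter or more of the hosts seen on a /24 are scanning, block the worm ports for the whole subnet instead of quarantining hosts one at a time). The sample flows are constructed, and the thresholds are illustrative rather than anything the thread specifies.

```python
"""Flow-based worm scanner detection with per-host / per-subnet response.

Added example. The flow format, thresholds and action names are assumptions
for illustration, not anything described by the posters above.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

# Attack-vector ports named in the thread (MS-RPC, NetBIOS session, SMB).
WORM_PORTS = {135, 139, 445}


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<epoch> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(int(ts), src, dst, proto, int(dport))


def detect_scanners(flows, threshold=20, window=60):
    """Return {src: peak distinct worm-port targets within any `window`-second
    span} for sources whose peak reaches `threshold`.

    A host talking repeatedly to one file server on 445 is not a scanner;
    a host touching many distinct addresses on 135 in a short time is.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) within window
    peak = defaultdict(int)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "tcp" or f.dport not in WORM_PORTS:
            continue
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and q[0][0] < f.ts - window:   # expire old entries
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct > peak[f.src]:
            peak[f.src] = distinct
    return {src: n for src, n in peak.items() if n >= threshold}


def plan_response(scanners, all_sources, prefixlen=24, subnet_fraction=0.25):
    """Per-host quarantine, escalating to a subnet-wide port block when at
    least `subnet_fraction` of the hosts seen on a subnet are scanning."""
    by_subnet = defaultdict(set)
    for src in all_sources:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        by_subnet[net].add(src)
    actions = []
    for net, hosts in sorted(by_subnet.items()):
        flagged = sorted(h for h in hosts if h in scanners)
        if not flagged:
            continue
        if len(flagged) / len(hosts) >= subnet_fraction:
            actions.append(("block-ports", str(net)))       # hypothetical action name
        else:
            actions.extend(("quarantine-host", h) for h in flagged)
    return actions


def analyze(lines, threshold=20, window=60):
    """Parse records, detect scanners, and plan the response."""
    flows = [parse_flow(l) for l in lines]
    scanners = detect_scanners(flows, threshold, window)
    return scanners, plan_response(scanners, {f.src for f in flows})


# Constructed sample flows (not real traffic).
SAMPLE_LINES = (
    # 10.1.2.10 sweeps 25 distinct hosts on TCP/135 in 25 seconds (worm-like)
    [f"{1000 + i} 10.1.2.10 10.1.{i // 10}.{50 + i} tcp 135" for i in range(25)]
    # 10.1.2.11 talks SMB to a single file server repeatedly (legitimate)
    + [f"{1000 + i} 10.1.2.11 10.9.0.5 tcp 445" for i in range(5)]
    # other hosts on the same /24 doing web and mail
    + ["1003 10.1.2.12 198.51.100.7 tcp 80",
       "1004 10.1.2.13 198.51.100.8 tcp 110",
       "1005 10.1.2.14 198.51.100.9 tcp 25"]
    # 10.1.3.7 sweeps 30 distinct hosts on TCP/139 in 15 seconds
    + [f"{2000 + i // 2} 10.1.3.7 10.1.4.{i + 1} tcp 139" for i in range(30)]
    + ["2001 10.1.3.8 198.51.100.7 tcp 80"]
)

if __name__ == "__main__":
    scanners, actions = analyze(SAMPLE_LINES)
    for src, n in sorted(scanners.items()):
        print(f"scanner {src}: {n} distinct worm-port targets in window")
    for action, target in actions:
        print(f"{action} {target}")
```

On the sample data 10.1.2.10 and 10.1.3.7 are flagged; 10.1.2.11 is not, because five connections to one server are one distinct target. The 10.1.2.0/24 subnet has five hosts seen and one scanner, so that host is quarantined individually; 10.1.3.0/24 has two hosts seen and one scanner, which crosses the escalation fraction and yields a subnet-wide port block, the "subnet-by-subnet" response from the last post. The window matters: the same 25 targets spread over several minutes would not trip the threshold.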