Handling Viruses in an Uncontrolled Network? 579
An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats.
We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?"
"Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).
I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."
Is this really that hard? (Score:5, Insightful)
There see, that wasn't too hard!
Re:Is this really that hard? (Score:5, Funny)
Re:Is this really that hard? (Score:4, Insightful)
If that doesn't work, have a little chat with the Admin, present the security scenario, and ask to yank the plug on any offending machine as a security threat. Corporations in the real world don't tolerate unsecure boxen, why should the school? Students will learn VERY quick not to cross you.
Re:Is this really that hard? (Score:3, Insightful)
s/out of your hand/with a straw/g if one applies the LART correctly.
But seriously, I'd set up a DHCP server, hand out IP's through that, and when a machine misbehaves, nullroute the bugger and yank it's lease. The owner of said machine will come by eventually to complain that "Teh intarweb" doesn't work, and you can apply said LART to educat
Re: (Score:3, Interesting)
Re:Is this really that hard? (Score:5, Insightful)
1. IDS set to trigger on specific patterns and events (if you have been seeing this stuff on your network constantly, you'll know what to look for already.), you can even set some up free using FOSS.
2. the IDS alerts then trigger shutting down their switch port and notify an admin. Depending on your switch port mapping database, you can even email the user.
3. See Scott's post above for signature/cleaning cycle.
Re:Is this really that hard? (Score:2)
Makes sense, but maybe you should email them BEFORE you pull the plug?
Re:Is this really that hard? (Score:3, Insightful)
It's not hard, but its harder to get right. Having IDS disable services without human evaluation/intervention has the potential to leave you open to an effectively self-enforced DOS attack.
The classic example is the IDS that shuts of port 25 for a couple of minutes whenever it detects an apparent attack. All you've gotta do to effectively DOS that
netsquid software package works well for this (Score:5, Informative)
We use netsquid, http://netsquid.tamu.edu/ [tamu.edu], which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.
It works quite well.
Re:Is this really that hard? (Score:3, Insightful)
The problem with that, is that nobody should care whether or not you have virus protection -- the thing they should care about, is whether or not you run viruses (and that they are noisy viruses that create traffic on the network). If a user doesn't have a policy that running viruses is ok, then that user doesn't need virus protection. S
Re:Is this really that hard? (Score:5, Funny)
"1. Write short document stating that in 'reparation for virus damage' computers would occasionally be confiscated when they managed to infect multiple computers connected to the local network
2. Notify them of this agreement and make them sign it
3. When one of them has an infected machine that starts pinging the shit out of your network, give them a 'first warning'
4. Point to document in step 1 kindly, in writing, and create yourself an Ebay account.
5. Repeat
6. Profit and learn to laugh evilly."
Re:Is this really that hard? (Score:3, Funny)
Sure it's an option (Score:5, Informative)
Re: (Score:3, Interesting)
Re:Sure it's an option (Score:2, Insightful)
detect these ping attacks, network scans - and shut them off.
after it happens repeatedly, they might not learn.
if not, oh well, at least the other 98% of the students can continue to work unencumbered by the offending assholes that refuse to respect the network that they are only leasing while they're there. (read: they do not own the network no matter how much they pay)
Re:Sure it's an option (Score:5, Informative)
When connecting for the first time, they have to enter their university username and password so the IP address can be tied to their MAC address and the computer logged.
If their software detects viral traffic from their PC, they're automatically cut off from the net and a webpage comes up explaining why. They don't get re-connected until myself (or one of my colleagues) verifies they have virus scanning software installed and their PC is clean.
First few weeks of term there were a lot of people cut off, but virus infections now are next to nothing because everyone has the software running.
Apart from this, the internet connection here is extremely good. Fast and reliable, and no port blocking.
Re:Sure it's an option (Score:3, Funny)
Remember, this system is only to stop viruses. If they're clueful enough to run a spoofed MAC address, they probably have a clean system.
You do remind me of an older job I had. There was a print server in accounting that really liked to surf porn at night...
Re:Is this really that hard? (Score:5, Insightful)
His "need" is his problem, not yours. He should have thought about that, before he decided to engage in activity that threatened other people.
Fuck this whole "buy more filters" thing. Place the burden on the users, and then users who behave intelligently, won't have any burden. That is the fair thing to do.
Re:Is this really that hard? (Score:5, Informative)
My school has a very effective setup for controlling outbreaks. To start, the network is MAC filtered. Any time you connect to the network with an unlisted MAC address, your browser is redirected to a page containing the university Terms of Service for the network. You read this information, toss in your university ID and password and click I AGREE, and the program adds your MAC to the list.
As outlined in the TOS, there are no warnings. If your computer exibits any viral behavior, your network access is removed. Unless your virus was email-related, you still have access to the mail servers. When you try to use the internet again, you are once again taken to a limited page, which politely tells you that your computer appeared to be infected with a virus. You are given basic cleaning information, as well as the tech department phone number and email address in case you need help. They can also provide you with tools like AdAware, since you won't be able to download these yourself. Then, once you are confident your computer is clean, you call the tech department, and they run a quick check to see that your computer is no longer showing viral activity. At this point, your network access is returned.
There are no warnings. As soon as you cause a problem, the problem (you) is removed. Once you fix the problem, access is restored. I don't know their policy for repeat offenders, but I assume there is something.
Our solution (Score:3, Informative)
First of all, we have build a simple management system based around SNMPv3. You want this. Take a course in enterprise management or read up on it yourself. The day you stop writing scripts and use a management system instead is the day when you begin to come out on top of the problem. OpenWBEM can be a start if you want to know what can be do
Re:Is this really that hard? (Score:3, Insightful)
I have to agree.
The IT mantra should be: "Lack of planning on your part does not nessecarily constitute an emergancy on mine."
A better example though would be: Imagine, your car has a blown gasket spewing smoke all over the road and is barely moving under its own power, then add all 4 tires are flat further impeeding your movement. Would you keep driving it
Re:Is this really that hard? (Score:4, Interesting)
I fully support this policy - you decide to risk MY life on the roads, you pay the penalty. Can't get to work now that you've committed a crime and are doing the "time"? Well, hopefully you will realise how important having a license is to your life, and you won't ever drink/drive again. And also, be thankful you didn't injure or kill another road user, pedestrian or even yourself...
To segue this back onto topic, same rules should apply in this situation. You put others at risk or deny them access to the network due to your inability to load a freely available, well publicised and mandatory on the network you are using tool, then you do the "time". Access cut off and you can't work? Well, perhaps next time you will ensure the virus scanner and firewall software is running, you won't have the issue, and those around you are not impacted.
Re:Is this really that hard? (Score:5, Insightful)
To say that 'they have work that must be done' is ignoring the fact that the umpteen (insert hyperbolic number) other users ALSO have work to that must be done and in this case the good of the many out weighs the good of the few or one (damn, did I actually find a good excuse to use that line?).
Yes, by all means, research methods to contain and control any outbreaks to reduce the issue when they do occur; but in this case prevention is far, far, more effective than mitigation.
Re:Is this really that hard? (Score:3, Interesting)
Re:Is this really that hard? (Score:3, Informative)
The only way to keep a Windows computer safe is to install patches and virus protection software on the individual computers. Work *must* be done on the individual computers.
At my school, there were paid student techs that fixed stuff like that. These guys need someone who will walk from
It's just terms of service (Score:4, Insightful)
So what? Crap happens...virus ate your thesis, power went out, printer ran out of ink, blah blah blah. Thing is that if you are a responsible person you have contingencies in place to minimise or eliminate the impact of such incidents. If the work is important, you keep backups, spare ink cartriges, update your antivirus, OS, apps, etc...and most importantly you don't procrastinate to the point where you are in crisis mode. If you don't do all of the above then you should be prepared to follow Murphy's Law. If a mishap is unavoidable, you could be granted an extension.
Thing is, it is standard practice for net admins EVERYWHERE to pull the plug at their discretion should your computer be found to causing network disruption. Taht is a standard condition of almost all terms of service. My ISP would knock you off very quickly should they discover an open mail relay, ping flood or other unusual level of activity, and I pay extra for business-grade service. I agree with other posters here--this guy should put in some F/OSS tools to help manage these problems, and immediately terminate all network connectivity of infected machines ASAP.
"I have work to do" be damned. Seriously. Part of growing up and going to school is to learn--and people have to learn the consequences of their actions or inactions--that's life. You have to keep your house clean, pay your bills on time, obey the speed limit and traffic signals, etc. If you don't there are negative consequences. Same goes for PC use: ignoring the TOS, not updating your machine, downloading comet cursors and talking gorillas and chat icons and P2P warez is just inviting trouble. Users who repeatedly do those things despite warnings deserve no sympathy at all and should recieve all the wrath the BOFH can deliver.
Re:Is this really that hard? (Score:3, Insightful)
It's a tough call for h
No more access (Score:5, Interesting)
You are in control! (Score:2, Insightful)
Re:You are in control! (Score:2)
Re:You are in control! (Score:2, Insightful)
You know, RTFA is pretty commonly ignored, but I've never seen anyone not read the initial post. You sir, have set a new standard for stupidity.
Re:You are in control! (Score:2, Informative)
Definitely cut people off when they are infected until they are cleaned up.
Hit them in areas they care about and they'll start being more careful. Figure out where those motivational places are (disconnections, fines, losing IM privileges, etc.)
Post a policy that has escalating punishments for each subsequent time they are infected, particularly if it's obvious it's their fault. This could be a rising fine, or that you don't reconnect them as f
Re:You are in control! (Score:2, Informative)
Re:You are in control! (Score:2)
This is pretty sad - pretty much every college with residence hall networking has at least some sort of ResNet help desk. Considering that the school only pays 1/3 of the money for a workstudy student & can always find somebody willing to work for minimum wage, we're only talking about something on the order of a dollar per month per user to have an actual paid helpdes
Re:You are in control! (Score:4, Informative)
DOOOMMMMED (Score:4, Funny)
Re:DOOOMMMMED (Score:2)
Of course, a quick way to knock a problem user off the network is to assign their IP to another device. Set up a Linux/BSD box and start packing on the aliases +)
Re:DOOOMMMMED (Score:2)
chemical castration (Score:2, Interesting)
Simple. (Score:5, Funny)
Uncontrolled Viruses (Score:5, Funny)
Re:Uncontrolled Viruses (Score:3)
3 Strikes policy? (Score:5, Insightful)
That'll clean their acts up in a hurry, or at least make your life easy.
Re:3 Strikes policy? (Score:3, Funny)
Re:3 Strikes policy? (Score:5, Interesting)
Something like: first offence, 24hr ban; second offence, 7 day ban; 3rd offence, 1 month; 4th offence, one year and an email to all 500 with the photograph of the person who has been stuffing up their computers.
Once you've got people used to the idea they will be punished you can swap to something like the 3 strikes policy. But at first you're going to get idiots testing you, and so two warnings is too soft while a year-long ban is hellova hard for a first punishment.
There are alternatives of course. Install an 802.11g network in parallel with strict rules. Disobey them once and you get a stern warning, twice and you're banned for life from it. That way you'll naturally see people migrate to the network which 'works' without the fight with idiots.
Oh, I'm assuming this is targetted at teenagers at or near college level. If you're dealing with mature adults then it is much easier.
You are NOT punishing the wrong person. (Score:5, Insightful)
To use society's resources, you have to follow society's rules. I can go buy any car I want and drive it at 200 mph - on my own track. But if I want to drive on streets I have to follow the rules, as they apply to my actions (hitting things) even when they may not necessarily have a direct negative impact (speeding, driving on the sidewalks) have only a paper impact (licensing, insurance, registration) or only a preventative impact (headlights, brake lights...)
I can also go buy a used car and have the brakes suddenly fail, running over someone's garden. Note that even if I didn't know, I'm still responsible for the cost of that garden, (unless I JUST bought it and can pass the blame to the previous owner) If the brakes were recalled, it's still my fault for not getting them fixed. If they WEREN'T recalled, but should've been, then that's not my fault.
If you're already providing appropriate, simple, free, publicized resources _that they didn't use_ they are being negligent at best. Kicking them off until sometime after they fix it is a MINIMUM penalty for such negligence.
Argueably they should have to pay for the cost of your time to fix their computer (mandatory since they didn't do it the first time) and to repair any problems caused by their problem - and STILL be penalized in terms of being online.
(Personally I believe that a kick-until-fixed first warning is probably a necessary threshold of publicity - but even the second time they aren't listening I think it'd be very reasonable to escalate it.)
To be clear, I don't think it's reasonable in today's world to hold them accountable for anything their computer does. I think it's NECESSARY to hold them accountable for not following your security procedures to defend against it. Which means you're still going to be snuffed by the virus that exploits the OS hole noone has put out a patch for yet - and I wouldn't blame that on the first kid to get it.
I agree with the other posts - you have to get kick/ban/unplug authority, you have to quit, and/or you have to get paid. 1 of those might do...
Move out? (Score:5, Insightful)
Ban them (Score:5, Insightful)
Re:Ban them (Score:3, Insightful)
Serious now, I have been administering networks for about 15 years now (a lot less than many people on
Different audience (Score:3, Insightful)
Also my school used to require that students REGISTER their mac address in order to get access, and the switches / dhcp server would only allow registered macs in.
Easy fix. (Score:3, Interesting)
> similar problems?"
Easy. Disconnect them at the first sign of virus trouble. Don't let them back until they can prove they've fixed it.
When their fresh new computer lasts an hour on the network before you pull it down, they'll soon decide to fix it.
Re:Easy fix. -- NOT! (Score:3, Informative)
That's not an easy fix at all. Who are you kidding? If you had to spend less than 5 minutes a week with each computer that's already over a 40 hour work week right there -- and I doubt any solution is that quick. You're not understanding the numbers involved here -- and that's not including travel time, plus being able to meet then on their schedule. Ain't going to happen with student us
Re:Easy fix. -- NOT! (Score:3, Interesting)
Seems simple enough. (Score:5, Insightful)
A recent Poll... (Score:5, Funny)
solution (Score:2, Informative)
Wasting your time (Score:5, Insightful)
It really sounds like you're wasting your time.
You don't have control over the users, the machines, or the routers; so what the hell can you expect to do?
Sounds like the best option is to unplug the offending machines from the patch panel until they can demonstrate they are virus-free. Although that is likely not a viable solution if these are paying customers.
Re:Wasting your time (Score:5, Insightful)
It can be viable if the students had to sign an AUP from the campus IT department when they moved in (which I get the feeling is fairly common these days on major campuses). Worked at a place where they just turned off the switch port of offending machines, and then if the student wanted to get access back, they had to call in to the help desk and go through the process of setting up a schedule technician visit, which may be pretty far off depending on the time of year.
Was kinda hairy the first couple weeks of fall semester for the techs and the helpdesk (which will happen no matter what), but very few repeat offenders.
Stop volunteering (Score:5, Insightful)
Oh, and get your own DSL or cable modem.
Re:Stop volunteering (Score:3, Insightful)
As long as you keep "helping" people kinda-sorta fix the problem, the people who are actually in a position to fix it for real will keep putting off the pain of actually solving it.
Get your own $20/month DSL connection, refuse to answer any more questions, and go concentrate happily on your studies.
Simple. (Score:5, Insightful)
Students need to be kicked off the network until their computers are clean. If they are kicked off x times, they are off until they come to you and sign a form saying they understand how to keep their computer clean. y more time(s), they are off for the rest of the semester.
Simple, effective. You will need a couple decent switchs capable of shuting down ports ( or you could just yank the wire ).
If you don't have this level of power over the network, get rid of any access you do have. The higher ups only want a scape goat.
Re:Simple. (Score:3, Insightful)
Students need to be kicked off the network until their computers are clean. If they are kicked off x times, they are off until they come to you and sign a form saying they understand how to keep their computer clean. y more time(s), they are off for the rest of the semester.
Simple, effective. You will need a couple decent switchs capable of shuting down ports ( or you could just yank the wire ).
If you don't have this le
Re:Simple. (Score:2)
Agreed. Written and agreed to by the customers.
You can't kick people off of a network they're paying for unless you have it in writing that those are the consequences of an infected PC on the network., even though it's unfair to those with uninfected PCs
Sure you can. If there is no agreement in place, you c
Re:Simple. (Score:5, Insightful)
Here's an alternative to the "IF the administration will let you" part. Make use of the fact that nobody else really understands what it is the wizard (you) does behind the curtain:
Implement whatever service termination solution you feel necessary (whether by writing/downloading some automated system, or by doing it manually yourself). When the offender calls to complain, *don't* say that they were shut off administratively. Tell them that the massive traffic from their machine "overloaded" the port they were on (tell them it's kinda like a circuit breaker on house wiring).
They'll say that this never happened before. Tell them that they've got a newer, more-aggressive virus.
They'll ask that their port be "reset". Tell them that, due to all of the machines that they helped infect, and to the convoluted process for "resetting" a port, there's a backlog of a couple days before you can get their port reset.
Maybe they'll ask if you can just plug them into a different port. Tell them that they're all maxxed out.
At some point, Administration might ask why this is happening. Tell them the same thing you told the users... new, nastier viruses. They might ask what new equipment they could get to fix the problem. Tell them that the BFS-9000 can do it... but it's very... very expensive. It would be much cheaper for everyone to just use virus protection.
DHCP server is all you need. (Score:5, Informative)
When they come in complaining, babysit them at their computer.
wire clippers (Score:2)
Stage virus drills (Score:5, Insightful)
Send these out frequently. Soon they'll instinctually hit the DEL key when something with an attachment comes in.
MOD PARENT UP (Score:2)
"License agreement.
By clicking on this button I agree that I
blablabla blablablabla blablablabla blablablabla
blablabla blablablabla blablablabla blablablabla
blablabla blablablabla blabla agree to have my
computer suspended from the [insert network here]
for a week ablablabla blablabla blablablablabla
blabla blablablablabla blablabla blablablablabla
[I AGREE]
"
But frankly, I think setting up their network settings to have a "babysitter" firewall
Good steps... (Score:2, Informative)
So... you know your internal addresses. You know your external addresses. At the external firewall, block all packets going out that don't have a matching source address in the header. Most all virii nowadays use spoofed headers to
Removing infected computers from the network (Score:2)
1. Super Gluing an RJ-45 connector into their local network socket or into the socket on their network card.
2. Removing the infect item (hard drive) from their computer with a power saw.
3. Emptying a can of Raid into their (running) computer and tossing in a match.
4. Taking the infected machine to the roof of the dorms and tossing it over the edge to air it out a little.
5. A double-barreled 12 guage shotgun with double-ought buckshot should clear those virus ri
condition of participation (Score:2)
Users that participate on the network and yet cannot account for their computers' actions should be banned.
Default out: Virus/Malware scanners that can register with an isolated server the version and state of the user machine can participate. Until then, they are banned. Simple enough. I think some of the enterprise versions do just this.
In a DIY world...have users sign an agreement putting conditions of their connection to accounting for network usage. If you are caught with malicious payloads, you
Egress filtering (Score:5, Informative)
Strict policies on outgoing traffic for untrusted networks is essential.
I would suggest a default policy of something like www, ssh, msn/aim im, p2p programs (possibly, depending on the uni's rules and regulations).
Providing you have a mechanism for giving the students access to other ports when necessary, then there should be no problem enforcing a strict egress policy.
NetReg (Score:5, Informative)
With this you have all you need to run a NetReg [netreg.org] server within your infrastructure. With this you can allow users to register their machines automatically. Any user with a virus or other such malware gets their dhcp entry deleted, and they are on a private network that goes to where you define. I would allow antivirus sites, antispyware sites, and windowsupdate only (or better yet, a local mirror).
Have them send an e-mail to user@host once this is complete and you can re-activate their lease.
Re:NetReg (Score:5, Informative)
As to infected computers, I'm working on a Netreg extension that includes a "Your're infected" group. It's like being unregistered, but DNS forwards to a virus notification page.
You're being paid what for this??? (Score:3, Insightful)
You're doing this for free? I wouldn't even do this job for pay -- unless it was something like Bill G's salary. You will never educate kids who will click on anything that promises free porn, download and use every ad/spyware infested P2P program out there, and not think it's their fault because they can't be bothered to even update their anti-virus.
The system will be in trouble continuously because even if most were actually responsible users, it only takes a few irresponsible ones to mess it up for everyone, and it will always be your fault!
And if, pray tell, things actually do run perfectly for a few hours, or days, don't expect any thank you's from that ungrateful crowd.
And as you said, you're not even getting paid for this. Bet this means you have effectively No Authority to fix anything or punish anyone otherwise. Try to kick off a multiple repeat offender and guess whose ass ends up in a sling when they go whining to the university president.
Have fun!
Take them down, by MAC address (Score:2)
You could also try choking those ports down to dialup or slower speeds until they fix the issue, but something tells me they're not going to fix the source of the issue in any case.
Deja Vu (Score:2)
Easy money for them.
Block MS ports (Score:3, Informative)
Granted this doesn't solve the virus problem on the computer, but it sure does prevent it from taking down the rest of the network.
Firewall product (Score:2)
Be realistic about your users (Score:3, Insightful)
You're not looking at this realistically. The statement above betrays your frustration. You see the users as stereotypes of carelessness and stupidity.
So they buy faster computers when they get infected? And how often does your typical student buy a faster computer? Every day? Every week? I think not! Yet, how often do people get infected? From the way you describe the problem, it is quite often.
Users already have incentives to keep their computers virus free. Nobody likes getting a virus. It slows their computer down and makes it hard to use. They can't just run out and buy a new computer! Your harsh stereotyping is ignoring the reality of what students face.
So, the first step is to get a better understanding of the problem. Why not try talking to some users? Not just your techie friends, talk to the average person who knows only how to turn it on and run the few programs they use? I'll bet you'll find out that the real reason for the problem is not that people don't care, because they can just buy new computers! It is because they don't feel confident in their abilities to download, install and run the AV software, and to continue to use their computers with whatever small operational changes the AV software may impose.
I can't tell you for sure what the solution is, but the first step will be to understand the problem better. Resorting to stereotypes of users as malicious or uncaring is only going to take you farther from the solution.
Paging IT Department (Score:2, Interesting)
Well someone has control over the network infrastructure itself, and it's their job.
They have a Virus? CUT THEM OFF. (Score:3, Interesting)
Anything that damages the network as a whole must be blocked. Revoke their DHCP access, or something similar (I don't know how the network is routed, so I can't give a more detailed answer.)
When they learn to not get infected, then they can use the network again. It is that simple.
However, if you are in a position where you cannot do this (then I would walk away personally...) then look into using something like Hogwash [sourceforge.net] (Those guys need some devlopment help BTW (Hint Hint Slashdot community - Hogwash is a wicked project...))
Run a local DDoS to the idiots (Score:2)
Use the DHCP server as a reward (Score:3, Interesting)
I know (Score:2)
Get a deal for students who care... (Score:2)
See if you can get a deal on a router for each computer (close to cost). Students who install will probably get few if any viruses. At least you'll help those willing to do a bit of work (they'll probably also have virus scanners installed).
I agree with the other posts - users should have their network drop disconnected if their machine is spewing viruses. They can reconnect once their OS is installed, once th
Portsentry (Score:2)
Try to get an old Linux box and set it up as router. Then install PortSentry on the this router. Every virus will immidiately attack the router and portsentry will then cut it off.
A few ideas: (Score:2)
Once you have monitoring capabilities, you can get to work on responses. You have a few options, depending on the available resources:
-- Put up a public notice somewhere (on a webpage, network status screen, whatever) indicating that the current network outage is a result of Joe's ineptitude. (ie use peer pressure t
Rate limiting / throttling (Score:2)
On the other hand... you do have some responsibility for (cracking) att
A couple suggestions (Score:2)
If you live in Cisco land, and you have switch/router access, you can use "private vlans" to stick every client on its own
There's a slick product called Perfigo that was bought by Cisco that will put new clients on a 'quarantine' vlan while they get scanned by Nessus. Once it
There is an easy solution (Score:2)
Set up a kill bot. Let it search for unupdated computers, and then, taking advantage of old vulnerabilities, remove the machines from the network by writing over the hosts file or something. Make everybody sign that they understand about the bot's existence before they can connect to the network, and you're in the clear.
Define Your Goals FIRST! (Score:3, Insightful)
Of many possible technical & organizational approaches, which you employ depends on what is your goal.
1. If your goal is to be a nice guy who doesn't bother anyone and gets all your studying done, then the most practical technique is to quit volunteering.
2. If you're a music or poly sci major who is not really interested in network administration as a career ... then cut your losses ... this sort of volunteering isn't really helping.
3. But if your goal is to get out of college with something helpful to put on your resume, then treat this like a professional opportunity! Show that you can do a top-notch job of network adminstration by learning the techniques, putting in the time including the hard-nosed ejection of malefactors, and allowing for that time in your study schedule.
After all, when you get your diploma, how many of your competitors are going to be able to say, "I managed a 500-node network, achieving X% of whatever metric most impresses employers.Given the choice between someone who got all A's and someone who accomplished something useful while getting decent grades ... who would you hire?
Why does the network go down? (Score:5, Informative)
This is a *switched* network isn't it? Hopefully yes, and with a firewall also. I really can't see why someone would need inbound tcp/135,137,138,139,445,1025 or udp/135,1026-1029 nowadays. That would prevent malware that is not spread by email or Explorer. I won't recommend you dictate the browser or email client people use, but it's a possibility to have a outbound web proxy not forward any requests from IE.
You might also want to look into snort, you could at least have it alert you when the problem starts, or shut down ports, but sounds like you have not had much luck with that. Note rather than drop people off the face of the earth, at least make sure they can get to antivirus sites and microsoft updates. This is tough without access to the infrastructure but would improve things.
Another suggestion is if you do not have alot of room to room traffic, and you do not have a 100mb conenction to the net, configure all ports to 10mb. At least that way it takes more than 10 users to flood your 100mbit backbone. And users accessing the net are always throttled by your outbound connection so they won't know the difference.
I assume you volunteered for this because you like like this stuff. Note that if you *did* spend more time on this problem than your schoolwork, and came up with a solution, you might not even need to finish school.
"Banned this month"-list on a public blackboard (Score:3, Insightful)
Others will get aware of the issue too and might be more careful.
University of Waterloo Solution (Score:3, Informative)
When you get to residence, you sign a form that says you agree to monitor your computer, keep it clean of viruses, up to date with Windows update, et cetera. The terms are made very clear in it. No agreement, no use of the university network.
On your first offence (banned p2p, virus, anything like that), your network drop is disabled until you pay $25 (Canadian dollars; cue jokes about 2 cents USD) and sign a form acknowledging what you did wrong and that you will take action to avoid it in the future. In addition you have to clean up whatever triggered the disconnect in the first place.
Second offense? Disconnected for the rest of the term. That's the end of that.
Hope it helps!
Quarantine VLAN (Score:3, Interesting)
Then, use IPTABLES on the gateway to redirect any request on port 80 to a page that says, "You're infected--clean your system!" Maybe even provide them access to the tools necessary to clean their system via that same webpage.
Ok.... (Score:5, Insightful)
1. "It can't be done" crowd.
2. "Be tough about it" crowd.
3. "Go behind their backs" crowd.
and others....
How about this:
1. Get everyone's e-mail address so you can send all of them e-mail at the same time. How do you do that? Ask them to e-mail you - that's how. Of course, disinfect anything they send you because they probably will have a virus or two.
1a. How do you get all of them to send you the e-mail? Go buy some of those blank business card sheets (Avery I believe makes these), print up your message, get someone to help you break them apart, and then just tape them to each person's door. In this way you: 1)Don't have to talk to them, 2)Don't try to force them to do what they don't want to do, and 3)Can do it on your own time (like on a floor-by-floor basis). Cost: Probably about $10.00.
1b. Your message? It should be something like:
Dormitory SysAdmin needs your help!
We need your e-mail address as we
are trying to remove viruses and want
to be able to keep you informed. Thanks!
myemailaddress@thedorms.edu
1c. Put notices on doors leading into the dorm and/or bulletin boards also asking for e-mail addresses. If you can, have someone hand the things out to people as they come in and out of the dorms.
2. Set up a blog where everyone can meet and talk about problems. Use the e-mail addresses to send your notice out about the blog and how to access it.
3. Set up appointments with people to meet with them to show them how to protect their system from viruses, ads, cookies, and other problems.
Ok, let's say you've gotten some responses and want to start to go to other people's rooms to help them out. You want to:
4. Use the scheduler built in to every operating system currently in use (ie: Mac OS X, Windows98se and up, Linux, BSD, Solaris, etc...). For those OSs which are older (although I can't see anyone currently in college using an Apple ][+ or even Mac OS 9.x or earlier) download and bring with you some sort of a scheduler. (Even the Apple
4a. NOW! Here is the important thing! Set the virus/ad/cookie (or VAC for short) to AUTOMATICALLY e-mail you with the results. This too can be done via the scheduler. Give the automatically generated e-mail a special header (like [VIRUS|AD|COOKIE] REPORT FOR ROOM X). There are e-mailer programs for all operating systems which run from the command line. So just make a little batch program/shell script to create your report and e-mail it to you. Again, write it all down in the flyer you are going to give them so they don't freak when their system suddenly starts doing things (like checking for viruses or sending e-mail).
4b. Most virus software's report will read "VIRUS FOUND" and then tell you where and when the virus was found. Write yourself a short Perl/PHP/C/ script which will read these e-mails and sort out which one have viruses and which ones don't have them. Since you made the title have the room number on it - you automatically know who is having problems. So you can e-mail them back and set up a time to go over to fix any problems they might be having. Further, you can produce statistics on where the greatest problems are and post these fi
DHCP is more than enough (Score:3, Informative)
The most powerfull goal you have here is to segment your network.
You can do this strictly through the DHCP server by using several scopes.
Pass out the following IP's and give your main gateway multiple IP's, or have a machine act as proxy (with multiple gateway ip's for your lan's).
With enough segments, you can isolate problem PC's down to groups of ten or less depending on how you break up your private (or even public) ip's. This will make the majority of others users on your network unroutable to malicous virus's.
Just make sure your gateway (the one with all the .1 IP's for each segment) doesn't route traffic through itself to the other segments.
Gateway = 172.30.1.1, *.2.1, *.3.1, *.4.1, etc....
172.30.1.1 255.255.255.0
172.30.2.1 255.255.255.0
172.30.3.1 255.255.255.0
172.30.4.1 255.255.255.0
etc........
If you have a minimal budget, and your users dont need public IP's, you can buy a bunch of SOHO routers... for about 10-15$ a piece.... 300$ can get you 20 linksys's....
put 25 users on each linksys (with the WAN ports connected to your gateway).... and your users cant directly attack each other (except for the smaller networks behind the linksys's.
If your users have no need at all for direct access to each other... just set out your scope as 255.255.255.255.
192.168.1.1-255 / 255.255.255.255 gateway: 192.168.1.1
now you r users can only reach the gateway and themselves.
As to email virus's, with DHCP you can force traffic to move through any machine you like, and set up a proxy between your "real" router and the network.... that proxy can filter port 25.... looking for viral email.
These solutions arent perfect, but they will greatly slow down propagation across your network, allowing you to respond much faster to problem children without having one bad computer infect everyone else. --VISION
If all you've got is DHCP control..... (Score:3, Informative)
Make it clear in polite, simple terms what the users responsabilities are, what will happen if they don't keep their system clean, and why you have to take the action you do. Maybe put together a standard "so you fucked up your system and got kicked off the network" sheet. Educate as much as possible. Yes it feels like you're talking to a wall. But the users will either evolve (get sick of being off the net) or die (find other ways of getting their computering needs met.)
Some people have suggested Microsoft SUS. You need to be able to apply a group policy, or make registry changes on the remote machine. Since you're not inchage of the domain controller, this is a moot point. Also, SUS only works on XP and 2000, so it may not help all users.
Try Plan B (Score:3, Insightful)
Reading your article, I get the impression that you've tried appealing to both the users and the powers that be without much success. It seems obvious that whatever solution you decide to implement is going to involve a lot of your own time and effort. I suggest you make it worth your while. I don't know what is your particular area of study, but it probably wouldn't be too hard to come up with a way to get some credits for working on this problem. The IT connection is obvious. If you are LA you should be able to work in an angle in psychology, sociology, even some sort of human/technology interface thing for the sciences. Two or three independent study credits might go a long way toward mitigating your frustration. Don't give up if the obvious professors are not responsive - it shouldn't be too hard to find an LA professor delighted to sponsor a program solving a technical problem with a humanistic approach.
As far as method...I suggest you take your lead from the hacker/cracker community. Implement a Social Engineering attack. There are many fine examples of specific techniques to be found in the comments of this thread. I especially like the "scarlet V" approach. I suggest the following:
- "anyone who gets infected is a lamer old school twerp who is so behind the technology curve that they can't even stop high school script kiddies from using them like zombie flesh puppets"
- "allowing your owned machine to infect the local net is dissing everyone in the dorm - especially if you are too clueless to know how to prevent it"
- "you're getting played, you clueless dork, every time you click that stupid 'yes' button it's like bending over and dropping your drawers"
I'm sure you can do a much better job coming up with the proper approach. Just remember that establishing the proper attitude is key - even a few people is a good start. Then public humiliation and shame will work wonders. One advantage of this solution is it will stay with the users after they leave the influence of a network tech fix. Hey, maybe you'll change the world. At least it could help you get a little closer to graduating - and add some stretch to your resume. It might also help you get a little more respect from the powers that be when you slap down your independent study paper with the big, fat 'A' on the cover.
billy - who went to UT - volunteer is NOT a dirty word