Forgot your password?
typodupeerror
The Internet Operating Systems Software

Handling User Grown Machines on a Large Network? 611

Posted by Cliff
from the where-infections-run-rampant dept.
matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"
This discussion has been archived. No new comments can be posted.

Handling User Grown Machines on a Large Network?

Comments Filter:
  • forcefully (Score:3, Insightful)

    by OriginalSpaceMan (695146) on Saturday August 30, 2003 @12:42PM (#6833344) Homepage
    Force them to login to an Active Directory domain and hand out updates...
    • Re:forcefully (Score:5, Insightful)

      by bob670 (645306) on Saturday August 30, 2003 @12:46PM (#6833383)
      Then who supports them when the latest Windows update hoses thier machine? It happens less than it used to, but I have one client who lets auto updates run, and one patch in paticular (810577) has brought network browsing to a crawl. We have done literally hundreds of test and narrowed it down to this patch, but neith the knowledge base, user community nor a direct (and expensive call) to MS support can fix his issue. Now he has users screaming about slow network browses to files and folders, time outs hitting their home-brewed data base and his phone never stops ringing. Now mulitply that by the body of a college campus?

      You'll need something more reliable than Windows if your plan is to mandate that sort of thing.

      • Re:forcefully (Score:3, Interesting)

        by shokk (187512)
        As the systems admin who will test those patches in a test lab before rolling them out to people, you will make sure that will not happen if you valuie that paycheck. Blindly checking off security updates for addition to the network is studipity no matter what the platform, wther you use up2date or MS AutoUpdate. For MS systems, having a SUS server helps centralize this process since you check off what you authorize to get pushed to the network. Active Directory policies can enforce this. Those that don
        • Re:forcefully (Score:3, Insightful)

          by sg_oneill (159032)
          As the systems admin who will test those patches in a test lab before rolling them out to people, you will make sure that will not happen if you valuie that paycheck. Blindly checking off security updates for addition to the network is studipity no matter what the platform, wther you use up2date or MS AutoUpdate. For MS systems, having a SUS server helps centralize this process since you check off what you authorize to get pushed to the network. Active Directory policies can enforce this. Those that don't w
        • Re:forcefully (Score:3, Insightful)

          by bob670 (645306)
          That sounds great in most cases, and it works perfectly in a controlled network. But in a school where students can carry in machines, where they can carry them offsite and connect to other networks, and where they can blindly apply upadtes without any testing, what your saying is just a good idea that won't happen.

          My client with the network browse issue won't listen to my advice about setting up a testbed for each model machine he has (which he can easliy afford, and he does have spare machines) or at le

      • Re:forcefully (Score:3, Informative)

        by Anonymous Coward
        Software update service (SUS) - MS website

        Basically it Windows update server that you run yourself, you can approve which update it allows clients to download.

        check it out.
      • by msobkow (48369)

        It's amazing how many students seem to have wiring problems after they crash the local nets on certain campuses. I just wish the same approach could be applied to home users.

        Many of the worms and viruses that bog the net have had patches for months or even years. I say if the patch was out three months ago, cut the user off at their ISP -- permanently.

        You can't drive without a license -- if you can't update, you don't know how to "drive" the internet. And no, I really don't care about the "rights" o

    • Re:forcefully (Score:5, Insightful)

      by Samari711 (521187) on Saturday August 30, 2003 @01:04PM (#6833530)
      what about the seniors who are still running 98. then you also end up slowing down student machines and you get a bunch of unhappy students. micromanaging a few thousand computers who's specs are all over the board will cause more headaches than it solves
      • Re:forcefully (Score:3, Interesting)

        by knghtrider (685985)

        That's when you set forth the rules.

        Windows 2000/XP only, if it's a Windows environment, or MAC otherwise. Any machines found online that violate the policy will be denied access, and the violaters fined.

        I know of a couple of small colleges that are MAC only; they don't support Windows machines of any kind. To ensure this, you buy the computer when you start your term--it's part of your tuition and fees. This way, no one brings in anything unauthorized from home.

  • responsibility (Score:4, Interesting)

    by NetMagi (547135) on Saturday August 30, 2003 @12:43PM (#6833357)
    You can only separate networks so much.

    If you make them bear some financial responsibility for not checking their machines first this might help.
    • Re:responsibility (Score:5, Insightful)

      by gykh (625487) on Saturday August 30, 2003 @01:00PM (#6833507) Journal
      If you make them bear some financial responsibility for not checking their machines first this might help.
      Are you sure about that? What are you going to fine for? Not having a secure enough computer? Everyone (i.e. /.) knows security holes appear every week, major ones every 4 months or so. Do you fine someone who just reinstalled windows and was just logging on to download patches and got hit? For getting a virus? How about we tax stupidity next?

      Students go to university to learn and give back some knowledge, not to constantly maintain their tools.
      • by Durandal64 (658649) on Saturday August 30, 2003 @01:28PM (#6833708)
        How about we tax stupidity next?
        We do. It's called the lottery.
        • by JaredOfEuropa (526365) on Saturday August 30, 2003 @03:03PM (#6834243) Journal
          You never played the lottery? Let me ask you another question.

          Do you have any kind of insurance?

          But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.

          I know I know, it's just a joke. Well, I just had to get this off my chest.
          • by HardCase (14757) on Saturday August 30, 2003 @03:39PM (#6834435)
            But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.


            Yes, but the key difference between insurance and the lottery is that the dangers that you purchase insurance protection for are real and have a statistically significant chance of occuring to you. The lottery ticket that you buy provides you with a statistically insignificant chance to win a pile of money.


            I agree that I would be pretty darn happy to have the winning ticket or an insurance policy if either one paid off, but my chances of needing the insurance are significantly greater (by orders of magnitude) than are my chances of winning the PowerBall.


            That doesn't even consider the different insurances that we are required to have by law or by contract. Get pulled over by the police without liability insurance and see what happens. Try to get a mortgage on a house without homeowner's insurance. How about getting a bank to finance a car without comprehensive and collision coverage? They require that coverage, not because the chances of needing them are greater than zero but because the chances of needing them are significantly greater than zero.


            Just food for thought, the Department of Transportation says that about 20 million vehicles are involved in accidents each year and an individual driver can expect to be in one, on the average, every six years. So, if I pay my $40 per month in liability insurance on my car, in 72 months I'll have paid $2880.00. Earlier this year, my wife got hit by a car in a low speed collision. After the medical bills, repair bills and rental car bills were paid, the grand total came out to be about $8000.00. Now, our insurance didn't pay, but you can bet that the other driver was damn glad to have a liability insurance policy.


            -h-

      • Re:responsibility (Score:3, Interesting)

        by jovlinger (55075)
        Most virii spread through user stupidity ("click on this executable" -- how many times will people fall for this?). So hold them accountable for virii they spread.

        Schnier (sp) has been singing this song (from a corporate standpoint) for a while: the only way M$ will secure their products, and the only way companies will think about secure networks will be if they are held accountable for damage they cause.

        He argues that security will be forced not by laws, but by insurance premiums. You (big corporation)
    • Public humiliation (Score:5, Interesting)

      by Aceticon (140883) on Saturday August 30, 2003 @01:17PM (#6833636)
      Forget about financial responsability. There is a simple, 2 part solution:
      1. Make available and easily accessible in your intranet the resources to keep their systems up-to-date and virus free - patches, Anti-virus, personal firewalls
      2. Publish in the most visibile place in the dorm buildings weekly compilations with the names of the "Most inept computer users in this dorm". Maybe you can spice it up with an introductory text that gives the impression that when you're saying "most inept" you actually mean "dumb as a door-knob"


      Naturally, if you're the BOFH type of network admin you can skip the first part ...
      • Maybe you can spice it up with an introductory text that gives the impression that when you're saying "most inept" you actually mean "dumb as a door-knob"

        You could have a comparitive scale down the side, comparing the most inept to 'brick', ranging through 'hammer' and 'cabbage' with the cleverest compared to, say, '$10 digital watch'. You could have little iconic pictures on the scale to give it some colour.

        Just my $0.02,

        Michael
      • by RandomCoil (88441)

        Publish in the most visibile place in the dorm buildings weekly compilations with the names of the "Most inept computer users in this dorm". Maybe you can spice it up with an introductory text that gives the impression that when you're saying "most inept" you actually mean "dumb as a door-knob"

        I don't think that's going to have the effect you're looking for. The board is going to filled with a weird combination of the wholly computer illiterate (who could care less about their picture being up on some wa

      • attn: geeks (Score:3, Funny)

        by Barbarian (9467)
        These girls need help with their computers.
  • Simple... (Score:5, Funny)

    by woodchip (611770) on Saturday August 30, 2003 @12:43PM (#6833358)
    just ban users from your network.
    • Re:Simple... (Score:5, Interesting)

      by carpe_noctem (457178) on Saturday August 30, 2003 @02:47PM (#6834156) Homepage Journal
      I know the parent was meant to be funny, but believe it or not, that's what my school did. They unregistered all cards [rose-hulman.edu] from their DHCP database and are requiring everyone to re-register on condition of passing a brief virus scan to get back on the network. Our network is set up to disallow external routing for any not-registered machines.

      I guess that's what they get for forcing everyone to migrate to XP last year...
      • Re:Simple... (Score:3, Interesting)

        by muon1183 (587316)
        A slightly less draconian measure which my school has taken is, upon detecting virus activity from a given computer on the network, it is removed from the DHCP database and kicked from the network. The owner of the computer is then notified that their computer is infected with a virus and not allowed to reconnect to the network until they have demonstrated the problem is fixed. One should note that our network has on the order of 50,000 computers attached to it, so this is definetely a scriptable solution.
    • Actually (Score:4, Informative)

      by KalvinB (205500) on Saturday August 30, 2003 @04:44PM (#6834783) Homepage
      at my University, they've started to do that. If your machine is spitting out garbage they kill your connection and call (e-mail) whoever is responsible for maintaing the system and notify them that they need to get the problem fixed before their IP will become active again.

      We havn't done it in our lab (there are multiple on campus) yet as there's no impending doom if we don't, but we're looking to secure our work area with a router that blocks all ports and then use 192.168.0.* IPs behind it. Which allows us to fresh install Windows or whatever and not have to worry about getting infected before we can get them up to date.

      It'd be trivial for a University to setup such an area and if a user is trouble, kill their connection and call them and tell them to bring down their system to the secured lab to be patched and fixed.

      My home network which has every flavor of Windows running was completely unaffected by the Blaster worm simply because I run a router intelligently.

      It's really not that hard to not get infected.

      Ben
    • Re:Simple... (Score:5, Insightful)

      by mistermund (605799) on Saturday August 30, 2003 @08:28PM (#6835700)
      At Carnegie Mellon, unregistered boxes are automatically routed to a web page that allows them to do temporary or permanent registration based based on MAC address. Once you register, your machine can access the network and DHCP. This allows for easy monitoring, notification, and disconnection of zombies.

      It's called AuthBridge [cmu.edu] and runs on a Linux machine with ethernet bridging and real time packet filtering based on the MAC address. See the link for technical descriptions, diagrams, and further details.

      Seems to work quite seamlessly as an end user, IMHO.
  • Domain logons (Score:5, Informative)

    by kevin_conaway (585204) on Saturday August 30, 2003 @12:43PM (#6833360) Homepage
    At my university, at least for the public machines, when you logon to the domain, a script executes that automatically patches your machine and runs fixblast and fixwelch. you might want to investigate into something like that
    • Don't forget, if you use this solution, to give users notice that you will install patches on their system, and make them accept this. If not, you could face serious legal issues.
    • Great idea, but... (Score:5, Interesting)

      by aetherspoon (72997) on Saturday August 30, 2003 @12:54PM (#6833448) Homepage
      ... when you go to a university where you do not log on to a domain in dorms.
      I've found that to be very common (including the Uni that I'm typing this at) since it is MUCH easier to set freshman up on movein day.
      Also, certain things do not work when you start logging onto domains. Example: XP's fast user switching. You'd have students complaining about the administration restricting their rights to their own computer, blah blah blah... then on top of it, automatically patching something. Legal nightmare. Works great for lab PCs, horrid for dorm PCs.
    • Re:Domain logons (Score:5, Interesting)

      by Spy Hunter (317220) on Saturday August 30, 2003 @01:12PM (#6833601) Journal
      I think that this is the perfect environment for an anti-worm. If the spread of such a worm was limited to the college's netblock, it could be easily controlled (luckily computer viruses don't spontaneously mutate) and it could be set to download all needed patches from a campus server, and destroy itself on command from the same server. Something like this could also be worthwhile on corporate networks. Why haven't antivirus companies caught on to this? They could sell customized anti-worms to small-to-medium size network owners. The problems of releasing an anti-worm on the Internet at large don't apply to smaller networks. You can get the permission of all the network admins before releasing the worm, and a central server can be used to control the infection, keeping track of which computers are patched and shutting down the worm when it has done its job.
      • Quickly! Someone establish solid prior art before some company patents it and starts charging licensing fees to virus writers!
      • I think that this is the perfect environment for an anti-worm. If the spread of such a worm was limited to the college's netblock, it could be easily controlled (luckily computer viruses don't spontaneously mutate) and it could be set to download all needed patches from a campus server, and destroy itself on command from the same server. Something like this could also be worthwhile on corporate networks. Why haven't antivirus companies caught on to this?

        Once the machine is owned by a virus, patching it an
      • Re:Domain logons (Score:3, Insightful)

        by slamb (119285)
        I think that this is the perfect environment for an anti-worm. If the spread of such a worm was limited to the college's netblock, it could be easily controlled (luckily computer viruses don't spontaneously mutate) and it could be set to download all needed patches from a campus server, and destroy itself on command from the same server

        A worm has a bunch of properties that aren't desirable here:

        • every machine probes all the others - this slows down the network, as we've all seen. Centralized machines w
  • Ban 'em (Score:5, Insightful)

    by larien (5608) on Saturday August 30, 2003 @12:43PM (#6833362) Homepage Journal
    If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.
    • i bet this works great with 20000 users. or not :(
    • Re:Ban 'em (Score:4, Interesting)

      by jaxdahl (227487) on Saturday August 30, 2003 @01:45PM (#6833798)
      here at Oklahoma State University, the IT department gave all the RAs in all the dorms and apartments a fix-it CD, all users must run the software on the CD regardless of whether they don't think they have msblast/sobig, etc.
    • If your network hasn't been infected yet you can be more proactive by scanning for vulnerable Windows machines instead of for Blaster traffic. Use Nessus or Eeye's free RPC scanner. Then ban any vulnerable machines. This should be done in addition to and not instead of scanning for Blaster because the "good" Blaster will download and install the RPC patch.
  • Possible solution (Score:5, Informative)

    by Phleg (523632) * <stephen@@@touset...org> on Saturday August 30, 2003 @12:43PM (#6833363)
    Do some intrusion detection on the network--possibly through Snort. If any machine is spamming out MSBlast messages or Sobig emails, drop their connection via MAC address and refuse to give them another DHCP lease. Then, when the person comes in to complain, let them know their computer was infected and flooding the network, and give them a floppy with the proper security patch on it.

    It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.
  • by gsperling (625206) <slashdot&glsrms,com> on Saturday August 30, 2003 @12:43PM (#6833367)
    ...tell students at registration that Windows machines are not allowed on the network, and that they must install Linux. This will not only clean up your network problems, but it will also give the students a sense of doing the right thing for their computers. Along with their free condoms, give 'em free Linux CDs.
    • by Phleg (523632) * <stephen@@@touset...org> on Saturday August 30, 2003 @12:47PM (#6833394)
      Because I'm sure that they'd far rather spend sixty times the amount of support costs trying to get users acquainted with Linux, rather than have their network flooded with virii every now and then.

      Now don't get me wrong--I'm just as much a die-hard Linux advocate as anyone, but it's just not feasible to tell every kid on a college campus to suddenly switch operating systems. They're going to need to figure out how, and you're going to be the ones to tell them. This is going to send your costs through the roof.

      He's trying to solve problems for his university, not create new ones.
      • Re:You could just... (Score:5, Interesting)

        by Jon Abbott (723) on Saturday August 30, 2003 @02:27PM (#6834031) Homepage
        Case in point -- back in 2000, even though I had about four years Linux experience by then, I managed to bring down Internet access for an entire dorm (about 900 students) for a week.

        It all started when I helped a friend install Linux on his new computer. Unfortunately, in addition to installing a DHCP client on his machine, I had accidentally flagged the DHCP server to install as well. What happened was that the DHCP server software on his new Linux box was challenging the Windows DHCP server that the dorm was using, and his machine won -- even though his DHCP server wasn't properly configured to hand out IP addresses to other clients. So, all of these other 900 students would turn on their computers, which would send out a DHCP request, and they would get a response from his computer instead of the real DHCP server, thus causing their computers to give up trying to connect to the network. Ironically enough, his computer connected to the internet fine, as it was the only one connecting to the real DHCP server (I guess that explains his super-fast connection during that week).

        Anyway, we had no idea that any of this was happening until we headed back to his dorm room one day, and found three network services guys looking in bewilderment at the computer (they had never used anything but Windows, so they had no idea how to fix it). They claimed that it took them a week to isolate the problem to his machine. They explained what was happening, and it then hit me that the DHCP server was also running on his machine, so I logged in, apt-get removed it, and the problem was immediately fixed. Not in their eyes though, as they made us talk to the head guy at network services... He gave us fair warning that if we did that again, our access to the network would be revoked (and rightly so!).

        The obvious moral of the story is, whereas most OSes give you just enough rope to tie a knot, Linux gives you enough rope to hang about 900 people. :^)
    • by YOU ARE SO FIRED! (635925) on Saturday August 30, 2003 @12:49PM (#6833414) Journal
      "Along with their free condoms, give 'em free Linux CDs."

      "Here. You'll never use this first item if you choose to use the second item. Have fun, and welcome to college."

      You are sooooo fired.
    • Riiight...Let's not let personal bias get in the way of answering the guy's question, shall we?

      As things stand today, the school's administrators would have to be certifiably insane to try something like that...Maybe in a controlled work environment you could get away with it, but not at a college- it'd be a toss-up between the tech support guys or angry students getting to kill you first.
    • You must be a steenking commie to even think of such a thing!

      That it would help solve the problem, educate students a bit - probably leaving them far closer to computer literacy than anything else they'll do in college ... Thats all irrelevant. You are proposing something that is clearly unamerican, anti-capitalist, communistic, anarchistic, anti-christian, and so on.

      I'd love to see it done.


    • Along with their free condoms, give 'em free Linux CDs.

      Dude... you gotta follow the rules. It's ( condoms XOR Linux ).
  • by TheWart (700842) on Saturday August 30, 2003 @12:44PM (#6833370)
    Here at my school, for the last week, starting about a day before freshman move in, they have had flyers *everyewhere* telling people not to hook up the network until they install this patch provided by the IT dept. Of course, there are still the bozo's that don't pay heed to the warnings....but there are lots of them in the world anyways.
  • one way. (Score:5, Informative)

    by grub (11606) <slashdot@grub.net> on Saturday August 30, 2003 @12:44PM (#6833371) Homepage Journal

    Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth throttled on the routers/switches along the say so the rest of the VLANs don't get choked by home-grown disasters.

    Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.

    Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.
    • VPN isolation (Score:3, Interesting)

      by xixax (44677)
      I just saw a presentation on a campus-wide wireless network.

      Because you cannot control who uses the wireless zone, it's treated as potentially hostile or untrusted and users must authenticate to a VPN.

      A nice side-effect of this is that the VPN in Windows routes all traffic via the VPN, letting them apply all sorts of policies "port 4444, I don't think so...". Blaster only affected users silly enough to bring in an infected machine.

      Perhaps a similar setup for the untrusted wired network too?
  • managed switches (Score:5, Informative)

    by Feyr (449684) * on Saturday August 30, 2003 @12:45PM (#6833374) Journal
    assuming your network is switched, and your switch are "manageables" (ie you can log in them remotely)

    you could have an IDS (or similar) with a rule looking for specific attacks (ie blaster). when you detect such an attack, fire off a script that shuts down the user's port on the switch. they'll bitch and moan that they can't access the net but you'll know who they are now and charge them a cleanup fee (make sure to include it in the terms of use)

    another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on mac address and only give them access once they passed the test. it does require more ressources tho, and ideally you'd still need the first option (in case where someone reinstall windows)
  • Time to diversify so that the target infestation isn't as large. But you can't tell people what OS to run, so as for protecting the network, not allowing email attachments is pretty harsh to some people, but I think it's what will need to be done in the long run.

    Email should be used for communication, not for transfering files.

    CB
    • Email should be used for communication, not for transfering files.

      The problem with prohibiting email attachments is that this essentially pushes students in the direction of running servers on their personal computers in order to transfer files. This would be a much larger security hole.

      If they're running Windows, they're likely to use the servers that come with the OS (http or ftp), which have much worse greater potential security holes than the email reader.

  • by eaglesnax (238705) on Saturday August 30, 2003 @12:45PM (#6833379)
    I think this was one of the approaches Stanford was going to take. No DNS for your machine until you get it checked out by their IT department.

    Chris
  • fix packets (Score:2, Informative)

    by zumbojo (615389)
    I work as a tech for a major midwestern university. Aside from offering a website with complete instructions, we published packets bundled with CDs that guide the students visually through the process of fixing Blaster and Welchia and installing Norton AntiVirus. With so many pictures in the guide we have yet to have anyone mess it up.
  • by aetherspoon (72997) on Saturday August 30, 2003 @12:47PM (#6833396) Homepage
    ... from another point of view.

    I'm a student at a university whose dorm network got nailed by blaster something fierce. Almost as bad as it was Klezed a couple years before. Anyways, because of all of this, the sys admins decided to completely eliminate the dorm network from the upper campus one - also cutting off 'net access - during school hours. This is a real big pain in the butt, and I'm actually hoping there are some great answers in this topic so I can give them to my sys admin.

    Of course, compounding the situation are seemingly (dunno if they actually are or not considering I've never even SEEN one before) incompetant dorm techs taking an entire day to clear out just one dorm building of ~50 rooms (2 people per room, but often less than 2 PCs per room...). Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

    I'm just annoyed because my room (along with my entire hall since I'm the resident 'hey, call him!' computer geek and have patched everyone) is completely free of blaster and its ilk, yet I have to deal with the people who either don't know to patch Windows often, or don't care.

    How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health classes' STD safety course, apply to computers basically), and I'm ineligable to become a dorm tech right now... anyone?
    • How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health classes' STD safety course, apply to computers basically), and I'm ineligable to become a dorm tech right now... anyone?

      Write your own exploit of the vulnerabilities that patches them, and force feed it to any computer spamming you with virus-born packets ;)

    • Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

      unfortunately not -- updating random systems is harder that it seems. When we got hit at our university i helped out cleaning a bunch of systems and I couldn't believe how long it took -- Win2k installs had to have Service Pack 4 installed before you could apply the security patch for the worm, other dependancies changed because of that, had to in
    • Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

      50 computers over 8 hours = 9.6 minutes per computer, average. This time includes knocking on doors, explanations, going back to get rooms which were closed for some reason, booting up computers and rebooting them, loading the patches on to the machine and installing them, and all the regular crap that goes with handling 50 different computers

    • The guy I share a bathroom with at NAU got the blaster worm before coming here, then called on me, the resident geek to fix it. It took roughly five hours to talk him through using a virus scanner, and then talking him through the fix. I finally gave up and refered him to the IT people.

      I know for Lovsan our school links you, before network registration, to a page with the fix. Then if you get infected they kill your access. Then send up a tech. Sad thing is the average user can't even figure out how t
  • At my school they've got monitoring software setup. If you're infected, you're dropped off the network. At the switch, no questions asked. If and when the student contacts the help desk as to why thier computer doesn't work on the network they're informed they're infected and told to bring thier machine down to have the patches applied.
    • Re:My Uni's policy (Score:2, Informative)

      by poj (51794)
      This is actually a very good idea. You block offenders in the switch. My school has done the same during this blaster episode, and I believe it has worked very well. Of course it helped that blaster came active before the start of the autumn term, because not all students had come here after the summer.

      And of course, block the right incoming traffic in the border routers.
  • Oh yes I do - TESTIFY! What's more, how can you even begin to troubleshoot an issue when you can't read Korean or Japanese (I work for an international school)?

    There are no easy answers. Fortunately, I work in a small school, so I take the time to try and do updates on each machine when they come in. We run adaware on each, and then install the network version of Sophos so they are protected from viruses.

    From that point, we have to hope that the firewall filters do their job in keeping out the junk, but i
  • by N8F8 (4562) on Saturday August 30, 2003 @12:50PM (#6833415)
    1. Block POP3 and SMTP access.
    2. Block trojan ports.
    3. Provide webmail access. (Even allow them to connect to their own email accounts elsewhere)
    Outlook and Outlook Express are the two largest vectors for virii.
  • DHCP tricks (Score:5, Funny)

    by TheSHAD0W (258774) on Saturday August 30, 2003 @12:50PM (#6833420) Homepage
    You ought to be able to tweak your DHCP so you can block machines that are broadcasting this badly by telling them their default gateway is localhost.
  • by b17bmbr (608864) on Saturday August 30, 2003 @12:50PM (#6833425)
    Chapter 2 Personal Computers
    No personal computers will be allowed unless they are running Linux, FreeBSD, OS X, or another variety of *nix. If you are bringing a PC, please see the installtion CD in the back of the Freshman orientation handbook. For installation instructions, find the guy in your dorm with long hair, glasses, birkenstocks, and a penguin on his shirt. For payment, beer will usually do. Or, if you are under 21, and can't find someone to buy for you, perhaps a bag of Starbucks will suffice. However, if you are a female, just acknowleging him at least once during the semester, when you are with your friends will be plenty.
  • Post lists (Score:5, Funny)

    by Maxwell'sSilverLART (596756) on Saturday August 30, 2003 @12:51PM (#6833433) Homepage

    Assuming you can identify the port from which the infected traffic is coming, post a list of all infected rooms on the front door of the dorms, with an explanation that "these computers are causing your network to suck."

    The problem will be fixed.

    • Re:Post lists (Score:3, Insightful)

      by wik (10258)
      This works until you find a smart-ass who TRIES to get to the top of this list. It's a status symbol in some sick and twisted world. Remember, you're dealing with geeks here...
  • Seeing as in this situation you wont be able to convince your students to switch:

    1) Require all machines to register their mac address via nice gui or website. This way when you use all the rest of the stuff mentioned here (snort, etc) you can easily track the student down.

    2) Run snort, router, acls, etc in a way to automatically blocks infected users. Or at the very least it should at least alert you of them. But blocking is best so that they dont spread the infection further on your network or to the
  • Good question (Score:3, Interesting)

    by RobinH (124750) on Saturday August 30, 2003 @12:54PM (#6833449) Homepage
    I hadn't thought of this implication. Unfortunately, it's not feasible to force the users to do anything in this kind of situation - that would be an administrator's nightmare.

    I'm assuming you have each computer connected to a central switch, right? What I would do is block all communication between the PCs on the network. Allow each one to get out to the internet through the firewall, but block them from connecting to each other. That would give them the ability to browse the web, check email, instant message, etc., without needing to worry about them setting up servers, file sharing, and trading viruses, etc., between each other. It's heavy handed, but at least you're still providing the service you're supposed to (internet connectivity).

    Just a thought. I'm not completely sure this is even feasible with a switch, but I would think so.
    • What do you think happens when *each* and everyone of them goes on KaZaA because they can't share anything? Not to mention how they'll whine about how they can't cooperate because no one can access the others' files (short of sending project documents back and forth via email or something).

      I don't think that thought it so well thought out....

      Kjella
  • by skroz (7870) on Saturday August 30, 2003 @12:56PM (#6833464) Homepage
    We have an incident response team that locates each individual infected host, then identifies the primary user of that machine. If they're unavailable, we install the patch and leave a message that they should come by our offices as soon as possible.

    Once the patch has been applied, we sit down with the user and assure them that they're not in trouble; everyone makes a mistake from time to time, and we have simple and effective means of dealing with the problem. Once they're calmed down and convinced that we're not upset with them, we wish them a good day and send them on their way.

    When they turn their backs, we shoot them in the back of the head and put their bodies on display in the courtyard as an example to the rest of the imbiciles that might practice unsafe computing.
  • by acehole (174372) on Saturday August 30, 2003 @12:59PM (#6833499) Homepage
    When the blaster worm hit, we had to work for a few days to clear the thing from the staff network.

    Now that we well and truly cleared it after much scanning to make sure, we've moved on to the on-campus student's network.

    We have to physically go to each room, patch and scan to remove both blaster and welchier.

    It's both an annoyance for us and the students who pretty much treat us like unwanted guests on their pcs.
  • My old ISP put their "setup" on a CD for ease of installation. just simple scripts that created detected the modem, configured DNS, and (here's the relevant part) set the IE homepage to www.isp.com.

    Bulk out a CD with the nessicary information and distribute them to the dorms. As part of the setup, point IE or netscape to someplace like http://housecall.trendmicro.com, or set up your own remote AV scanner. Make a completed scan part of the setup. If a machine doesn't do a complete scan, it doesn't get netwo
  • Tell them they will be disconnected if they let themselves be infected. Unplug them from the switch if they are.

    Provide everything needed to repair and secure computers on CD, so people can upgrade before they plug in and repair without being connected. Include detailed instructions.
  • Two ways of accomplishing this which I like. First Having students register their computers (yes it sets a burden on the IT dept) and running a small application that transfers the Mac address of the system to a central database.

    Yes, so maybe it's a bit paranoid, but statically assigning DHCP based upon mac address is an easy enough way to keep *most* non-technical (virus laden) people off the (IP) network.

    It also allows for a degree of control (umm... no your toaster oven can't be on the network.) Etc.
  • I would make part of the requirement of bringing in a computer be that they have to take it into a local computer shop and have their computer thoroughly inspected for viruses/malware/spyware etc... and require them to have that company sign-off on the computer. This will allow a strict anti-virus and anti-spy policy to be enforced at a level where you don't have to waste all of your time explaining what to do at someone who has little respect for you. Also, you should know that a lot of spyware etc out t
  • First, require PPPoE. I know it sounds terrible, but in the long run it will save you problems (because you'll be able to trace network issues not only back to a port, not only to a MAC address, but back to a student record). That should solve the "they've already put an infected device on the network" problem.

    For the "something else," you have to get creative. I know I'm probably overlooking some well-devised currently existing system, but if you created a system whereby the PPPoE client would not funct
  • Inspection (Score:5, Interesting)

    by DaHat (247651) on Saturday August 30, 2003 @01:09PM (#6833566) Homepage
    For years, the last thing the admins at my university wanted to do was inspect each computer before it was permitted to be on the network. This year they have broken down and are doing so, to be connected (wired or wirelessly) one of their employees must inspect the computer and make sure that they are not only completely patched, but also that they are running antiviral software (Norton ONLY).

    This is of course great in theory, until a week later when someone formats, 'forgets' to patch, brings their computer home, gets re-infected and comes back to school.

    Until patches become mandatory for many of these users, there is no way to prevent such a thing... short of finding the virus writers and skinning them alive during prime time, that might make some of these script kiddies think twice before doing what they do.
  • Here is what we do (Score:5, Interesting)

    by Anonymous Coward on Saturday August 30, 2003 @01:15PM (#6833620)
    In our residence halls, we have about 7500 people. What we have done is make a series of VLANs, centrally administered by VMPS. We have the regular VLAN for a building's users, a quarantine VLAN, and a blackhole VLAN. As we detect users that are infected, we move them to the quarantine VLAN where we have colocated a quarantine webserver via an 802.1q trunk. This server provides them with all the patches, av software and latest DATs. Once installed, the resident "signs" with their campus ID to verify that they have installed the various fixes, and they are moved back. If someone languishes in the quarantine VLAN for too long, we move them to the blackhole VLAN (which is essentially a defined VLAN that isn't trunked anywhere so VMPS can still legally place them there).

    This segmentation has helped dramatically. At one point, we were blocking nearly 800,000 icmp echo requests outbound/sec across all interfaces. Now? around 1k/sec. And that's over the last week.

    Now if I could just get past the residents who:
    1. Don't fix themselves because it was too much to read.
    2. Don't know how to use a web browser
    3. Don't know what a scroll bar is (!!!)
    4. Don't contact us for help, but instead go to the President and Provost's offices.

    Hang in there, segmentation helps dramatically.
  • by Durandal64 (658649) on Saturday August 30, 2003 @01:22PM (#6833667)
    Basically what we've done is burn a shitload of CD's with the Blaster patch on them, given them out to people with the worm and then encouraged them to distribute the CD's to their friends. We've also given those CD's to our local residential hall tech support people (the ones who actually go to the person's room and fix whatever problem; they are assigned by dorm).

    Recently, we've begun deactivated the ports of people who we've been able to trace the worm back to, having them call us, pick up the CD, install the patch and then having an RCC verify that the patch is installed before reactivating their ports. We've also closed off the ports that the worm is known to propagate through. We've still taken damage as a result of it, but I think we've managed to minimize it somewhat. In the meantime, I've been trying to convince the Mac users I support that they're not at risk. If you say, "impossible" enough times in a row, they start believing you. :)
  • My college [earlham.edu], in response to Blaster, Nachi, etc., recently told students to download a copy of Vexira Anti-virus, for which we have a site license. One of my non-CS friends (yes, /. geeks can have non-CS friends) did just that and, since she (yes, a female, at that) had little computing experience, deleted every infected file. I'm only a UNIX admin with very little Windoze experience, so I'm not sure if deleting the infected files had something to with it, but XP Home refused to go past the login screen. She has been going through something of a family crisis, so I was up until about 1 in the morning getting her machine back into working order without losing any data. I succeeded, but it was still pretty stressful. She didn't really care about having a clean computer; she just wanted a working computer.

    In short, just telling students to download and run a program they don't understand to clean up their computers isn't going to work. At best, no one's going to do it, and at worst, it's going to f*ck people's computers up, creating more of a support mess.

  • by Animats (122034) on Saturday August 30, 2003 @02:57PM (#6834203) Homepage
    I'd suggest putting a stateful firewall in which examines the traffic from each MAC address, validates the IP address, and only allows HTTP transactions by default. Provide webmail for students, so they don't have to run a mail client. Put them all on encrypting cable modems, so local machines aren't on the same LAN. All they can talk to is the headend firewall.

    In that configuration, they can surf the Internet freely, and can download anything they want, but can't mess up anyone else.

    That's the default configuration. Students who want more have to go through the exercise of securing their machines, after which both the student and the machine get tested. Then they get more access.

  • by _outcat_ (111636) on Saturday August 30, 2003 @04:23PM (#6834681) Homepage Journal
    I'm a student PC/Net tech at a small college (1500 students, 400 staff/admin/faculty). We use an AD domain to corral our users, so to speak.

    We did some testing with the Blaster patch before we encouraged our users to download it; I always check Bugtraq, personally, before I put anything on a machine I'm responsible for. Once we decided it wasn't breaking anything (at least it didn't break anything for us) we burned it to a whole bunch of CDs (with the Symantec removal tool, the Win2k patch, the WinXP patch, and the WinNT fix). Each RA/helpkid/tech also got a corporate edition of NortonAV on a disk (we have a site license) with instructions for students on how to update their virus definitions.

    Each RA got this disk. Each help desk kid (there are about 15 student help desk kids) got one, and the other five PC/net techs (other than me) got one. We marched around campus for about a week wearing very visible "TECHNOLOGY SOLUTIONS CENTER" T-shirts and essentially infiltrated dorm life with our antivirus software.

    Were there huge network slowdowns? Oh yeah. For the first day and a half when students came back there was little, if any, network connectivity. But the RAs were adamant about having the kids run the patches and install NAV. Did we use guerilla tactics, like disabling network ports or confiscating network cable? No, not at all. We just made help extremely visible, and with a horde of student tech workers getting $5/hr, it was not so bad for cheap labor for the college, either.

    You might bitch and moan and say that a college kid with a virus will never go talk to his RA, but we had mandatory floor meetings for every floor for every hall across campus, and when you've got 20 kids and one RA, it's pretty easy to reach the end users. Users only understand that "my computer doesnt work", and you can bet that a college kid at a small, tech-oriented campus will go see his RA if he knows his RA can help him. (If the kids think the RAs are totally bogus, then there's problems with administration that have nothing to do with computing and is for another thread entirely.)

    Do these tactics make Mac/Linux users feel discriminated against? I saw some whining in the comments about this, but guess what: Even if an RA is minimally intelligent in the realm of computing, he can PROBABLY tell a Mac from a PC. Mac users get left alone (like me.)

    Full network connectivity returned at about 9 in the morning on the day after move-in. (you'd be surprised how fast 30 RAs and 21 tech kids can move.)

    You might also bitch and moan and say that students shouldn't have L2 domain admins. Okay, I can understand that. One kid got forcibly removed from our staff last year for leeching software off a drive he had permissions to, so no, it's not a completely perfect solution, and a lot of trust is involved. But it worked okay for us and minimized a lot of headaches.

  • by RedSynapse (90206) on Sunday August 31, 2003 @01:38AM (#6836663)
    I work for tech support for a large (30,000+ students) university. This fall we're expecting as many of 30 percent of the machines coming to residence to be infected with a worm.

    To defend against this we're going scan all machines over the network during the registration process and if the machine is vulnerable the browser will get redirected to a webpage with the relevant patches which the client must apply or they won't be able to connect to anything but our internal authentication vlan.

    One of the reasons our networks get hammered during any worm incident is that there are so many machines connected to the network that just aren't patched ever.. Eventually we just have to manually shut down the ports infected machines are connected to and wait till clients call to complain to explain why they've been disconnected.

Entropy requires no maintenance. -- Markoff Chaney

Working...