Handling User Grown Machines on a Large Network?
matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"
Windows? I am seriously considering moving my smaller clients to Mac or Linux pretty soon; I'm drawing up the proposals today.
Force them to login to an Active Directory domain and hand out updates...
You talk better than you fool!
You can only separate networks so much.
If you make them bear some financial responsibility for not checking their machines first this might help.
just ban users from your network.
Only admit students intelligent enough to run a virus scanner if they are on a Micro$oft platform.
------ Take away the right to say fuck and you take away the right to say fuck the government.
At my university, at least for the public machines, when you log on to the domain, a script executes that automatically patches your machine and runs fixblast and fixwelch. You might want to investigate something like that.
If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.
Do some intrusion detection on the network--possibly through Snort. If any machine is spamming out MSBlast messages or Sobig emails, drop their connection via MAC address and refuse to give them another DHCP lease. Then, when the person comes in to complain, let them know their computer was infected and flooding the network, and give them a floppy with the proper security patch on it.
It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.
No comment.
At the switch level.
...tell students at registration that Windows machines are not allowed on the network, and that they must install Linux. This will not only clean up your network problems, but it will also give the students a sense of doing the right thing for their computers. Along with their free condoms, give 'em free Linux CDs.
Here at my school, for the last week, starting about a day before freshman move-in, they have had flyers *everywhere* telling people not to hook up to the network until they install this patch provided by the IT dept. Of course, there are still the bozos that don't pay heed to the warnings... but there are lots of them in the world anyways.
Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth-throttled on the routers/switches along the way, so the rest of the VLANs don't get choked by home-grown disasters.
Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.
Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.
Trolling is a art,
Assuming your network is switched and your switches are "manageable" (i.e. you can log into them remotely), you could have an IDS (or similar) with a rule looking for specific attacks (i.e. Blaster). When you detect such an attack, fire off a script that shuts down the user's port on the switch. They'll bitch and moan that they can't access the net, but you'll know who they are now and can charge them a cleanup fee (make sure to include it in the terms of use).
Another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on MAC address, and only give them access once they've passed the test. It does require more resources though, and ideally you'd still need the first option (in case someone reinstalls Windows).
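The "IDS rule fires, script shuts the port" idea above, as an added example that is not code from any poster: it reads Snort fast-format alert lines, keeps sources that trip the rule repeatedly, resolves them through an ARP table and a switch MAC-address table to a switch port, and emits IOS-style shutdown commands for an operator to review (dry run, nothing is sent). The alert lines, rule IDs, tables, addresses and switch names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines (rule IDs and messages invented for
# the example; they are not real Snort rule names).
SNORT_ALERTS = """\
08/25-10:01:02.111 [**] [1:1000001:1] LOCAL RPC DCOM exploit attempt [**] [Priority: 1] {TCP} 10.25.6.17:1045 -> 10.25.6.44:135
08/25-10:01:02.222 [**] [1:1000001:1] LOCAL RPC DCOM exploit attempt [**] [Priority: 1] {TCP} 10.25.6.17:1046 -> 10.25.6.45:135
08/25-10:01:03.333 [**] [1:1000001:1] LOCAL RPC DCOM exploit attempt [**] [Priority: 1] {TCP} 10.25.6.17:1047 -> 10.25.6.46:135
08/25-10:01:04.444 [**] [1:1000002:1] LOCAL tftp fetch from dorm peer [**] [Priority: 2] {UDP} 10.25.6.44:1033 -> 10.25.6.17:69
08/25-10:01:05.555 [**] [1:1000001:1] LOCAL RPC DCOM exploit attempt [**] [Priority: 1] {TCP} 10.25.6.90:1050 -> 10.25.6.47:135
"""

# Constructed ARP table (IP -> MAC) from the router and MAC-address table
# (MAC -> switch, interface) from the dorm access switch.
ARP_TABLE = """\
10.25.6.17 00:11:22:33:44:17
10.25.6.44 00:11:22:33:44:44
10.25.6.90 00:11:22:33:44:90
"""
MAC_TABLE = """\
00:11:22:33:44:17 dorm-sw1 FastEthernet0/17
00:11:22:33:44:44 dorm-sw1 FastEthernet0/44
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>TCP|UDP)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """One dict per recognised alert line; lines that don't parse are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]


def noisy_sources(alerts, min_alerts=3):
    """Source IPs that triggered at least min_alerts alerts. The threshold
    keeps a single false positive from cutting someone off."""
    counts = Counter(a["src"] for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= min_alerts}


def parse_arp(text):
    return {ip: mac.lower()
            for ip, mac in (l.split() for l in text.splitlines() if l.strip())}


def parse_mac_table(text):
    return {mac.lower(): (sw, iface)
            for mac, sw, iface in (l.split() for l in text.splitlines() if l.strip())}


def locate(sources, arp, mac_table):
    """Map each flagged IP to (ip, mac, switch, interface). A host missing
    from either table gets None fields and needs a manual lookup."""
    plan = []
    for ip in sorted(sources):
        mac = arp.get(ip)
        sw, iface = mac_table.get(mac, (None, None)) if mac else (None, None)
        plan.append((ip, mac, sw, iface))
    return plan


def shutdown_commands(plan):
    """Dry run only: IOS-style lines for an operator to review before pasting."""
    cmds = []
    for ip, mac, sw, iface in plan:
        if iface is None:
            cmds.append(f"! {ip} ({mac}): port unknown, look up by hand")
        else:
            cmds.append(f"! {sw}: {ip} ({mac})\ninterface {iface}\n shutdown")
    return cmds


if __name__ == "__main__":
    flagged = noisy_sources(parse_alerts(SNORT_ALERTS))
    plan = locate(flagged, parse_arp(ARP_TABLE), parse_mac_table(MAC_TABLE))
    print("\n".join(shutdown_commands(plan)))
```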
I really hope you're kidding. I hear this way too often, and it pisses me off. I know this is slashdot with a bunch of linux geeks, but I hope you all don't seriously think this will really happen any time soon.
Yeah, I like linux as much as the next geek, but in it's current state, there's no way the P2P'ing and IM'ing "normal" people are going to switch.
My sig can beat up your sig.
Time to diversify so that the target infestation isn't as large. But you can't tell people what OS to run, so as for protecting the network, not allowing email attachments is pretty harsh to some people, but I think it's what will need to be done in the long run.
Email should be used for communication, not for transfering files.
CB
free ipod and free gmail!
I think this was one of the approaches Stanford was going to take. No DNS for your machine until you get it checked out by their IT department.
Chris
I live in a college, about 30 people on my floor. All we could really do is go around and knock on everyone's door, see if they were running an affected system, and patch the hole and remove the virus if it was there. We couldn't really find any other way.
Another college did a bit more and made people more aware of it, and then went around to everyone's computer, but that wasn't hugely more successful. And seeing as it infected all labs etc. in the uni, and IT support are fairly incompetent (enough not to think to block that port at the routers), our entire network slowed to a crawl.
LART
It sounds to me like you should be stopping the problem closer to the source - at the switch.
Option B (assuming of course you guys use DHCP) is to flag network cards and not give them IP addresses.
It doesn't sound like an answer, but in the college environment all you can realistically do is damage control.
I work as a tech for a major midwestern university. Aside from offering a website with complete instructions, we published packets bundled with CDs that guide the students visually through the process of fixing Blaster and Welchia and installing Norton AntiVirus. With so many pictures in the guide we have yet to have anyone mess it up.
Just spam your network with the msblaster cleaner worm until everyone is clean.
yes, currently leading the way with 61% of web defacements happening to linux web servers....kickass OS you got there pal.
... from another point of view.
I'm a student at a university whose dorm network got nailed by blaster something fierce. Almost as bad as it was Klezed a couple years before. Anyways, because of all of this, the sys admins decided to completely eliminate the dorm network from the upper campus one - also cutting off 'net access - during school hours. This is a real big pain in the butt, and I'm actually hoping there are some great answers in this topic so I can give them to my sys admin.
Of course, compounding the situation are seemingly (dunno if they actually are or not considering I've never even SEEN one before) incompetent dorm techs taking an entire day to clear out just one dorm building of ~50 rooms (2 people per room, but often less than 2 PCs per room...). Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.
I'm just annoyed because my room (along with my entire hall since I'm the resident 'hey, call him!' computer geek and have patched everyone) is completely free of blaster and its ilk, yet I have to deal with the people who either don't know to patch Windows often, or don't care.
How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health class's STD safety course, apply it to computers, basically), and I'm ineligible to become a dorm tech right now... anyone?
--- Æther SPOON!
I don't use Windows. I haven't even noticed.
Right, because there are no P2P or I.M clients for Linux?
At my school they've got monitoring software set up. If you're infected, you're dropped off the network. At the switch, no questions asked. If and when the student contacts the help desk as to why their computer doesn't work on the network, they're informed they're infected and told to bring their machine down to have the patches applied.
Don't let them online. They're only going to download porn and trade mp3's and get you sued anyways.
Are you a VF grad? Check out the VFMA Alumni Forums.
Oh yes I do - TESTIFY! What's more, how can you even begin to troubleshoot an issue when you can't read Korean or Japanese (I work for an international school)?
There are no easy answers. Fortunately, I work in a small school, so I take the time to try and do updates on each machine when they come in. We run adaware on each, and then install the network version of Sophos so they are protected from viruses.
From that point, we have to hope that the firewall filters do their job in keeping out the junk, but it's certainly not perfect. We've often toyed with the idea of mandating our own dorm terminals, and know schools that do, but we're not ready for this kind of expense yet. Of course, in my environment, I have a bit more flexibility than you might in yours.
We do offer leased computers though, and this year we had more takers than ever - even though the price was as high as a fully equipped desktop system! Some parents just don't want to have to deal with the updating, anti-virus, and other issues. The obvious advantage to this is that we can start these systems out fresh and updated every year. It's tempting to lower that price a bit just to get more takers and therefore, less issues.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
Right. Let's see how many people are patching against those vulnerabilities. That "Linux is invulnerable" attitude is preventing many from even thinking about security holes in Linux. I see a major wake-up call coming...
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
"Along with their free condoms, give 'em free Linux CDs."
"Here. You'll never use this first item if you choose to use the second item. Have fun, and welcome to college."
You are sooooo fired.
- Block POP3 and SMTP access.
- Block trojan ports.
- Provide webmail access. (Even allow them to connect to their own email accounts elsewhere)
Outlook and Outlook Express are the two largest vectors for virii.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Just get copies of all the malignant viruses/worms and make versions of them that patch the machines. :)
FRA: STFU GTFO
You ought to be able to tweak your DHCP so you can block machines that are broadcasting this badly by telling them their default gateway is localhost.
is to do your network segments with Cisco switches. Catalysts and such run IOS just like Cisco's routers, so you can administratively (is that even a word?) take down any port/interface. Perfect for that kind of situation, and if the network is so clogged you can jack in on the console with a laptop.
good luck.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Never forget to water them and make sure they get plenty of sunlight.
You could set up the DHCP to only give out IPs to specific MAC addresses, leaving everyone else out in the cold. Then only add computers to the list as they are verified clean. Use an off-kilter subnet like 10.25.6.* to keep people from guessing it. Also only allow internet access to verified clean machines. Basically make them as non-functional as possible until you give them the go-ahead. Post notices on the dorm doors. Maybe sniff out "unauthorized" IPs and then track them down. Maybe bring a linebacker to strangle the little geek into submission. =)
I know this sounds like a hassle but it's the only thing that could force people to come to you.
Kyle
BASE Conflict for Quake 3
Assuming you can identify the port from which the infected traffic is coming, post a list of all infected rooms on the front door of the dorms, with an explanation that "these computers are causing your network to suck."
The problem will be fixed.
Moderate drunk! It's more fun that way!
How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health class's STD safety course, apply it to computers, basically), and I'm ineligible to become a dorm tech right now... anyone?
Write your own exploit of the vulnerabilities that patches them, and force feed it to any computer spamming you with virus-born packets ;)
No comment.
A lot of times, the easiest way to transfer files is to email them to yourself. Just attach your documents and pick them up when you reach your destination. Beats a floppy.
And that's in fact the best solution. Students usually use the computers for playing, trading mp3s or collecting pr0n. There are some courses where you need a computer - CS etc. But usually the departments have sufficient computer pools for their students. So students don't really need computers at the dorms. In fact, they usually keep them from learning. So a computer ban would increase their grades and their learning curve. And the value of computers for non-CS/programming related education has been proven to be nil.
Some ad hoc polls at my university have shown that students with less computer usage usually have the best marks. Interestingly this also applied to CS students, so computers at home don't seem to improve their understanding of computer science at all. A colleague of mine went even so far as to reject all hacker-type students (more than 50 hours of computer usage per week) from entering graduate courses, but I think he goes too far with this approach.
However, some departments (Maths/Liberal Arts/Chemistry) are lobbying hard to get a dorm-wide computer ban.
Owner of a Mensa membership card.
How about finding some other colleges with REAL plans for these situations so good that they are practically untouched by these worms..there are plenty out there....then bring a list of them to your admin and say..."Hey fuckstick, why are you so incompetent?"
Seeing as in this situation you won't be able to convince your students to switch:
1) Require all machines to register their MAC address via a nice GUI or website. This way, when you use all the rest of the stuff mentioned here (snort, etc.) you can easily track the student down.
2) Run snort, router ACLs, etc. in a way that automatically blocks infected users. Or at the very least it should alert you to them. But blocking is best so that they don't spread the infection further on your network, or to the internet via your fat pipe.
3) Buy a site license of the managed versions of Norton Antivirus for the dorms and hand one to every student as they walk in the door. Once they've installed it you can force the updates on to them.
... when you go to a university where you do not log on to a domain in dorms.
I've found that to be very common (including the Uni that I'm typing this at) since it is MUCH easier to set freshman up on movein day.
Also, certain things do not work when you start logging onto domains. Example: XP's fast user switching. You'd have students complaining about the administration restricting their rights to their own computer, blah blah blah... then on top of it, automatically patching something. Legal nightmare. Works great for lab PCs, horrid for dorm PCs.
I hadn't thought of this implication. Unfortunately, it's not feasible to force the users to do anything in this kind of situation - that would be an administrator's nightmare.
I'm assuming you have each computer connected to a central switch, right? What I would do is block all communication between the PCs on the network. Allow each one to get out to the internet through the firewall, but block them from connecting to each other. That would give them the ability to browse the web, check email, instant message, etc., without needing to worry about them setting up servers, file sharing, and trading viruses, etc., between each other. It's heavy handed, but at least you're still providing the service you're supposed to (internet connectivity).
Just a thought. I'm not completely sure this is even feasible with a switch, but I would think so.
"I have never let my schooling interfere with my education." - Mark Twain
Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.
Unfortunately not -- updating random systems is harder than it seems. When we got hit at our university I helped out cleaning a bunch of systems and I couldn't believe how long it took -- Win2k installs had to have Service Pack 4 installed before you could apply the security patch for the worm, other dependencies changed because of that, had to install and update the university version of Norton AntiVirus, which refused to install on many systems unless I started them in safe mode, etc. All in all, the half-dozen systems I cleaned up took several hours because of all the rebooting and screwing around that was necessary before the patch could even be applied.
The XP and 98 systems were a piece of cake, though.
Recursive: Adj. See Recursive.
We have an incident response team that locates each individual infected host, then identifies the primary user of that machine. If they're unavailable, we install the patch and leave a message that they should come by our offices as soon as possible.
Once the patch has been applied, we sit down with the user and assure them that they're not in trouble; everyone makes a mistake from time to time, and we have simple and effective means of dealing with the problem. Once they're calmed down and convinced that we're not upset with them, we wish them a good day and send them on their way.
When they turn their backs, we shoot them in the back of the head and put their bodies on display in the courtyard as an example to the rest of the imbeciles that might practice unsafe computing.
-- Minds are like parachutes... they work best when open.
Do you really like Linux as much as the next geek? I have the feeling that to write a comment like that you've never used it before. Never mind that the P2P clients on Linux are spyware-free, and the IM clients usually support multiple protocols? (AIM, MSN, Yahoo, Jabber, ICQ etc.)
To anyone who doesn't know - yes, Linux has these things.
That it would help solve the problem, educate students a bit - probably leaving them far closer to computer literacy than anything else they'll do in college... that's all irrelevant. You are proposing something that is clearly un-American, anti-capitalist, communistic, anarchistic, anti-Christian, and so on.
I'd love to see it done.
... not only is it the only way that I can send small files to myself from my Uni's own computer labs, but that doesn't stop out-of-uni-mail mailclients, or even MSBlaster considering it isn't a mass mailing worm.
Simplistic responses to complex questions are stupid. Steve Jobs would have said Mac, instead of Linux and we all know that Mac addicts are a stupid, religious bunch of idiots, so don't make Linux addicts out to be like them as well.
Wait until a Linux distro gains significant market share... then we'll see how well it fares against worms and viruses... sendmail, anyone???
Is that one person taking 8 hours to clean 50 machines? That sounds like a fine number, under 10 minutes per computer, which is what it would take to go to next place, start computer, explain to user what is going on, answer random questions for user, fix problem, move on. You think they are incompetent b/c it takes them less than ten minutes per? What exactly is wrong with that?
First they came for the menial jobs. I never spoke out because I didn't have a menial job.
Somebody has obviously made a serious mistake then. Can I suggest you apply at the sign of the Golden Arches to find something more commensurate with your intellectual abilities?
At my school (University of Maryland, College Park) we have to register the computer we're using on the port we're using.
Before you're doing that you have to download the patches and run a cleaning utility. So our network is pretty much 100% clean.
Do what I did... start your own tech support team. I figured out the most capable people, and they quickly became my assistants. They were good at fixing basic problems, and if it was something they couldn't handle, they brought it to me. Handle payment you best see fit, money or favors later.
It has already been said, but I have to agree. Install a box to just sit and record incoming packets (pref. a Linux box). Look at the logs; any computer showing signs of a virus should be taken off the network. You can tell by MAC address, which should (if you keep good records) lead to a specific port on a switch leading to their room. It seems harsh, but my school is doing this and it works.
I'd say this: basically, anyone who wishes to connect their machine to the network has to go sign a policy and at the same time be told to prove which AV software they are using. If they don't have one then I'd be looking at the licence for the establishment's current AV software, as ours (NAV) allows us to provide copies of it to students so they can use it 'whilst they are studying at our establishment', and it should be removed once they leave. I guess you could even go so far as only allocating IP addresses to authorised users, so if someone connects without agreement then they don't get an IP and can't use the LAN..... nry
When the blaster worm hit, we had to work for a few days to clear the thing from the staff network.
Now that we well and truly cleared it after much scanning to make sure, we've moved on to the on-campus student's network.
We have to physically go to each room, patch, and scan to remove both Blaster and Welchia.
It's both an annoyance for us and for the students, who pretty much treat us like unwanted guests on their PCs.
Be you Admins? nay, we are but lusers!
Let's face it. I'm a student. I'm lazy, and I don't read everything listing stuff I should do. So, to deal with that, AcIS (Academic Information Systems) at Columbia University doles out some hard but good justice.
If your computer is detected with a worm, clogging up the network, the router is configured to remove your machine from the network. A CD-R with the latest patches finds its way to the student's mailbox, along with a (gasp) phone message saying what's up. When the student can show somewhat that they're clean to the hall's student tech, they're let back on. It's probably not cheap to do, but it's effective and the easiest way to motivate people.
Recursive (adj.): see 'Recursive'
Where I go to school (I also work for IT here) we basically combine all the techniques everyone here described: a login script that scans for the patch and prompts the user to patch if the machine isn't patched, have the login script run an anti-virus tool, postering the ENTIRE college, recruiting residential life and handing out patch CDs to every RA on campus, and banning MAC addresses AND closing off ports via hourly scans of the network. So far it's been doing really well. The only problem we have now, actually, is the 5000 or so SPAM (and mostly infected) messages that comes in every hour, slowing our e-mail servers to a crawl.
read the bunni comic
I've been living the same problem in my University, and it isn't as big as US colleges with students living in dorms and most of them bringing their computers. While many of the other replies might work, like just blocking ports and waiting for people to complain, I know that for a big number of machines that would be a real pain to search for every single infected machine, so I don't find it a solution. Also, setting up a domain is hard if you don't know all the computers that come into it. So our solution to the problem has been to just segment our network as much as possible and block all traffic between VLANs; each of our VLANs grows to at most 255 hosts, so an infected machine won't hurt much.
7 people. On top of that, not all of the machines are infected and/or unpatched.
The problem with prohibiting email attachments is that this essentially pushes students in the direction of running servers on their personal computers in order to transfer files. This would be a much larger security hole.
If they're running Windows, they're likely to use the servers that come with the OS (http or ftp), which have much greater potential security holes than the email reader.
My old ISP put their "setup" on a CD for ease of installation: just simple scripts that detected the modem, configured DNS, and (here's the relevant part) set the IE homepage to www.isp.com.
Bulk out a CD with the necessary information and distribute them to the dorms. As part of the setup, point IE or Netscape to someplace like http://housecall.trendmicro.com, or set up your own remote AV scanner. Make a completed scan part of the setup. If a machine doesn't do a complete scan, it doesn't get network access.
There are some people that if they don't know, you can't tell 'em.
They are cutting off DHCP access to infected machines. In my department I have to go to these machines and give them a temp IP, patch them, and wait for the computing department to re-enable them. I'm not sure how they tell if it's infected or not, but this seems to be a workable solution. With students' PCs, however, passing around CDs with the patch seems a much better solution.
Tell them they will be disconnected if they let themselves be infected. Unplug them from the switch if they are.
Provide everything needed to repair and secure computers on CD, so people can upgrade before they plug in and repair without being connected. Include detailed instructions.
When someone might yell at me, it has to be OpenBSD.
Two ways of accomplishing this which I like. First, having students register their computers (yes, it sets a burden on the IT dept) and running a small application that transfers the MAC address of the system to a central database.
Yes, so maybe it's a bit paranoid, but statically assigning DHCP based upon mac address is an easy enough way to keep *most* non-technical (virus laden) people off the (IP) network.
It also allows for a degree of control (umm... no your toaster oven can't be on the network.) Etc.
The second way is to allow all, sniff out the nasty MACs (à la Snort) and statically set their DHCP to something nonsensical.
This is under the assumption that MOST people who are virus laden are not that tech savvy to begin with (No-AV, no Firewalls etc etc.) You can automate the process with some perl scripting but, this will get you some nasty phone calls.
You won't be voting for Bush then?
how have sysadmins out there delt with this?
Yay for hukd on phonix.
I would make part of the requirement of bringing in a computer be that they have to take it into a local computer shop and have their computer thoroughly inspected for viruses/malware/spyware etc... and require them to have that company sign-off on the computer. This will allow a strict anti-virus and anti-spy policy to be enforced at a level where you don't have to waste all of your time explaining what to do at someone who has little respect for you. Also, you should know that a lot of spyware etc out there will slow your network too... not just viruses.
Erutangis ym si siht.
First, require PPPoE. I know it sounds terrible, but in the long run it will save you problems (because you'll be able to trace network issues not only back to a port, not only to a MAC address, but back to a student record). That should solve the "they've already put an infected device on the network" problem.
For the "something else," you have to get creative. I know I'm probably overlooking some well-devised currently existing system, but if you created a system whereby the PPPoE client would not function with that particular computer until you (or one of your student flunkies) manually entered an OK password or token, you would be able to stop the devices from getting on the network.
The reason why I mention the above is if it requires a visit from someone to connect it to the network, you have the opportunity to verify the patch is installed. There should be a get-around mechanism as well, though, to allow certain clients (by MAC address connected to that one particular port only) to be excluded from this requirement (for all the non-MS computers, like Macs and Linux, and the occasional person running BSD who probably shouldn't be allowed on the network anyway because you know that motherfucker's just going to learn everything he possibly can about the place). If the issue ever arose that someone running something other than Windows switched to Windows on that PC and caused blaster havoc (which shouldn't be the case, since nearly every client should already be patched and you're doing filtering at the router), it would be easy to track them down.
I imagine you likely have an install faire every year or semester for all the new and incoming students, so you can sell them network cards and install them for them if they've never been on a network, and to briefly orient them to network policies like no-Kazaa, no haxoring, etc. This would be the perfect opportunity 1) to patch 90% of the incoming Windows computers and 2) to configure the client on the stations so when they take it to their room they can just sign on (likely with their campus email account and password).
Not allowing .vbs, .pif, .scr, .js, .bat, .cmd, and .exe attachments through the firewall is a start.
For years, the last thing the admins at my university wanted to do was inspect each computer before it was permitted to be on the network. This year they have broken down and are doing so, to be connected (wired or wirelessly) one of their employees must inspect the computer and make sure that they are not only completely patched, but also that they are running antiviral software (Norton ONLY).
This is of course great in theory, until a week later when someone formats, 'forgets' to patch, brings their computer home, gets re-infected and comes back to school.
Until patches become mandatory for many of these users, there is no way to prevent such a thing... short of finding the virus writers and skinning them alive during prime time, that might make some of these script kiddies think twice before doing what they do.
Help Brendan pay off his student loans
My college requires Tech Services staff to register all computers manually, and before they do that they scan for viruses. If you've got a laptop you take it to them and they deal with it. Desktops are a little harder, as they have to come to you, but it happens. The end result is a slower setup time, but a more secure network.
The government figured this out a long time ago. Take the power out of the people's hands.
1) Define internet access as a privilege, (rather than a right).
2) Require signature from students that they will perform required software maintenance.
3) Have DHCP only give leases to pre-registered MAC addresses.
4) When problem arises, pull student's access. First chance to prove it has been fixed is in a month. The first one or two will whine and complain. Everyone else will fix their machines. :)
(Flames from undergrads > /dev/null)
They do this at my University and it's a very good system. On the first day of school you plug your computer into the network. DHCP gives you an internal IP address, and all your HTTP requests go straight to a registration web server; you cannot get off your immediate network segment without registering. The registration process ties your student ID to your MAC address and also runs Microsoft's own tool Hfnetchk.exe against your PC. If you're missing hotfixes (aka notfixes) you can't register. I'm not sure how (go Linux), but I'm guessing they provide you with the hotfixes since you can't leave the network. This should help a lot in the first week's mad rush for computer access.
Dear Student:
....
We look forward to your return to campus in a few weeks.
As you know, serious computer viruses and "worms" were released into the Internet in August. Because Northwestern is a community that depends upon computers for instruction, administration and research, YOU MUST TAKE ACTION TO "CLEAN" AND "PROTECT" YOUR COMPUTER BEFORE BRINGING IT TO CAMPUS. Any computer found to be infected - or found to be vulnerable to infection - will be excluded from the campus network until it has been cleaned and protected. Depending upon the volume of computers excluded from the network, it may take two or more WEEKS until technical staff can assist you to clean and protect your system.
And then shut the ports on the access switches.
Arbor Networks has a great anomaly-detection system which can be used with NetFlow in order to identify machines on your network behaving oddly, then shut their ports or use VACLs to block the relevant MAC addresses across your network until they call the help-desk and go through the scrubbing/remediation process.
And charge them for this - nothing's sure to get their attention (and that of their parents) like a $250/incident 'virus remediation charge' which must be paid, like any other student fee, if they expect to get their grades.
If someone wrote a variant of the worm that infected via the same method, killed the other worm if it were there, patched the system, tried 1 round of infecting other machines and then deleted itself.
I don't advocate such a thing, since it would also be wrong and illegal; but it would be interesting.
Come on man, 480 minutes spent on 50 machines is 9.6 minutes per machine.
Taking into account that this includes walking around and hunting down stray room inhabitants, booting machines that are off and explaining what's going on to the ignorant, this actually seems quite fast to me.
How do you give out IP addresses? Whatever the method don't do so until the machine has been quarantined and certified free of viruses. That means they have to take their machines to some office where they plug in and boot up and are checked for viruses, inoculated if needed then certified virus free. The certification would need to be carefully thought out. But it's doable.
http://tinyurl.com/3t236
Put them all in one Domain, turn on Active Directory, purchase eOrchestrator from Network Associates and it will install virusscan on all of them and update them according to the policy. You can also force clients to install the windows update patches this way. We do this where I work and it keeps 95% of the machines updated with all microsoft patches and new virus dats with little to no work. Sure..our pocketbook is a whole lot lighter but so is our workload.
Why have most of the solutions to this problem suggested so far been punitive? "Fine em, Ban em," etc. This attitude pervades the tech industry. In case you forgot, the fact that someone maintains a network doesn't give them ownership of it, especially at a university. If I am a university student, then it's much closer to being MY network than the admin's. How about some more creative ideas from some GOOD admins.
I think it's the fact that Linux sucks shit.
I doubt this was what the original poster meant though.
50 computers over 8 hours = 9.6 minutes per computer, average. This time includes knocking on doors, explanations, going back to get rooms which were closed for some reason, booting up computers and rebooting them, loading the patches on to the machine and installing them, and all the regular crap that goes with handling 50 different computers with 50 different setups. Honestly I would say that 10 minutes per computer is simply amazing. These guys must be supermen to get a whole dorm patched in a day, unless they come in with an army of a dozen techs.
What can a student do? Preach alternative systems. Wean people off of Microsoft Windows entirely. I run 2 labs of a dozen Macintosh machines running Mac OS X and I haven't had to lift a finger to do much of anything for more than a year. The machines run perfectly and just laughed at all of the viruses, worms, trojan horses, and other problems that Windows computers have had to deal with. The same, I'm sure, is true of BSD and Linux based operating systems.
Take a look at the history of the Irish potato famine. The main cause of this horrible piece of history was a simple fungus. It spread so suddenly and completely because to grow potatoes quickly you can simply cut up one potato and plant the pieces. Each new plant is a genetic clone of the original potato. Thus when a disease hits one plant it quickly spreads and hits them all, turning a simple disease into an epidemic. The same is true of computers. A monoculture of Windows machines are much more vulnerable to the spread of computer infections than a mix of operating systems. Having one operating system dominate over 90% of the market is simply not healthy.
Dare to know!
In our residence halls, we have about 7500 people. What we have done is make a series of VLANs, centrally administered by VMPS. We have the regular VLAN for a building's users, a quarantine VLAN, and a blackhole VLAN. As we detect users that are infected, we move them to the quarantine VLAN where we have colocated a quarantine webserver via an 802.1q trunk. This server provides them with all the patches, av software and latest DATs. Once installed, the resident "signs" with their campus ID to verify that they have installed the various fixes, and they are moved back. If someone languishes in the quarantine VLAN for too long, we move them to the blackhole VLAN (which is essentially a defined VLAN that isn't trunked anywhere so VMPS can still legally place them there).
This segmentation has helped dramatically. At one point, we were blocking nearly 800,000 icmp echo requests outbound/sec across all interfaces. Now? around 1k/sec. And that's over the last week.
Now if I could just get past the residents who:
1. Don't fix themselves because it was too much to read.
2. Don't know how to use a web browser
3. Don't know what a scroll bar is (!!!)
4. Don't contact us for help, but instead go to the President and Provost's offices.
Hang in there, segmentation helps dramatically.
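As an added example (not the poster's VMPS/Arbor setup, and not code from the thread), the following Python sketches the detection and VLAN-move logic described above: flag hosts whose flow records show a Welchia-style ICMP echo sweep or a TCP/135 scan, move them to the quarantine VLAN, and blackhole them if they languish there. The flow record format, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Thresholds per one-minute window (assumptions for this example).
ICMP_SWEEP_DISTINCT_DSTS = 50   # Welchia/Nachi pings whole ranges to find hosts
RPC_SCAN_DISTINCT_DSTS = 30     # Blaster/Welchia then probe TCP/135 on many hosts
QUARANTINE_GRACE_DAYS = 7       # languish longer than this -> blackhole VLAN


def build_sample_flows():
    """Constructed flow records for one window: (src_mac, proto, dst_ip, dst_port)."""
    flows = []
    infected = "00:aa:00:00:00:01"
    for i in range(1, 121):                      # sequential ping sweep of a /24
        flows.append((infected, "icmp", f"10.20.1.{i}", 0))
    for i in range(1, 41):                       # followed by RPC/DCOM probes
        flows.append((infected, "tcp", f"10.20.1.{i}", 135))
    browser = "00:bb:00:00:00:02"                # ordinary web user: few destinations
    for dst in ("192.0.2.10", "192.0.2.11", "198.51.100.5"):
        flows.extend((browser, "tcp", dst, 80) for _ in range(20))
    gamer = "00:cc:00:00:00:03"                  # a handful of pings is not a sweep
    for i in range(1, 6):
        flows.append((gamer, "icmp", f"10.20.1.{i}", 0))
    return flows


def find_scanners(flows):
    """Return {mac: [reasons]} for hosts whose fan-out looks like worm scanning.
    Distinct destinations, not raw packet counts, separate a sweep from a
    busy download."""
    icmp_dsts = defaultdict(set)
    rpc_dsts = defaultdict(set)
    for mac, proto, dst_ip, dst_port in flows:
        if proto == "icmp":
            icmp_dsts[mac].add(dst_ip)
        elif proto == "tcp" and dst_port == 135:
            rpc_dsts[mac].add(dst_ip)
    suspects = {}
    for mac in set(icmp_dsts) | set(rpc_dsts):
        reasons = []
        if len(icmp_dsts[mac]) >= ICMP_SWEEP_DISTINCT_DSTS:
            reasons.append(f"icmp echo sweep of {len(icmp_dsts[mac])} hosts")
        if len(rpc_dsts[mac]) >= RPC_SCAN_DISTINCT_DSTS:
            reasons.append(f"tcp/135 scan of {len(rpc_dsts[mac])} hosts")
        if reasons:
            suspects[mac] = reasons
    return suspects


class VlanPolicy:
    """Tracks which VLAN each MAC belongs in: users, quarantine or blackhole."""

    def __init__(self):
        self.vlan = {}              # mac -> vlan name (absent means "users")
        self.quarantined_on = {}    # mac -> day number it entered quarantine

    def assign(self, mac):
        return self.vlan.get(mac, "users")

    def quarantine(self, mac, today):
        """Move a detected scanner to the quarantine VLAN (patch server only)."""
        if self.assign(mac) == "users":
            self.vlan[mac] = "quarantine"
            self.quarantined_on[mac] = today

    def attest_fixed(self, mac):
        """Resident signed with their campus ID that patches and AV are installed."""
        if self.assign(mac) == "quarantine":
            del self.vlan[mac]
            del self.quarantined_on[mac]

    def sweep(self, today):
        """Anyone still in quarantine after the grace period goes to the blackhole VLAN."""
        for mac, day in list(self.quarantined_on.items()):
            if today - day > QUARANTINE_GRACE_DAYS:
                self.vlan[mac] = "blackhole"
                del self.quarantined_on[mac]


if __name__ == "__main__":
    policy = VlanPolicy()
    for mac, reasons in find_scanners(build_sample_flows()).items():
        print(f"{mac}: {', '.join(reasons)} -> quarantine")
        policy.quarantine(mac, today=1)
    print(policy.vlan)
```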
In the defense of the "incompetent dorm techs" they probably had to deal with:
- students who weren't in their rooms
- students who figured someone else touching *their* machine was an invasion of their privacy (especially the 50 gig of mp3's)
- students who were in their rooms and didn't want to be disturbed
- the 133t hAx0rZ who thought it was uB3R k3W1 to archive their old (infected) systems and reset the machine as soon as the techs had left.
Having been the "oh call her" person for a(n administrative) department at a university I know what students can get up to.
If they re-install windows later, and are re-infected, repeat 1-3. This is what we do at work (admittedly, a major corporation who may have a lot more money for network equipment and personnel), and it works quite well.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
Set up a DHCP/iptables Linux firewall. I run a script that monitors the net for a rush of packets (ICMP/port 135/smurf attack); it works great! Here's the algorithm, written out as a shell script any net admin should be able to adapt. You basically capture 1000 packets, count the packets per source host over that time, and if a host is pushing 90% or more of them you DNAT it:

    #!/bin/sh
    # Capture a fixed sample of packets, count them per source host and
    # send any host responsible for THRESHOLD percent or more of the sample
    # to the quarantine web server.
    IFACE=eth1                # interface facing the users (placeholder)
    QUARANTINE=192.0.2.1      # quarantine web server (placeholder)
    SAMPLE=1000
    THRESHOLD=90
    while true; do
        t0=$(date +%s)
        packetlist=$(tcpdump -nn -i "$IFACE" -c "$SAMPLE" 2>/dev/null)
        t1=$(date +%s)
        totalscanseconds=$((t1 - t0))
        totalpackets=$(printf '%s\n' "$packetlist" | grep -c ' IP ')
        echo "$totalpackets packets in $totalscanseconds s"
        # tcpdump prints "... IP src[.port] > dst[.port]: ..."; keep the four
        # octets of the source address and drop any trailing port number
        printf '%s\n' "$packetlist" \
            | awk '$2 == "IP" { split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }' \
            | sort | uniq -c | while read -r count ip; do
            if [ "$((count * 100))" -ge "$((totalpackets * THRESHOLD))" ]; then
                iptables -t nat -A PREROUTING -s "$ip" -p tcp --dport 80 \
                    -j DNAT --to-destination "$QUARANTINE"
            fi
        done
    done

And voila! All users flooding the net are automatically forwarded to a "you are quarantined" website no matter what. All packets are dumped before they go any further. I can easily handle 500 - 700 connections with a dual AMD 1800 CPU / 500 MB RAM, dual NICs, set up as a DHCP server.
Not for 7 people.
That is, what, ~68 minutes per machine? On top of it, not all of the machines are even infected to begin with...
--- Æther SPOON!
Naturally, if you're the BOFH type of network admin you can skip the first part
Whatever man, people have some really crappy PC's and they almost *all* have tons of spyware up the wazoo. You try to just do something simple like patch and scan for a virus, but things can easily turn into a nightmare. It often does.
7 techs checking ~100 PC's and cleaning 50 in 8 hours (including lunch) doesn't sound unreasonable to me.
How many times have you sat at someone's PC when they are standing there - they try to get you to fix every little problem they have had. You can say no, but every time you do it's at least another minute or so off the clock.
- It's not the Macs I hate. It's Digg users. -
Well, there's an easy solution to this problem. Use manageable switches/hubs in the dorms, and set up honeypots here and there.
If a machine hits a honeypot, and it can be as simple as a box running snort- your script logs into the switch/hub, and shuts off that port. Email the user registered to that port, because one of the first things they'll probably do is try to check their email from somewhere else, like a lab.
If you want to get really fancy, the script INSTEAD switches them to a different VLAN which is heavily firewalled and doesn't let them do squat- every page turns up a "your system is infected, please go here(link) to download patches/antivirus software"(and of course those are the only places the firewall lets them go). They get a button that shows up a half hour later that lets them re-try connecting their system to the main network, so late-night infections don't keep them from finishing a paper or something.
The EXACT same thing happened here at our school; as an added problem, our dorm access control system (on the doors) was on the same network and therefore flooded with the ARP requests from Nachi/Welchia worms (tens of thousands of ARP broadcasts per second). Practically everyone at school uses our school portal my.snu.edu (there is a demo if anyone is interested), so we made the login page redirect to a PHP script on a Linux box which would detect both the vulnerability and the infection. The infection can be detected by looking for a responsive tftp port; here is the script http://web.snu.edu/~jbrindle/scan.phps and the source code for the rpc-dcom checker is at http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-08/0038.html
Hope this helps!
Please explain to me how you plan to hide your IP address. Are you suggesting security through obscurity, the preferred MS method?
Basically what we've done is burn a shitload of CD's with the Blaster patch on them, given them out to people with the worm and then encouraged them to distribute the CD's to their friends. We've also given those CD's to our local residential hall tech support people (the ones who actually go to the person's room and fix whatever problem; they are assigned by dorm).
:)
Recently, we've begun deactivated the ports of people who we've been able to trace the worm back to, having them call us, pick up the CD, install the patch and then having an RCC verify that the patch is installed before reactivating their ports. We've also closed off the ports that the worm is known to propagate through. We've still taken damage as a result of it, but I think we've managed to minimize it somewhat. In the meantime, I've been trying to convince the Mac users I support that they're not at risk. If you say, "impossible" enough times in a row, they start believing you.
The guy I share a bathroom with at NAU got the Blaster worm before coming here, then called on me, the resident geek, to fix it. It took roughly five hours to talk him through using a virus scanner, and then talking him through the fix. I finally gave up and referred him to the IT people.
Now before all the /.'rs get on the "install Linux on everyone's box" rant, I'm going to highlight the main problem: the end users' ignorance about computers. The average college student thinks of his/her computer as an appliance, and thinks of Windows Update as that pesky taskbar icon that keeps on screaming at them.
I know for Lovsan our school links you, before network registration, to a page with the fix. Then if you get infected they kill your access. Then send up a tech. Sad thing is the average user can't even figure out how to get to the patch even with a page linking to it.
Also, administering a small office network of 20-100 people is an easy task, or EASIER, than handling 5,000 students with no computer skills. In an office network you can set up the computers to use whatever software you want, like not allowing Outlook on work machines, or whatnot, but in a college network you have 5,000+ different configurations.
As for solutions, I have no clue, though. I guess the only way is to just block access of the infected, which kinda sucks since it HAS to be after the fact. Perhaps you could force people joining the network to take a small online class, download your supported virus-scanner, and whatever fixes exist before registering their machine. Then as new threats come out, make new required online lessons needed to keep network access.
A patriot must always be ready to defend his country against his government. -edward abbey
Using traffic shaping you can limit the impact of the flooding. I'm not sure whether all routers can do that but I think with a linux router you can share all available bandwidth equally among all hosts......
1) Dorm techs have keys. :P
2) It is, but they do it anyways. Part of my dorm contract if I remember correctly.
3) I can actually understand that, but that doesn't defend why 7 techs took 8 hours to clean a hall of computers...
4) Athlete dorm. Yeah, it is a gross generalization, but chances are that they wouldn't be the ones doing that. Even if they did, then they are stupid. Not much you can do about that.
You can make sure people install the patches, but what if someone re-installs windows
This is one of the problems I have with MS's patching policy. The last reinstall of Windows XP that I did took 3 1/2 hours on a cable modem to download and install all of the patches from MS's site! On a cable modem! How many people who only have dial-up are actually going to sit through this?
Significant market share?
According to IDC (idc.com), a leading IT research consultancy, Linux market share within the Web server sector stands at approximately a third and will grow to 41 per cent by 2005.
One third of all web servers run Linux. That sounds like significant market share to me.
First, I've adminned only small networks (10-20 machines) but I think the following should work. It seems to work for my DSL provider:
Set your router to permit only PPPoE connections to and from workstations. Then, hand out CDRs containing your favourite DSL implementation. Fix it so the other end of the PPPoE connection empties out into some safe IP space which is not contiguous with that of the rest of your gear. Finally, make sure that the connections are well-throttled. If you can, write some scripts to automagically decrease a user's bandwidth if excessive activity occurs on port_related_to_latest_ms_hole.
PPPoE is just one option though; any technology which allows you to tunnel all the user's networking should suffice. (IP/SEC VPN, say. )
Remember, it's your students' problem, not yours. Warn them, but furnish them with enough rope to hang themselves by, whilst avoiding the tangle yourself.
- undoware.ca
We're taking a 2 pronged approach. IDS (snort) as well as actively scanning and reporting port 707/tcp open.
.edu these would include dorms, .biz, conference rooms, etc. These should be treated as wireless segments with only defined port access via firewall where traffic is monitored: untrusted. Treat it like the internet.
The muck begins with identifying those systems which are managed (patched by us) and those which aren't. They can break down to 1) assets which were deployed incorrectly, 2) assets which the update process is 'broken' for whatever reason. 3) mobile assets (notebooks) which appear on different segments.. their 'home' location gets lost and 4) untrusted systems (unmanaged systems).
The impact of Welchia/Blaster.D infected systems was an internal DoS attack, a very small percentage of the above issues caused major problems.
Among other things, it's an asset management issue. Tighter controls and processes - and retrofitting an existing deployment is difficult at best. All infrastructure functions (network, systems, etc) must be co-ordinated to accomplish this.
Tracking down 'broken' systems where the update process isn't functional should be a priority. When they are mobile assets, it becomes difficult because the customer/user doesn't perceive a problem - why should they have to bring in the machine?
The last is a development of policy toward unmanaged systems on the network. At an
This whole episode points to major weaknesses in infrastructure design and policies/procedures. Hopefully some things will be implemented before the pain is forgotten.
The above applies to any implementation, not just MS WIN infrastructures...
Simply disabled everyone's internet and said too bad so sad. They then forced us to run a 15 day trial of McAfee on our computers before they even considered enabling us again. Only after we ran the virus scanner did they nmap our computers to look for open ports, and after they were sure we didn't have any did they enable us.
In college, really poor, need a flatscreen.
Routinely, since the dorm techs are so incredibly slow at everything, I'm the one that fixes most of the computers in my dorm. I just say "maybe later". Not hard. *shrug*
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
SEVEN people??
OK, you got me. Sounds somewhat excessive.
I've never been in exactly the same situation as you, but I do work (for about 4 weeks) in one of the administrative offices at a very large university. The network here is highly departmentalized. OIT controls the grand scheme. Then each college or department manages their own systems. Then there are subdivisions of those departments which also manage their own systems. Sometimes there are firewalls in place, sometimes there aren't. Sometimes systems are patched, often they are not. When it comes down to it, sometimes the person in control of keeping a small office patched up is just a student employee. As such, we have problems similar to those caused by your students.
To combat the problem, OIT has started to perform vulnerability scans across the network. If a machine is found to be vulnerable, they are (automagically?) disconnected from the network. I'm not sure how well received this method is, but it appears to work. A week before the big DCOM worm came out, OIT performed a scan and kicked off all of the vulnerable pcs. They made a big deal about how they were going to be doing it before hand also so admins had time to make sure they were patched up. As a result, I think we had very few problems across the campus.
I don't know how well this kind of strategy would work against average students. There would probably be a lot of resentment/confusion at first, and probably a lot at the beginning of each year and quarter. You'd have to find a clever way to distribute patches to disconnected machines and you'd also have to find a good way to let people know what has happened. On the bright side (for you) since we are talking about dorms, everyone in the dorm probably knows of at least one computer person they can go abuse for help when their machine can mysteriously no longer connect to the net.
Yes, I realize that numerous P2P and IM clients exist for linux. I was using P2P and IM to describe a certain type of people. Maybe it would be more accurate to call them AOLers. I'm referring to the mass of people who would have trouble doing any sort of administration on linux.
My sig can beat up your sig.
I am an RA at a college and we have had this problem. We were all handed CDs containing the patch and the SPs to install when ppl got shut off. They are scanning the network nightly and shutting off MACs when they come across an infected one. We are a week into having residents on campus and for the most part the problem has been solved. They are working on setting up an initial scan so when you first come to the dorms and you sign in, it will scan your machine and tell you what updates you have to get before you will be able to login. They also have the registration for all the computers set so they can dump it at any time and make everyone re-sign in if a new virus comes out. The way it sounded is that they will have this set up by next fall when classes start in 04.
The large corporation that I work for just formally adopted a policy that if you are running VPN on your home computer to access the corp network, you must run antivirus software and be patched up. If your home PC sends any blasters or anything else that trend's office scan recognizes, your (VPN) account is disabled, and you must personally get sign-off from a director or higher to be re-instated.
Fines. Send out a campus-wide notification that the owner of any personal computer that is found to be infected with a virus or a worm will be subject to a fine of $25 per day for each day the infected computer is connected to the university network.
Imagine the parking situation if parking enforcement couldn't dole out fines. Thankfully, they can, so all those "no parking" signs carry some weight. If you want to get people to not be ignorant asses over something, hit 'em in their bottom line. It works every time.
Fun with Anagarams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
Get managed switches. If they're spewing Blaster, turn'm off. Once they've fixed it, let them have their network access back.
Why?
My .edu (ITT Tech) does not allow *any* unknown devices on their campus networks. You can be expelled for trying that. Its landline only, so wireless isn't possible. To do a demo or something, you must have it approved by your instructor; presumably it goes up the authority chain from there.
I actually approve of this, despite trying to demo linux on an NT/2k network. Ultimately, the problem is one of enforcing policy at the machine level. What if there *is* no policy?
C|N>K
Already done. Check out Netgear... not to mention several different single-floppy Linux firewalls that work great on the old junk PC.
Finally an OldFart : Keep off MY lawn too!
Anybody who is so stupid that they click on random attachments in vaguely worded emails doesn't belong in college.
At the University of Michigan the IT department has it set up so every single person living in the dorm has to first install all the security patches before you can get internet access or your mailbox key. Additionally, if the worms are trying to spread from your computer they just cut you off and you have to go through a long process of getting internet reinitialized. (I have several friends who have had to do this.) While getting your internet cut off at the drop of a hat can be a pain, they have kept the network running perfectly since I've moved in, and that's no easy task for a school of 30k.
Search me
MAC address filtering would bring out at least one privacy advocate complaining about rights, and absolute Nazi like controls won't fly at a public institution.
Everybody seems to be advocating the staff doing stuff, do they have the resources to handle every little issue a student comes up with?
VLANs with heavily controlled QoS would help. I also like a script forcing certain patches.
Could the school get a license from an AntiViri company to cover all students, force everybody to run it as policy, script the updates, and use IDS to ban infractions by switch port or something which would f%$k the student because it might take a week to get around to turning the port back on.
Kevin
Irrational Diversions
of course none of the people that use computers simply for im'ing is going to switch over to linux, but companies, and geeks should.
Northwestern University has a program called NetReg, where new users must register their MAC address with the university to get online (the whole thing is automatic):
NetReg FAQ
NetReg Screenshots
They use all managed switches and Cisco IDS on their routers, so when a user trips the IDS, their port is automatically turned off and the student is called using their information in NetReg.
From their site:
Technical Questions
How does NetReg work?
A user starts his/her computer on a NetReg network and uses DHCP to obtain an IP address.
The NetReg DHCP server receives the configuration request and checks to see if the MAC address in the DHCP packet is associated with a NetID.
If the MAC address is not associated with a NetID, the DHCP server replies to the request with an address from a small range of IP addresses on the network that are used by unregistered machines.
The network infrastructure is configured to force users with IP addresses in the unregistered range to talk only to the NetReg server.
When the user opens a browser window, regardless of what server he or she is trying to reach, that person is redirected to the NetReg server and prompted to register.
The user registers by typing in his/her NetID and password. At this point, the system can get additional information such as the type of operating system and Web browser being used. This information is exported to an external database.
After authenticating with a NetID at the NetReg server, the user is prompted to restart his/her computer. (Steps 1 and 2 above are repeated.)
If the MAC address is associated with a NetID, the DHCP server replies to the request with an address from a large range of addresses on the network that are used by registered machines.
The network infrastructure is configured to allow unimpeded network access for computers with addresses in the registered address range.
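As an added example, not Northwestern's NetReg code, here is a Python model of the decision logic in the steps quoted above: the DHCP server serves a small or a large range depending on whether the MAC is tied to a NetID, and the network lets unregistered addresses reach only the NetReg server. The address ranges, the NetID directory and the MAC address are constructed assumptions.

```python
import ipaddress

# Constructed address plan: a small range for unregistered machines and a large
# one for registered machines.  The NetReg server itself sits in the small range.
UNREGISTERED_RANGE = ipaddress.ip_network("10.99.0.0/26")
REGISTERED_RANGE = ipaddress.ip_network("10.10.0.0/16")
NETREG_SERVER = ipaddress.ip_address("10.99.0.1")

# Stand-in for the campus NetID directory (assumed; a real deployment would
# authenticate against the campus backend, never a plaintext table).
NETID_DIRECTORY = {"jdoe": "correct horse battery staple"}


class NetRegDhcp:
    """DHCP side of NetReg: the range a MAC is served from depends on whether
    that MAC has been tied to a NetID (the DHCP steps in the list above)."""

    def __init__(self):
        self.registrations = {}    # mac -> netid
        self.leases = {}           # mac -> ip currently held
        self._unregistered = (h for h in UNREGISTERED_RANGE.hosts() if h != NETREG_SERVER)
        self._registered = REGISTERED_RANGE.hosts()

    def offer(self, mac):
        """Answer a DHCP request: keep the lease if it already sits in the right
        range, otherwise hand out a fresh address from the range the MAC now belongs in."""
        wanted = REGISTERED_RANGE if mac in self.registrations else UNREGISTERED_RANGE
        current = self.leases.get(mac)
        if current is None or current not in wanted:
            pool = self._registered if wanted is REGISTERED_RANGE else self._unregistered
            current = next(pool)
            self.leases[mac] = current
        return current

    def register(self, mac, netid, password):
        """The captive NetReg page ties the MAC to a NetID once the user
        authenticates.  Takes effect at the user's next DHCP request (after restart)."""
        if NETID_DIRECTORY.get(netid) != password:
            return False
        self.registrations[mac] = netid
        return True


def enforce(src_ip, dst_ip, dst_port):
    """What the network infrastructure does with a packet: 'pass', 'redirect'
    (web request sent to the NetReg server) or 'drop'."""
    src = ipaddress.ip_address(str(src_ip))
    dst = ipaddress.ip_address(str(dst_ip))
    if src in REGISTERED_RANGE:
        return "pass"                     # registered machines get unimpeded access
    if src in UNREGISTERED_RANGE:
        if dst == NETREG_SERVER:
            return "pass"                 # the only server they may talk to
        if dst_port == 80:
            return "redirect"             # any web request lands on NetReg
        return "drop"
    return "drop"                         # an address we never handed out


if __name__ == "__main__":
    dhcp = NetRegDhcp()
    mac = "00:11:22:33:44:55"            # constructed
    ip = dhcp.offer(mac)
    print(mac, "->", ip, enforce(ip, "93.184.216.34", 80))
    dhcp.register(mac, "jdoe", "correct horse battery staple")
    ip = dhcp.offer(mac)                  # user restarts and DHCPs again
    print(mac, "->", ip, enforce(ip, "93.184.216.34", 80))
```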
Don't just shut them off -- Fine them.
In the delightful spirit of libertarian freedom and responsibility, make them pay "something" for being the ones messing things up. Then, they are given the choice of deciding whether the Miracle of Microsoft Wonderfulness is worth keeping or whether the inhuman agony of switching GUIs and apps onto another OS might have some value.
It's a question of responsibility. If the users don't feel any pain, it all flows to IT.
At the Uni where I work, we shut the dorm network off. Students had to apply the patch and staff had to check every computer before the network port was turned on. This was, suffice it to say, an expensive option. It required a lot of staff and contractors.
A colleague at another Uni was scanning the dorm networks and blocking the unpatched systems' MAC addresses at the switch. Once a system shows up as patched, it can access the rest of the network.
There is hope. I started to run into some brand new systems, from Dell usually, that were patched at the factory.
Kyle wrote: "Maybe bring a line backer to strangle the little geek into submission"
And what happens when it is the linebacker who has the infected computer?
Get switches which can filter on MAC addresses,
then put a filter corresponding to the MAC address of the connected box on each port.
Build a web interface to make admin easy.
Then, once you identify a troublesome machine, block the port.
Build a smart firewall which looks for excessive traffic, or you might hook your NIDS into it.
-- never underestimate someone who overestimates himself
I understand where you're coming from, but this isn't very well thought out.
Imagine if you were fined whenever someone breaks into your house or car -- just because you didn't install better locks/better alarms/whatever doesn't mean that it's always your fault.
Even still, detecting it is going to be a problem. If you had a mechanism to immediately identify infected machines, it'd be far easier to stop/block/patch them.
I find it odd that someone hasn't written a tool that you point at a remote blaster-infected computer that will install the patch (The counter-worm is bad because it continues to attempt to patch other machines) What would be the best is if you had a daemon running on your computer that counterattacked each computer attempting to infect you and installed a patch and closed the hole directly on the attacking machine only.
running Mac OS X and I haven't had to lift a finger to do much of anything for more than a year
That's what I call a boring life. Compare this to the action packed life of a Windows(tm) Admin. I can imagine the next Microsoft tagline:
Windows: Bringing Unlimited Action to bored System Admins, since 1981.
getSexySig();
I've never dealt with this before, but couldn't one make students run a system security test before being allowed to go on the network? Like a CD that checks for different worms and whatnot. The only problem would be the Mac/Linux students. Maybe have some kind of reward program for them -- picking a better platform and all :)
WTPOUAWYHTTOTWPA
What's the point of using acronyms when you have to type out the whole phrase anyways?
Here's an e-Mail that I got Friday that pretty much explains how my school, FGCU handled it:
Student Housing Residents:
As you know, network access to student housing has been unavailable for the past few days. We are working on containing and controlling an outbreak of a virus that has been crippling our network. Unfortunately, there is a great deal of virus traffic coming from student residences. We have created CD's that contain Microsoft patches, Anti Virus software (trial or freeware versions) and specific fixes for known viruses (free fixes). We delivered the CD's to the Student Commons building so they may be loaned out to anyone who needs it. We have included instructions on the CD to check for the virus, update the OS and install the Anti Virus software. Please install or verify that your machine has these Microsoft updates and has at least one of the Anti Virus software packages loaded and running as soon as possible.
We have restored access to several residence halls on campus (A, B, E, F, M, parts of phase 5). However, we are still seeing a large amount of virus activity coming from the residence units we have placed back on the network. It is imperative that everyone check their computer for viruses, install the updates and install an anti virus software package. We may have to turn off individual rooms in the residence halls in order to be able to restore access to the entire university-housing complex.
Once network access has been restored, make sure your Anti Virus software is set to automatically update its virus definitions or that you manually do it the first time and then set it up for automatic updates. Please keep your Microsoft Windows machines up to date by using the Windows update feature, found in all current versions of Microsoft Windows.
We encourage you to purchase an Anti Virus software package and maintain your subscription to the updates. The university uses McAfee Anti Virus, however, any well-supported Anti Virus software should be fine. Many Anti Virus software packages can be purchased locally at various stores such as Wal-Mart, Office Depot, Office Max, Circuit City and many others. You can even purchase and download the software off of the web from the manufacturer's web site.
The current virus does not affect Macintosh or Linux/Unix computers, however, it is still paramount that all computer users install, maintain and run Anti Virus software on their computers.
We hope to bring the student residence buildings back on line soon. We appreciate your patience and understanding.
Charlie Weaver
Coordinator Computer Control Systems
Administrative Computing
There really aren't many *good* P2P clients for Linux.
If you know of any, please feel free to enlighten me, but other than BT and eDonkey there ain't much (which means it's hard to find small files like MP3s out there).
+++ATH0
... is to redirect all web accesses from compromised machines to an automatically generated webpage with the patches they need to install.
:)
The department techs are planning to roll out an unattended mechanism whereby we security scan everyone's machine - any box we find to be vulnerable will have all web page requests redirected to our server, which will give them the precise set of patches / AV tools they need to apply to close the hole.
All other network connectivity bar DHCP and DNS will be dropped. When the spider notices the box is secure again, it re-enables connectivity.
DoC don't actually look after dorm connections; this system was designed to handle unmanaged machines that might get plugged into the department network, use VPN, or connect over wireless. But it could be used to solve this problem, too.
The best feature is that it's completely unattended. (Well, apart from updating the signatures and answering questions from the two people who can't work out how to fix their machine. But you'd rather do that than go through level after level of applying security boxes to PCs, wouldn't you?
It also doesn't put any constraints on what students can put on their PCs; we just make network access conditional upon not being rootable.
Netreg is a DHCP/DNS pseudo-server that can also scan for open port 135. The student connects the computer and Netreg hands it an IP in a restricted domain and maps every IP address to itself, so the user can't go anywhere. (You can also alias windowsupdate.com to 127.0.0.1 so that the DOS attack won't affect anything.) Copies of the various patches are on the Netreg server, so students can update. Until they patch the holes and agree to our user policy they might as well not be on the net. Once everything is ok it hands the computer a real IP and points it to our real nameserver, so after that they don't notice anything odd.
The Packeteer can shape the traffic on and off campus. We were burning huge amounts of bandwidth on ICMP until we told the Packeteer to kill it. This thing is a great tool: we can tell it to shut off all P2P traffic during "business" hours so students can't affect net performance during classes, we have it prioritize traffic so that email is assured, etc.
"Seven Deadly Sins? I thought it was a to-do list!"
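The registration gate described in the Netreg post above, as an added simulation written for this thread (it is not NetReg's own code). A client is keyed by MAC address; until it is registered it gets a lease from a restricted pool and a resolver that answers every name with the gate server's own address, so every web request lands on the patch page, and the worm's DoS target is answered with loopback. The server address, pools and resolver are assumptions, and the port-135 scan result is passed in as a flag rather than performed.

```python
"""NetReg-style registration gate: a constructed simulation, not NetReg's code.

Unregistered MACs get a restricted lease and the gate as their nameserver;
registered MACs get a production lease and the real resolver.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress

GATE_SERVER = "10.250.0.1"                               # assumed: the gate box itself
QUARANTINE_POOL = ipaddress.ip_network("10.250.0.0/24")  # assumed restricted pool
REAL_POOL = ipaddress.ip_network("10.10.0.0/24")         # assumed production pool
REAL_NAMESERVER = "10.10.0.2"                            # assumed campus resolver
# Names the worm hammers are answered with loopback so the flood goes nowhere.
SINKHOLED = {"windowsupdate.com", "www.windowsupdate.com"}


@dataclass
class Client:
    mac: str
    ip: Optional[str] = None
    registered: bool = False


class RegistrationGate:
    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self._quarantine_ips = QUARANTINE_POOL.hosts()
        next(self._quarantine_ips)            # .1 is the gate server itself
        self._real_ips = REAL_POOL.hosts()
        for _ in range(2):                    # .1 gateway, .2 resolver (assumed)
            next(self._real_ips)

    def dhcp_offer(self, mac: str) -> dict:
        """Answer a lease request for the given MAC."""
        client = self.clients.setdefault(mac, Client(mac))
        if client.registered:
            if client.ip is None or ipaddress.ip_address(client.ip) not in REAL_POOL:
                client.ip = str(next(self._real_ips))
            return {"ip": client.ip, "dns": REAL_NAMESERVER, "quarantined": False}
        if client.ip is None:
            client.ip = str(next(self._quarantine_ips))
        return {"ip": client.ip, "dns": GATE_SERVER, "quarantined": True}

    def quarantine_resolve(self, name: str) -> str:
        """Restricted resolver: every name maps to the gate, except the worm's
        DoS target, which is sinkholed to loopback."""
        if name.lower().rstrip(".") in SINKHOLED:
            return "127.0.0.1"
        return GATE_SERVER

    def register(self, mac: str, scan_clean: bool, accepted_policy: bool) -> bool:
        """Promote a MAC once the port scan came back clean (a stand-in for the
        real port-135 probe) and the user accepted the usage policy."""
        client = self.clients.setdefault(mac, Client(mac))
        if scan_clean and accepted_policy:
            client.registered = True
            client.ip = None              # force a fresh lease from the real pool
        return client.registered


if __name__ == "__main__":
    gate = RegistrationGate()
    mac = "00:11:22:33:44:55"             # constructed client
    print(gate.dhcp_offer(mac))            # restricted lease
    print(gate.quarantine_resolve("www.example.com"), gate.quarantine_resolve("windowsupdate.com"))
    gate.register(mac, scan_clean=True, accepted_policy=True)
    print(gate.dhcp_offer(mac))            # production lease
```

The state lives entirely in the DHCP/DNS pair, which is why the post can say students notice nothing odd afterwards: promotion only changes what the next lease and the next DNS answer contain.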
I'm with a small IT shop (3-4 people to handle pc's and network) at a private college. Our situation is something of a nightmare.
/.ers suggest to reign in the behavior of students and their machines when there is no budget and (seemingly) no interest in doing it right.
First, the network. Two dorms, one housing about 450 with a new network (cat-5e/fiber, switches, dhcp, NAT and Packetshaper, Cisco router). The other is just wrong, housing 330: cat-3/5/5e/fiber, 10 & 10/100 hubs(???), 2 class c's, one thru firewall/NAT SOHO dsl router(???), Packetshaper and Cisco router.
The freshmen have been here for 3 days now. Our ISP has been threatening to shut off the dorm since day 2.
There are (we figure) dozens of machines with Blaster/Sobig infections and basically everyone is running some sort of p2p app, mostly Kazaa.
Bandwidth is basically saturated to the point of being useless (machines can't pull IPs) and our network admin's attempts at packet shaping are less than stellar, often resulting in a nearly useless network.
There is ZERO desire for our shop to bear any support responsibility to the student population (you touched it last syndrome), other than ensuring the network lines are working.
There is no money (so we're told) to fix it the right way (replace the network) and the powers that be are not open to suggestions from lowly, yet knowledgeable techs.
What, other than swift and random violence, would
Just because something isn't "supported" doesn't mean that no one will run it. Half the users (more?) on an average college campus don't even know, much less care, what OS is running on their machine - they might have some nebulous idea that it's "Windows" but other than that they're clueless.
What do you suggest they do? IP fingerprinting to find out what OS everyone is using? Portscanning the network to find out if the 13x range is open? What if they're running Dave or Samba?
You can't do this to people - especially if you want to have a school that is technologically well-developed and has an attraction for computer science / E.E / other technical majors.
No. The best way to manage these kinds of issues are with the network in a free educational situation, not with users' machines.
+++ATH0
The NT login script already mentioned is pretty effective but, of course, assumes that everyone is logging on to an NT domain. Detecting infected machines and then denying DHCP services, denying proxy access, nuking them, etc., may or may not make sense depending on your network setup and how dictatorial you are allowed to be--but they are valid options depending upon how widespread the problem is and how bad your network is hurting. Passing out information and/or CDs, of course, is a must and I'm sure you've done that (some people want to do the right thing). I would try to scare them too--telling them about how they could have their computer seized by an evil dark hacker and all of their files could be stolen/corrupted, including passwords. If responsibility doesn't motivate them, sometimes concern over their 4Gigs of pr0n does.
I hesitate to say this next part because I don't want to sound like a commercial and it's not an option for today-right-now anyway, but I know of a couple universities and several companies who ditched their core routers (and most perimeter ones) and went with a commercial firewall that has the ability to not only serve the function of routers, but also has the ability to run virtual firewalls and virtual routers so that different departments can maintain their own ruleset while root-god user can make sure they are not too lenient. Combined with IDP software/appliances, it can give you the ability to stop the harmful traffic while logging infected users, then do what you will with the infected machines. If you want more information about that option for future planning, let me know because I don't want to plug a specific product. And, no, I'm not a sales guy--I just like the product. In talking to the guys who use it, when blaster and sobig came out they pretty much sat back and said, "Must suck to be those other guys."--Willie
Here at Sonoma State University (www.sonoma.edu) they started out the year by turning all the ethernet jacks off right from the get-go. In our "Welcome" package they included a CD with all the patches for us to patch the computers in our dorm. After this was completed we had to call IT and wait around for them to get the jack number, verify that either you weren't running Windows or if you were that the patch was properly installed. Then and ONLY then would they activate the jack. This caused major problems, it took 2 days for me to get my connection up and running, and I was running Mac OSX! It was a royal pain in the ass for both students and the IT workers who had to run around to all the Residence Halls. I guess it was pretty effective, but when someone reformats and reinstalls windows 95% of them will forget to install the latest patch.
Erin Go Bragh!
scan and ban.
Just look for open, exposed machines, and ban
their IPs. You'll get the owner's attention
right quick.
...welcome our new Nazi overlords... wait a minute
The hell I do!
Nazi faggot
Do not meddle in the affairs of geeks for they are subtle and quick to anger
How to handle it? Easy! Switch them to Linux...:-)
I'm sure that you have an AUP which attempts to dissuade people from running servers anyway. Just block incoming traffic to nonprivileged ports and 99% of the network-related vulnerabilities go away. I don't know how you're wired exactly, but just unplug people who don't maintain their machines, or remove them from the vlan if you have people on vlan-capable switches, and one to a port. If you're wireless, deny their MAC at the AP. And don't rush to reconnect people who are problems, take your sweet time, and handle them in the order in which you disconnected them when more than one of them appears. Tell them if they don't like it, they can start worrying about security, and send them an email or give them a handout on how to stay updated and firewalled. Obviously it's not all sent through the network, sometimes it's through email and stupidity, but this will prevent internet-transmitted worms from infecting machines, and still allow people to use most any application. You could always allow specific ports through if you did want people to, say, be able to run a webserver on their dorm connection, though I can't imagine why you'd want to.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Hi, I'm the AC you're responding to. I use AOL. 8 years of emails in proprietary formats are hard to just throw away.
I guess the moral of the story is to try not to overgeneralise.
Posted from Debian/GNU Linux SID
and this happens on/at a university. don't get me wrong, but hey! these should be smart people. as for automatic patches by script on log on, this means i have to trust the admin of uni network. i quit my uni because the admin didn't want to give me a hard IP (192.168...) but insisted i use DHCP. baeh! i think it's a flaw or the essence of the network that i can about do whatever i want, once i'm on the network. best thing to do, like always is educate your users. set up a fileserver with the newest patches/updates/information/links. the network speed/intelligence is the sum of the users that make up the network. if the students just want to be hip, e.g. be " "on-line" " but don't care or know about it, too bad -> crawl. ... one way would be to have the admin "certify" your personal computer (cost of time, how big is uni, etc.) or reward up-to-date students (limit bandwidth for "dumb" students so they can't bring the whole network down). install more configurable routers. use a) 192.168.x.x and b) 169.254.x.x and c) 10.x.x.x.
like i said before, if you're on a network you can do whatever you want. this is "fundamental" to any "open" network. well, i'm still thinking about a technical solution
a) addresses for "dummies" b) for not so "dummy" (maybe Linux users?) and c) everything's okay! now it's up to the router. something like that. maybe even split it physically (different ether-cable.) and yeah, more routers!
this reminds me of kindergarten!
...is that this must be done in several batches because of those stupid fucking "You must install this separately from other updates" ones, and others that require reboots before further patches can be installed. You have to babysit the process to completion, and today's short-attention-span-having users just won't do it.
The way Apple does the patches with OS X works much better. With few exceptions, they all download and install in one shot-- including all 10 or so of the security patches released in the past year when Jaguar was released. The only exceptions I can think of are the cases where someone has version x.0 of something, x.2 is the most recent, and Apple hasn't made a combo updater to go directly from x.0->x.2 so the x.1 updater must be run first.
Riiiiight!
and soon we're going to get invaded by aliens. a major flood is going to hit your home-town. a tremendous earthquake is going to destroy a major city...
fun that the power-grid in america and england fail before someone discovered a major security flaw in Linux. probably THAT is the major security flaw of Linux: black-outs!
I know it's a pain to lose ping functionality, but in the case of Nachia, the fastest way to stop it is to put a filter on your switch. If you use Cisco 65xx's with the Policy Feature Card, you can run the following commands:
set security acl ip WORM deny icmp any any echo
set security acl ip WORM permit ip any any
commit security acl WORM
set security acl map WORM 1 (or whatever VLANs you have)
If you have some other product for LAN switches, shame on you! Well, there probably is a similar filtering capability if you have the right components.
I've been involved in cleaning up after SQLslammer and Nachia on a rather large network. In both cases, I found that router filters were difficult to implement without causing the filters to kill the routers (except on a few very new high-end routers). The PFC claims to work at wire speed. In practice, I've had a hard time proving them wrong on that.
This filtering technique will allow you to drop packets as soon as they enter the switch. Basically you're doing a L3 or even a L4/L5 filter (tcp/udp with port) on a device that is really operating at L2.
A couple of things to note: you can't log the packets, and once you put the filter in place you probably won't be able to determine who is sending junk, but you shouldn't be patching machines for a worm by going after the infected ones... every machine in the network needs to be patched before you lift filters regardless of whether the worm is still in your network or not. If not, it will be back!
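An added example, not Cisco's code or anyone's from this thread, showing the first-match semantics behind the WORM ACL above and behind the earlier suggestion to block incoming traffic to nonprivileged ports on a dorm subnet. Rules are checked top to bottom, the first match decides, and a packet matching nothing hits the implicit deny, which is why the post ends its list with permit ip any any. The dorm subnet, resolver address and sample packets are constructed; the established flag mimics the IOS keyword of that name (TCP with ACK set) and is an assumption about how you would let return traffic through a stateless filter.

```python
"""First-match ACL evaluator over constructed packets (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None     # 8 = echo request, 0 = echo reply
    tcp_ack: bool = False               # ACK set: return half of a client flow


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: str = "any"                    # "any" or a CIDR
    dst: str = "any"
    dports: Optional[Tuple[int, int]] = None
    icmp_type: Optional[int] = None
    established: bool = False           # like IOS 'established': TCP with ACK only


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)):
        return False
    if rule.dports is not None:
        if pkt.dport is None or not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
            return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the verdict of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The WORM ACL from the post: drop echo requests, let everything else through.
WORM = [
    Rule("deny", "icmp", icmp_type=8),
    Rule("permit", "ip"),
]

# A stateless rendering of "block incoming traffic to nonprivileged ports" on a
# constructed dorm subnet. Replies have to be allowed explicitly, or the filter
# also kills DNS answers and the return half of every client connection.
DORM = "10.20.0.0/16"          # constructed
RESOLVER = "10.10.0.2"         # constructed campus resolver
DORM_INBOUND = [
    Rule("permit", "tcp", dst=DORM, established=True),        # return traffic
    Rule("permit", "udp", src=RESOLVER + "/32", dst=DORM),    # DNS answers to ephemeral ports
    Rule("deny", "tcp", dst=DORM, dports=(1024, 65535)),
    Rule("deny", "udp", dst=DORM, dports=(1024, 65535)),
    Rule("permit", "ip"),
]


def worm_verdicts() -> List[str]:
    pkts = [
        Packet("icmp", "10.20.3.7", "10.20.9.1", icmp_type=8),   # echo request: dropped
        Packet("icmp", "10.20.9.1", "10.20.3.7", icmp_type=0),   # echo reply: passes
        Packet("tcp", "10.20.3.7", "10.20.9.1", dport=80),       # web: passes
    ]
    return [evaluate(WORM, p) for p in pkts]


def dorm_verdicts() -> List[str]:
    pkts = [
        Packet("tcp", "198.51.100.7", "10.20.3.7", dport=4444),                 # unsolicited high port
        Packet("tcp", "198.51.100.7", "10.20.3.7", dport=40000, tcp_ack=True),  # reply to a client
        Packet("udp", RESOLVER, "10.20.3.7", dport=40000),                      # DNS answer
        Packet("udp", "198.51.100.7", "10.20.3.7", dport=40000),                # unsolicited UDP
        Packet("tcp", "198.51.100.7", "10.20.3.7", dport=22),                   # privileged port
    ]
    return [evaluate(DORM_INBOUND, p) for p in pkts]


if __name__ == "__main__":
    print(worm_verdicts())
    print(dorm_verdicts())
```

Two things the evaluator makes visible: the echo-request rule must sit above permit ip any any or it never fires, and a nonprivileged-port block written statelessly still admits unsolicited traffic to every port below 1024 (the last sample packet), so services the dorm does not expose need their own deny entries.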
Give each dorm room its own unique IP address and then force the users to register all of the MAC address for their equipment.
This way you can isolate individual users from the network and cut off their access if problems arise. Sure, DHCP is better in a perfect world but we're not talking about a perfect world, we're talking about a college network.
Handling user grown machines? Just groan at the users.
My college, in response to Blaster, Nachi, etc., recently told students to download a copy of Vexira Anti-virus, for which we have a site license. One of my non-CS friends (yes, /. geeks can have non-CS friends) did just that and, since she (yes, a female, at that) had little computing experience, deleted every infected file. I'm only a UNIX admin with very little Windoze experience, so I'm not sure if deleting the infected files had something to with it, but XP Home refused to go past the login screen. She has been going through something of a family crisis, so I was up until about 1 in the morning getting her machine back into working order without losing any data. I succeeded, but it was still pretty stressful. She didn't really care about having a clean computer; she just wanted a working computer.
In short, just telling students to download and run a program they don't understand to clean up their computers isn't going to work. At best, no one's going to do it, and at worst, it's going to f*ck people's computers up, creating more of a support mess.
We actually have webmail blocked on campus because the servers can't handle the load. Ha.
Spoon not. Fork, or fork not. There is no spoon.
Thanks to £25 WiFi cards and the ease of turning on ICS with WinXP, my IT department are bugging for the money to buy a 2.4Ghz magnetron so that we don't get the whole town's virus/pr0n/hacking/general traffic as well!
Exemptions are being granted on a case by case basis, and a minimum requirement is something like Kerberos+IPSec+a very good IPchains config, but lots of people don't even seem to have considered they might need permission and just plug in wireless routers.
Beep beep.
Uhm... no! This was done. In fact one of the variants of the last exploit actually patched an exploit. The problem is that it was too hard to control and it brought down networks as it crawled around patching machines. Worms are not the answer.
Phone and leave a message with instructions how to get help, and provide how-to-fix-it guides at their hall's front desk. Give them a chance to fix it if you can, and tell them the timeline ("You have 24 hours before we will have to take you offline. Here's how you fix it:"). If you have to disconnect their port immediately, then you must contact and guide them to help.
Internet access is necessary today (preaching to the choir here!), and you should never disconnect someone and then wait for them to wander into your office to help them. Anyone who reads /. understands that.
Hand out a CD when students want to connect. It should have a script that checks and makes sure the OS is fully updated and runs a virus checker.
After it passes all the tests, it will let the machine connect to the network.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
I work at Information Services at my university, and we have an automated system that disables connections by MAC address when infected users are detected. Combined with a pretty wide PR campaign (we got a university senior vice president to email everyone on campus regarding computer security) and distribution of thousands of CDs containing the patch, fix, and antivirus software, this has been pretty effective at containing the outbreak. It actually ends up being less work in the end than making EVERYONE get checked out by us before they connect.
Between your simple classes and a proposal to ban M$ computers that pollute networks, I think we have a solution to the problem. When student machines blow up, you kick them off the network and give them a CD with their choice of Distro on it. Knoppix will get them up so that they don't miss much and they can blind the windoze side to the network and dual boot or simply wipe that junk for good.
Friends don't help friends install M$ junk.
I know at my school our procedure against the worm is rather interesting. We have recently installed new cisco switches in most of the dorms. In an effort to block the worm we have already blocked all incoming traffic of the blaster and Welchia worm (actually the Welchia worm has probably generated more problems than blaster). Then on the switch level we are blocking all pings to prevent blaster from scanning to spread itself. However it is still a complete mess. These measures have isolated the problem so as not to overwhelm the network. Our plans are currently considering removing the blocks from a set switch, scanning to get a list of all the infected/unpatched machines. With this list we can e-mail the students who live in a room that has a computer in it with the worm. Our other measure is that we are currently running Novell and students can login to the novell network (for installing certain apps etc). However a large percentage of students do not use this, and are unaffected by scripts that we run to scan every machine logging on for blaster and welchia etc. Of course this method also has the problem of users ignoring it, which is just as disastrous. Users have grown accustomed to closing 20 different windows at once when starting their computer and ignore them.
There's really no easy way to fix an outbreak, but to try and contain it from affecting the main networks. Of course this requires expensive equipment, but I'm sure the University is quite glad that they were buying this already.
Phil
I can think of two things to do that are pretty easy.
1) Post notices on the entrance to the dorms with step by step instructions. Point them to free tools to clean their machines from www.SARC.com. Give them the exact URL! Same for the URL to the patch. Put these on tear off strips at the bottom of your notice. Most times, telling people there's a problem with infection is all it takes to make them aware they need to do something. Having the information at easy reach is the best way to get them to do it.
If it's hard, they won't do it.
If it takes work to find, they won't do it.
2) Have your underlings march out to the offender and fix the problem. I don't know about you, but our university had WAY more volunteer help than we could use, just so they could put down computer department on their resumes. When an infection that causes a lot of traffic resurfaces, have your volunteer geeks re-walk the dorms.
There doesn't always have to be a technical solution. Sometimes, meat space works.
If you get someone that won't willingly comply after being asked nicely... physically remove their connection at the patch panel, they're too stupid and inconsiderate to use the net
-=-Ze End-=-
We used SOPHOS at my college and simply refused to allow a student machine on the campus network until SOPHOS was installed on it and set up to get its virus definitions from our central source. We gave every student a CD with a simple double click installer that did everything for them. Once they ran the installer the last step of the installer was to notify the IT dept with a bit of machine info so that we could allow their machine to function on the network. And to solve the question about what happens when you reinstall Windows is solved by SOPHOS as it is able to generate a daily report of all machines on the network that are not running SOPHOS. When we found a machine not on the network that wasn't using SOPHOS, we would simply disallow all connections to and from that machine, no matter what network jack they plugged into. We also sent them an email (knowing they would use a friends computer to check their email before they called us) informing them that in order to restore their service they would need to bring their machine to us and have SOPHOS installed and setup to run full-time. If they didn't call us in a day, we called them and left them the same friendly message. After the initial onslaught of machines in Sept, we dealt with about 3-5 machines per week that did not have SOPHOS running. I should mention that this was a small college on a hill with about 1700 students, so it may not be the answer for everyone, but it certainly worked well for us!
.....as long as their machines are installed with a management agent of some sort so you can quickly spot trouble.
Not for spying on what they're doing - and that's got to be a careful compact between you and your students - but for specific breaches - open relaying, DDoS zombies, etc. as well as maintaining security updates.
Wouldn't hurt to have a specific "Bill of Rights" for campus computer users as well as the admins, so everyone's on the same page.
To have ambition was my ambition.
How is it that you can compare this one isolated incident to every campus and business in the country being plagued now? I just heard of a whole major industrial complex being shut down because viruses blew out their silly Windoze servers as well as many desktop machines. The comparison does not hold water and the FUD needs to point the other way. This other OS is presently screwing everyone with little or no user intervention and despite tremendous efforts to undo the problems by people who know what they are doing. Your little 900 person problem is like a marble orbiting around the sun, invisible by scale.
Friends don't help friends install M$ junk.
What do you think happens when *each* and everyone of them goes on KaZaA because they can't share anything? Not to mention how they'll whine about how they can't cooperate because no one can access the others' files (short of sending project documents back and forth via email or something).
I don't think that thought is so well thought out....
Kjella
Live today, because you never know what tomorrow brings
With Novell you can have the control that you require. When you want to control the patches, Novell can. When you want to control systems you can. You can have policies that only allow use of the firewall from systems known by the NetWare network.
With Novell being there for any operating system, you do not have to rely on AD. I am not up to date enough to know to what extent you can control Linux systems, but Windows systems can be totally controlled by the system administrators.
To make this work it has one BIG requirement: as a system operator you have to be transparent in your policies. Lab systems are NOT dormitory systems and therefore have different policies. Your students are CUSTOMERS. Treat them right, they may grumble but will not complain.
Thanks,
Gerard
I wonder if Zone Lab's Integrity would do the trick?
In that configuration, they can surf the Internet freely, and can download anything they want, but can't mess up anyone else.
That's the default configuration. Students who want more have to go through the exercise of securing their machines, after which both the student and the machine get tested. Then they get more access.
Actually, I think that you're ignorant. It's true that you don't really need a computer to teach CS. You don't even need a computer to teach programming (and please notice that there's a difference). Your mental image of CS is probably kiddie-dom - learning how to do 1337 stuff with computers. CS is more; it's about doing 1337 stuff without anyone noticing you. It's also about designing systems that don't crumble to dust at the slightest mention of malicious code. It's even about providing means to keep parts of your privacy when the government is after you.
Computers are necessary to bring those dreams back to reality after they have so thoroughly been destroyed. They make it so much easier to solve the problems they caused in the first place - which is fun sometimes.
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
NAT is all well and good but as soon as you let anything interesting through, like, say, email. You have almost as many problems as a direct connect. On top of that, with activeX controls you can tunnel anything through port 80.
If I were in a dorm and some luser down the hall decided to bring a virus onto a network that I'm on I'd take his ass out back and beat him, let everyone in the dorm know so that they can join in. Once this happens a couple times I'm sure everyone will be in the habit of keeping their machines clean and up to date.
Perhaps not, but the average student who is plugged into the LAN probably is for a reason - if they actually want to use the network for anything, they'll need to register their machine and get DNS set up, which I am sure is sufficiently effective to 'encourage' people to patch their systems and have them checked out.
create your own System Update server, yes it is a M$ product, tie the reg hack to the domain login and poof! push the patches as needed to the M$ computers on the wire. We rode out the last two worms fairly easily this way
The other thing is to "require" one of the managed virus scanning software packages (McAfee and Symantec as example) that have a local update server package (LiveUpDate for Symantec and ePolicy for McAfee). That way you can be reasonably sure that PC's on the wire are kept up to date with the current DAT files.
~corporate tool, but employed~
You never played the lottery? Let me ask you another question.
Do you have any kind of insurance?
But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.
I know I know, it's just a joke. Well, I just had to get this off my chest.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I work as a student tech at my university, and their solution to the whole problem was to let everyone get infected, then patch and fix every computer on campus. While doing that, we are supposed to try to convince students to set Windows Update to automatically install updates.
Personally, I think this is the wrong approach to the whole problem. Simply educating the computer users out there to click a few spots on the screen seems more efficient than wasting resources trying to have (overworked and underpaid) staff do it. Isn't the whole point of institutions of higher learning to prepare people for life, rather than preparing them to live a life of dependence on others for the most basic things?
my school turned off every network connection until a blaster fix was installed and scanned for the infection. seemed to work great except for IT was understaffed and it took them a while to cover everyone. i would personally rather wait for this than to have a giant disease pool.
That's not FOR Linux though. Which reminds me - why isn't there a native WinMX client for Linux?
+++ATH0
Here at my school, our OIT department decided to simply unplug each dorm room from the router in the building. After doing so, they required us to sign up for an inspection. They went room-to-room, testing machines, running McAfee's Stinger, and installing patches and McAfee AntiVirus. They visited my room 3 times, concluding each time that I was running Linux exclusively. Which isn't entirely true--two of my machines are FreeBSD boxen, and the third dual-boots Windows/Linux--but most of the people I talked to aren't quite *nix-savvy. Take this conversation for example...
Me: I run FreeBSD on my laptop.
OIT guy 1: Okay, boot it up and show me.
I show OIT guy 1 the output of 'uname -a'.
OIT guy 1: Show it to the guy over there with the list.
I show my computer to OIT guy 2.
OIT guy 2, to OIT guy 1: Hey, what AV software are we putting on Linux machines?
Or on visit 2...
OIT lady 1: Hi. I'm here to inspect your machine.
Me: I run Linux on one machine, FreeBSD on the other two.
OIT lady 1: Uhh... I have to go get the guy who knows Linux.
OIT lady 1 runs down 2 flights of stairs, and comes back with OIT guy 1.
OIT guy 1: I've already looked at your computer.
Me: No shit.
They finally have turned most of the network back on, and according to Microsoft's KB823980Scan tool, there are 5 unpatched machines in our dorm already. See the output from when I ran it this morning. We lost network access last Friday (8/22), and finally got it turned back on in our room on Thursday (8/28)--even though both my roommate's Windows machine and my machines were clean. If you want to read more on our IT department's odd solution, take a look at the OIT department's blog, or at the school's ACM chapter's discussion of the issue.
"Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
And what happens when it is the linebacker who has the infected computer?
Send TWO little geeks, of course.
If you're a zombie and you know it, bite your friend!
At my uni a few years back, to get on the network required a software installation. (Or so they told every single student coming in.) The ones who were clever enough to realize you didn't actually need it were usually the ones who could figure out how to patch their machines.
:)
Everyone else bought the software kit, which included SSH clients and a nice antivirus kit, which auto-runs the first time it's installed. It seemed to work okay for us.
2) Segment the network with VLANs.
3) On each VLAN run a *nix box running snort, DNS and an email server. If snort detects an infection it should drop an automated pre-made "fix it" email into the user's internal mailbox (including any relevant patches and instructions) & drop their access to the DNS, allowing the user to only resolve the internal mail server.
4) Once the user has "fixed" their machine, they can send an internal e-mail to the IT department who can then confirm that the box has been patched before allowing the user DNS access.
This would simplify and serve to help automate the whole problem solving routine.
The only drawback is that the students *may* not be using the DNS server as supplied by the IT dept.
I like Raymond's solution to Windows problems:
Q: I'm having problems with my Windows software. Will you help me?
A: Yes. Go to a DOS prompt and type format c:. Any problems you are experiencing will cease within a few minutes.
It may not be a nice solution (to some) but it will be a permanent solution to a very annoying operating system.
Works perfectly. Gets it patched.
I know that I wouldn't want some person I do not know "examining" my computer for patches, etc. nor would I want said person to knock on my door early some Sat. morning saying "Oh, you have that new virus, I'm here to fix it. Point me at your computer and give me your password."
I think the only reasonable way to handle the issue is to detect and block access for infected computers. When the user calls, inform them why they were blocked and give them their options to fix the problem:
* Patches...lots of patches...
* Anti-Virus and a well controlled Firewall...
* Trust the campus tech...
The last option would of course have to be a very strange agreement where the college guarantees nothing, but will do their best.
Also, each semester, give out a leaflet about basic computer security / maintenance...on the back do the whole scary statistic thing that always gets managers at work to buy things (you know: vulnerabilities found in the last 6 months: x for Windows, y for Linux, z for Mac OS...Number of new viruses in the last 6 months: a for Windows, b for Linux, c for Mac OS). Also, providing an option to sign up for a campus email about new vulnerabilities and worms may help.
I have noticed that some people keep saying "install *nix"...This does not stop future problems. It just reduces the number of current worms and adds to the confusion of most users.
Dear People,
.... Maybe provide free evening courses in the dorms provided by the university/college CS-students (paid by the university). HELP FOLKS LEARN ..., it is a waste and mistake to take care of all the problems for them. Maybe CS at MIT will put something up on the MIT-OCW website (http://ocw.mit.edu/index.html) for all US to use.
. They need to learn. Also, campus networks and admin need to help them recognize HW/SW/Security problems, avoidance skills, and good maintenance habits.
. The MS approach of do-it-My (My=Gates/Microsoft) way is very dumb, because it does not provide experience for the future. DO NOT SPOON FEED the grown child, help them mature. Create a network that impacts upon their personal computers' performance with switch-restricted bandwidth access. Use switches to switch-blade-hubs that limit bandwidth access and/or the total hourly, daily, a/o monthly data transfer allowed.
. Gamers would be the first to clean up their machines/software after a DHCP server reassigns an abused (due to DDOS Trojan running a flood-ping) IP address back to the available pool and they need to log-on again to play the LAN/Web-game.
. Okay, this is an odd one for me, but [PLEASE!] find a way that puts the responsibility on the student to learn how to properly maintain their HW/SW/Security
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
I live in Staten Island and it is probably the most technologically-agnostic borough of New York City. We have four kinds of accepted people here - Guidos, Thugs, Wannabe Guidos, and Wannabe Thugs. Everyone else (especially techies) are highly marginalized.
+++ATH0
If your dorms are wired with ethernet switches supporting 802.1x MAC level authentication, turn it on. Cisco, 3Com, Broadcom, Enterasys switches and many others support it. WinXP has a supplicant built in, and there are supplicants for Linux and other *nixes. Have disks ready to go for everyone without supplicant software so they can load it up under lab rat supervision.
/. ID of 5 digits or less, and a karma level of excellent :-)
Students don't get a login until they bring their machine to the computer lab to be checked out. Since you force them to come to you, they have to do all the heavy grunt work, just have lots of tables with power and a network drop, like a big LAN party. While they are there, you can teach them about the 802.1x login procedure.
Those running insecure OSes must show they have a licensed, up-to-date virus scanner, that it has been run immediately before coming in, and they have the latest M$ patches installed. Until they can do that, in person, they don't get access anywhere on campus. Since the MAC address of the ethernet card goes along with their login, they can't just use their room-mate's ID. Students smart enough to know how to switch the MAC, and then forge an 802.1x login, are clued enough to really fsck up your network and tend not to run viru$-ware from Redmond.
While you have the loser's machine just sitting there, don't just check for anti-virus and licenses, but also port-map their machine, make sure all useless services are turned off. No rogue DHCP servers, no faux-root DNS servers, no win messenger, no RPC, or back-orifice. In XP, make sure the firewall is enabled. Make sure they understand (have a sheet for them to sign) they are responsible for staying patched and AV'ed, and if they infect the network they lose access for the rest of the school year. People without access will be forced to use the old Macintosh Pluses sitting in the lab to do their school work.
And any loser running *nix, check they have a
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
We used the MS tool to scan as well; however, I found that it reported several Windows 98 machines as "unpatched", a false positive, as 98 was not vulnerable.
The sentiment behind this pithy observation is that computers are designed to be versatile and powerful, and this concept is fundamentally antithetical to security.
Unless you are going to make everyone run identical computers and software, you can't lock down the computers. The only choice is to lock down the network. Improve the ability to detect, diagnose, and isolate problem machines. Assume that the worms will come and they will infect machines, and plan on how to catch them, disable them, and reduce their impact as fast as possible. This requires investment ahead of time in software, hardware, and training. Make this a primary consideration in how you design your networks.
Additionally, make it as easy as possible for students to get security updates. Mirror them locally and make lots of CDs, if it is legal. Produce your own clearly worded instructions/FAQ on where to get the software and information. People are lazy; you can make it hard for them to find stuff and then feel superior when they don't upgrade, or you can make it as easy as possible to do the upgrade and save yourself pain.
Can probably find people in the dorms with sufficient knowledge to help J. Random User with updates who will work for pizza.
Most universities have a newspaper of some sort, and the reporters are always looking for stories. A call that "Dorm X" can't get on the internet because of all the viruses on the network. That won't necessarily get to the right people at first, but it will get word out, and that will help.
Don't be afraid to firewall the dorm from the internet, telling the reporter that you did it to protect the rest of the network.
At the very least you will give some student reporter a chance to write a story, and educate herself (you wish) on the issue.
Says who?
It's the university's network. If they wanted to, they could mandate that the only systems that are allowed to be connected to the Internet are the public labs maintained by the IT department.
Who are you to dictate policy to them?
Keep non-official machines in a separate area. Treat it like the internet. Don't grant them special access to anything.
That way, at worst they infect each other.
Microsoft SMS and McAfee ePO.
Do what we did: turn them off. When you find an infected client disable their port on the switch. When they call the helpdesk asking "Why doesn't my internet work?", then you can tell them "Because you are a moron. Fix your shit plz."
Greg Poirier -- Magic Fairy Bunny Princesses, Inc.
There are not that many M$ servers out there. 99.99% of hack attempts I see in my logs everyday are targeted at an M$ system...
I will adapt
...of worms, but because massive amounts of pr0n are being downloaded and uploaded... There is so much pr0n I don't know when they would have time on their hands... (no pun intended) ...to get infected with a virus or worm...
Typical knee-jerk reaction.
... and try to stop that knee jerk ... it is unhealthy.
Ever read anything about India or China? or for that matter Mexico or South America? or visited one of the United States' major cities and wandered off the tourist track? or how about the "no-go" zones in London? or how about South Africa?
Point being - even though the immigrants you meet may be intelligent, witty, and the life of the party - no wait that's television!
Look at the countries these people come from. Would you want to live in China, India, Zimbabwe, Nigeria, or Pakistan? Don't kid yourself. You wouldn't last one week without American Idol - that is if a native didn't kill you beforehand for invading his country.
I am reminded of a remark made by an African friend of mine in college. Keep in mind she grew up in Detroit, Michigan, United States. She stated rather bluntly, "You can take the nigger out of the ghetto, but you can't take the ghetto out of the nigger." Expert words from an expert on the subject.
It's people like you who lead the United States on its current path to becoming a third world cesspool. Remember, Indians create India, Africans create Africa, Chinese create China, and the Mexicans create Mexico. Europeans create the Magna Carta, strong civilizations, medical advances, and go to the moon.
Try and refute
I'm a student PC/Net tech at a small college (1500 students, 400 staff/admin/faculty). We use an AD domain to corral our users, so to speak.
We did some testing with the Blaster patch before we encouraged our users to download it; I always check Bugtraq, personally, before I put anything on a machine I'm responsible for. Once we decided it wasn't breaking anything (at least it didn't break anything for us) we burned it to a whole bunch of CDs (with the Symantec removal tool, the Win2k patch, the WinXP patch, and the WinNT fix). Each RA/helpkid/tech also got a corporate edition of NortonAV on a disk (we have a site license) with instructions for students on how to update their virus definitions.
Each RA got this disk. Each help desk kid (there are about 15 student help desk kids) got one, and the other five PC/net techs (other than me) got one. We marched around campus for about a week wearing very visible "TECHNOLOGY SOLUTIONS CENTER" T-shirts and essentially infiltrated dorm life with our antivirus software.
Were there huge network slowdowns? Oh yeah. For the first day and a half when students came back there was little, if any, network connectivity. But the RAs were adamant about having the kids run the patches and install NAV. Did we use guerrilla tactics, like disabling network ports or confiscating network cable? No, not at all. We just made help extremely visible, and with a horde of student tech workers getting $5/hr, it was not so bad for cheap labor for the college, either.
You might bitch and moan and say that a college kid with a virus will never go talk to his RA, but we had mandatory floor meetings for every floor for every hall across campus, and when you've got 20 kids and one RA, it's pretty easy to reach the end users. Users only understand that "my computer doesn't work", and you can bet that a college kid at a small, tech-oriented campus will go see his RA if he knows his RA can help him. (If the kids think the RAs are totally bogus, then there are problems with administration that have nothing to do with computing and that is for another thread entirely.)
Do these tactics make Mac/Linux users feel discriminated against? I saw some whining in the comments about this, but guess what: Even if an RA is minimally intelligent in the realm of computing, he can PROBABLY tell a Mac from a PC. Mac users get left alone (like me.)
Full network connectivity returned at about 9 in the morning on the day after move-in. (you'd be surprised how fast 30 RAs and 21 tech kids can move.)
You might also bitch and moan and say that students shouldn't have L2 domain admins. Okay, I can understand that. One kid got forcibly removed from our staff last year for leeching software off a drive he had permissions to, so no, it's not a completely perfect solution, and a lot of trust is involved. But it worked okay for us and minimized a lot of headaches.
Angry IT woman in big clompy boots. And talking lint!.
Send them through. I need the work. This is the MS-Blast support line at Microsoft. We'll help clean the virus off your system and there is no charge other than your time.
See link below if you want more info (the phone number is also listed) http://support.microsoft.com/default.aspx?kbid=82
The university should roll its own Linux that has everything necessary for the student and only allow that OS to operate on their intranet. Anything else is only allowed to operate outside the internal network.
This way students can still exercise their freedoms online, but will be in compliance with university policies. This is well within the already defined rights on American (and possibly European) campuses.
Firewalls and packet filters aren't just for the outside edge of your network, they can be used to protect your intranet also with your users existing in the middle of the two edges (AKA a perimeter network).
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
This gives us the following benefits:
1. Only machines we want to have on our network are there. This usually means that we give out IP addresses in exchange for the basics - a MAC address and the location of the machine. Higher levels of management of clients have their costs, so that'll be down to the individual manager to decide (for instance - only machines running OS xyz, or only machines we have root/admin access to, only machines built with our spec/OS and connected to our auto patching architecture, etc).
This means that we can, in extreme cases, remove someone from the DHCP lists, and flag their MAC up in arpwatch. In the case of "students arriving at the start of term", there is quite a flood of applications at the start of term - combined with teaching them how to find their mac address (solved with a flier in their matriculation pack). After that, it slows to a trickle of applications.
2. With managed switches (and really, who DOESN'T use managed switches in large networks?) troublemakers can be sought and disconnected in times of strife. You have their IP address AND know which switch/port they're on (through the MAC/location registration process). It really is up to the user to come to the IT staff in the event that their connection drops. We have disabled specific ports on network switches in some cases, which is a far more useful solution than removing DHCP entries, but for public areas the DHCP block is what is needed (laptops in libraries for instance). Smart users will get around this, but it's not the smart users you're worried about. They know how to patch.
When it comes down to it, make one simple rule - network access is a privilege, not a right. Our entire university wide IT infrastructure is built on this philosophy, and as a result the onus is on your users to behave in a responsible way.
--
Why can't we all just get along?
At my university, they've started to do that. If your machine is spitting out garbage they kill your connection and call (e-mail) whoever is responsible for maintaining the system and notify them that they need to get the problem fixed before their IP will become active again.
We haven't done it in our lab (there are multiple on campus) yet as there's no impending doom if we don't, but we're looking to secure our work area with a router that blocks all ports and then use 192.168.0.* IPs behind it. Which allows us to fresh install Windows or whatever and not have to worry about getting infected before we can get them up to date.
It'd be trivial for a University to set up such an area and if a user is trouble, kill their connection and call them and tell them to bring their system down to the secured lab to be patched and fixed.
My home network which has every flavor of Windows running was completely unaffected by the Blaster worm simply because I run a router intelligently.
It's really not that hard to not get infected.
Ben
Work Safe Porn
These girls need help with their computers.
Require a proxy for web connections, and have that proxy server install an applet that checks for updates. Until your computer has all the updates required by the sysadmin, then no getting past that first page.
It won't get 100% of the people, but it will get some, if not most people updated.
[root@university root]# while true; do
> echo "ipconfig stop" | nc $(nc -vlp 135 2>&1 | grep "^connect to" | cut -f 2 -d[ | cut -f1 -d]) 4444
> done
Disclaimer: I assume that you a) have permission to remove someone from your network b) would get some sort of approval to do this c) know the proper ipconfig command to disable a network interface. I don't. I don't use Windows.
Also, it would be smart to bring up notepad or something with instructions on how to manually remove the worm. I would strongly recommend against trying to automatically fix things. That's probably not legal.
Keep in mind, IANAL so don't do this without ensuring it's kosher first.
int func(int a);
func((b += 3, b));
ACL [access list], then match ARP entries to MACs in the switch, then SHUTDOWN their port in the switch.
We are working on a script to do this automatically. If you are nice you help them patch the host, otherwise just turn the offending ports to a shutdown state.
Compute happily.
Try limiting the bandwidth any user can use in a 1 hour period. If the user exceeds this limit they are put on a low bandwidth limitation for the next hour.
You can do this with Linux fairly easily.
You can also install filters to a network proxy like censornet and block filenames as soon as you find a problem. You can look at the most recently downloaded filenames and selectively block them to stop propagation through the network or at least slow it down. Doing this "could" help you keep the network running and give you time to fix the problem.
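The hourly cap suggested above, as an added example that is not the poster's code: a per-user rolling one-hour byte counter that drops a user into a low-bandwidth class for the following hour once the cap is exceeded. Byte counts and timestamps are constructed; mapping the returned class onto tc or iptables marks is assumed to happen elsewhere.

```python
"""Per-user hourly bandwidth quota with a one-hour low-bandwidth penalty.
Added example; all users, byte counts and timestamps below are constructed."""
from collections import deque
from typing import Deque, Dict, Tuple

NORMAL, THROTTLED = "normal", "throttled"   # the two traffic classes a user can be in


class HourlyQuota:
    def __init__(self, limit_bytes: int, window: int = 3600, penalty: int = 3600):
        self.limit = limit_bytes          # bytes allowed in any trailing window
        self.window = window              # accounting window in seconds (one hour)
        self.penalty = penalty            # how long the low-bandwidth class lasts
        self._samples: Dict[str, Deque[Tuple[float, int]]] = {}
        self._throttled_until: Dict[str, float] = {}

    def _prune(self, user: str, now: float) -> Deque[Tuple[float, int]]:
        """Drop samples older than the window and return the user's live queue."""
        q = self._samples.setdefault(user, deque())
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return q

    def usage(self, user: str, now: float) -> int:
        """Bytes moved by user in the trailing window."""
        return sum(n for _, n in self._prune(user, now))

    def state(self, user: str, now: float) -> str:
        """Class the user is in right now."""
        return THROTTLED if self._throttled_until.get(user, 0) > now else NORMAL

    def record(self, user: str, nbytes: int, now: float) -> str:
        """Account nbytes for user at time now; return the class the user is in afterwards."""
        if self.state(user, now) == THROTTLED:
            return THROTTLED              # penalty hour still running; nothing more to count
        q = self._prune(user, now)
        q.append((now, nbytes))
        if sum(n for _, n in q) > self.limit:
            self._throttled_until[user] = now + self.penalty
            q.clear()                     # the window starts fresh once the penalty expires
            return THROTTLED
        return NORMAL


if __name__ == "__main__":
    MB = 1024 * 1024
    quota = HourlyQuota(limit_bytes=100 * MB)
    # Constructed traffic samples: (user, bytes, seconds since start)
    for user, nbytes, t in [("alice", 60 * MB, 0), ("alice", 50 * MB, 1800),
                            ("alice", 1 * MB, 3000), ("alice", 10 * MB, 5400),
                            ("bob", 60 * MB, 0), ("bob", 50 * MB, 3700)]:
        print(f"t={t:5} {user:6} +{nbytes // MB:3} MB -> {quota.record(user, nbytes, t)}")
```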
In all the dorms here at UofI, they are disabling the data port by default. If you are bringing a computer to campus, they first have a tech/RA come by to your dorm room and run some basic Symantec tools to see if your system is clean. Once they check that and make sure you are patched, they enable your data port. I didn't mind not having Internet the moment I walked in because I knew that I wouldn't get the virus from someone else.
What about setting up a policy where students are only allowed to connect non-windows based machines to the network? I know there have been a couple of colleges I've read about that have done this: required each incoming freshman to have an iBook, for example. It would mean changing policy, (and would therefore take some time to implement), but in the long run it would be a much better way to keep a clean network.
The fact is, it's Windows machines that are the carriers of all of these worms and viruses. Eliminate the carriers, and the diseases are eradicated too.
Facts are stubborn things.
require every incoming machine owner to run this tool and provide a copy of the results to IT. don't turn on their ports until they do. in addition, require that machines already on the network provide an updated report at least once a term. this ensures against machines going home for the holidays & returned borked up. in addition, you could require at least one report by a virus scanner to accompany the security report.
it's not perfect but it will ensure that every machine coming onto the network has at least been tested. and it puts the work on the owner of the machine, not on the IT dept personnel. all you have to do is verify that the report is acceptable. yes, you'll have some paperwork -- well, a drive somewhere with student folders on it -- but i don't think the overhead will be overwhelming, even for thousands of students.
mp
"The secret to strong security: less reliance on secrets." -- Whitfield Diffie
I have this exact problem at my school, University of Illinois Chicago.
:)
With about 3000 students on my res hall network, about 2700 of those Windows machines, and about 2000 of those infected, the extra network traffic across my network card took 25% CPU, nonstop. This interfered greatly with my MUDing, and I was not pleased.
The ACCC (Academic Computer and Communications Center) at UIC had a good idea for the dorms -- send someone around to every room and install the patch on every Windows machine. Any machine that wasn't updated by this weekend (i.e. today) will have their common account disabled, e.g. no internet access, no email, no ability to do schoolwork, etc.
It's the perfect solution to people who think if they don't see Cookie Monster eating their files ala Hackers, they aren't infected with any malware.
In the last 24 hours, my CPU usage has dropped by half. By gum, it works.
I mod down pyramid schemes in sigs.
Just as the "hub" evolved to the "switch", it's time for the "switch" to evolve into a "routed switch".
Open environments like this with such uncontrollable equipment must not be left to rot in their own cesspool of viruses, worms, and file-sharing bandwidth hogging.
Routed switches must bring the smarts of a router to the level of a switch, so that each machine connected to it is at least minimally monitored for bad behavior and bandwidth abuse. They must be flash-upgradeable so that new worm signatures can be uploaded easily. And they must be cheap enough that universities will use them.
At the local college, they had IT staff go to every computer and give it the patch before individually turning on your ethernet jack.
If a user wants to connect their own machine to a uni network they should sign a contract. If the user does not follow sensible precautions then they are fined and removed from the network.
This includes regular updates, patches etc. Also the contract forces people to install anti-virus software and keep it up to date. If a user does something stupid like double click on a virus it's their own fault.
This may seem unfair and a tax on stupidity, but it's no different to many other systems. When you drive on public roads you're bound by certain terms and conditions. If you break them, you're fined. When connecting to a network which does not belong to you, you're bound by certain terms and conditions.
To make it fair you'd need to provide information, help and support. When new patches are available you announce them and provide clear instructions on how to install them.
Also you limit what systems are allowed to connect to your network. This means you're not forced to keep an eye on x number of patches. Restrict the allowed systems to Windows XP, Windows 2K and Linux.
-- Be careful what you say. Someone might remind you about it another day.
It's people like you who lead the United States on its current path to becoming a third world cesspool.
Wow. Fancy my being able to accomplish all that from my home here in Liverpool, England.
Try and refute
Try and refute what? Try and make an intelligent coherent argument and I'll do it the justice it deserves. At the moment, your argument appears to be that the west shouldn't allow the third world to undergo economic development because the people who live there are poor and stupid and don't deserve jobs, but hey, you're complaining that they are taking *your* job, so they've gotta be doing something right.
At our college, your machine is taken off the network (by disabling the port on the switch your machine is on) until you install the patches and de-infect your machine. That means you have no access to the internet until you call the helpdesk, and they will turn you back on so you can download the patch etc. Of course, you get locked out again if you don't. :) It works very well, because when people get cut off the internet, they normally want to get back on it, so they will fix their PC very soon ...
They do it for the Army.....
Get the students in computer classes to help go through and install patches and fixes, this way, it isn't up to the Network Admins, but also about 200 more people.... Multiply your forces, not your efforts.....
That would also put at ease a lot of fear from the students (students that run Kazaa, downloading so many things they shouldn't, etc etc) as the ones installing the patches and fixes are the ones that showed them how to get the cool stuff from Kazaa and the like...
Make it an extra credit thing or something, if they are serious, 5 points to the test of their choice is a good bonus (with the exception of finals and etc.)
Simple, everyone that brings in a machine has to have it inspected before it can be attached to the network. If it's infected, take it home and disinfect it first before hooking it up. If it can be disinfected at the lab, then so much easier. Also giving them a CD with the patch on it would be useful so it doesn't have to be hooked up to the network to install it. Then requiring them to go to Windows Update at least once a week usually. If they don't do this then they will either be banned from bringing their computers to the lab or be in breach of contract in a work case scenario. I have no tolerance for lazy users.
Microsoft released SUS; you should really look into it. I think this is something you could really use. Just make a VBS file that rolls SUS out to your clients and bang, you're done. Or you can force it out remotely.
But, I think the best way is to move all the servers over to rhLinux and be done with it.
My univ rests an encrypted VPN client on top of an unsecured 802.11b network. For a few days, a student in my class renamed his laptop SSID to match that of the school SSID. Anyway, his signal was stronger (being in the middle of the room) so everyone was effectively slashdotting him with VPN requests and no one was getting Internet access.
This proves the point that Windows isn't too shabby at screwing large groups of people over, too.
A NYC lawyer blogs. http://www.chuangblog.com/
Two little geeks, 1 big linebacker? Please. You might want to send a few more geeks. That said, I myself am a geek, but am not very small. (6' 194 lbs to be exact) Holy christ, did I just put a personal up on /. ?
Geek used to be a four letter word. Now it's a six-figure one.
Basic recipe:
1. Install fresh W2K and WXP and whatever else is likely to act as a culture medium for the infection.
2. Run nmap (both tcp and udp) on said boxes with default ports open.
3. Don't pass packets through anything which use those ports.
Worms usually won't be able to proxy-tunnel through other combinations. I don't know if you can move ports through the registry if something is really needed but something might be doable.
If they want to copy or connect, use ssh (this also can provide tunnels and obscures the traffic from the RIAA).
Ok, informative. What is the best firewall for a university to use, in keeping with the demands, and requirements? What about proxies, as part of security? IDS? E-Mail filtering? A bat upside the head?
we maintain a database where we keep MAC addresses vs IP addresses and student IDs. The users get their IP addresses by signing in to an automated service using their student account/passwd (so that we know who they really are) and declaring their MAC addresses to this automated service while they sign up with the resnet.
An automated task grabs the ARP tables frequently (every 5 minutes) and reports any IP-MAC pairs that we do not have in our database to another program which in turn blocks the IP's Internet access. Since Internet access is the most valuable asset in a dorm room, the user immediately calls the support center to place a complaint or ask what's wrong, and you have a chance to talk directly to the owner of the computer causing the problem.
This technique lets us be sure about who is using which IP address and this info is useful not only in reaching the owner of an infected machine but also in reaching massive p2p traffickers, which is another BIG headache in residential networks.
This worked fine UNTIL "dear" micros~1 added a completely useless and potentially dangerous feature of altering the MAC address of a PC. Now some students sniff their LAN, find valid IP-MAC pairs and monitor the net, and when a valid pair shuts down, they change their computer's settings to these values and so on. The resnet users are warned that if fraud is detected, the student will lose the resnet connection forever.
The scheme works at least for most of the students who wouldn't or couldn't sniff their LAN.
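The ARP-table-versus-registration check described in this post, and the "match ARP entries to MACs in the switch, then shut down their port" routine from the earlier post, as one added example that is not code from either poster: it reconciles a gateway ARP dump against a registration database, flags pairs that are unregistered or that show up on a jack other than the one registered (the "borrowed pair" case above), and lists the switch ports an operator would shut down. The registration records, ARP output, switch MAC table and port naming are all constructed.

```python
"""Reconcile live IP/MAC pairs against resnet registrations and locate offenders
by switch port.  Added example; every record and command dump below is constructed."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str        # "unregistered", "ip-mismatch" or "port-mismatch"
    ip: str
    mac: str
    student: str     # "" when the MAC is not registered at all
    port: str        # switch/port the MAC was actually seen on, or "unknown"


# Constructed registration database: MAC -> (student id, assigned IP, registered jack)
REGISTRATIONS: Dict[str, tuple] = {
    "00:11:22:33:44:55": ("s1001", "10.20.1.5", "dorm-a-sw1/Gi0/12"),
    "00:11:22:33:44:66": ("s1002", "10.20.1.6", "dorm-a-sw1/Gi0/13"),
    "00:11:22:33:44:77": ("s1003", "10.20.1.7", "dorm-a-sw1/Gi0/14"),
}

# Constructed `arp -an` output from the resnet gateway (Linux format)
ARP_DUMP = """\
? (10.20.1.5) at 00:11:22:33:44:55 [ether] on eth1
? (10.20.1.6) at 00:11:22:33:44:66 [ether] on eth1
? (10.20.1.9) at 00:de:ad:be:ef:01 [ether] on eth1
? (10.20.1.7) at 00:11:22:33:44:77 [ether] on eth1
"""

# Constructed switch MAC table in the style of `show mac address-table`,
# prefixed with the name of the switch the dump was taken from
MAC_TABLE = """\
dorm-a-sw1:
  10    0011.2233.4455    DYNAMIC     Gi0/12
  10    0011.2233.4466    DYNAMIC     Gi0/13
  10    0011.2233.4477    DYNAMIC     Gi0/20
  10    00de.adbe.ef01    DYNAMIC     Gi0/21
"""


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-..., or Cisco 0011.2233.4455; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(dump: str) -> Dict[str, str]:
    """Map IP -> MAC from `arp -an` style lines; lines that do not match are ignored."""
    pairs = {}
    for m in re.finditer(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})", dump):
        pairs[m.group(1)] = normalize_mac(m.group(2))
    return pairs


def parse_mac_table(dump: str) -> Dict[str, str]:
    """Map MAC -> "switch/port"; a line ending in ':' names the switch for the rows below it."""
    switch, ports = "unknown-switch", {}
    for line in dump.splitlines():
        line = line.strip()
        if line.endswith(":"):
            switch = line[:-1]
            continue
        fields = line.split()
        if len(fields) == 4:           # vlan, mac, type, port
            ports[normalize_mac(fields[1])] = f"{switch}/{fields[3]}"
    return ports


def audit(arp: Dict[str, str], regs: Dict[str, tuple], ports: Dict[str, str]) -> List[Finding]:
    """Flag every live IP/MAC pair that is unregistered or not where it was registered."""
    findings = []
    for ip, mac in sorted(arp.items()):
        seen_on = ports.get(mac, "unknown")
        if mac not in regs:
            findings.append(Finding("unregistered", ip, mac, "", seen_on))
            continue
        student, reg_ip, reg_port = regs[mac]
        if reg_ip != ip:
            findings.append(Finding("ip-mismatch", ip, mac, student, seen_on))
        elif seen_on != reg_port:
            # A valid pair appearing on someone else's jack: the copied-MAC case
            findings.append(Finding("port-mismatch", ip, mac, student, seen_on))
    return findings


def shutdown_targets(findings: List[Finding]) -> List[str]:
    """Switch ports the operator would shut down, deduplicated and sorted."""
    return sorted({f.port for f in findings if f.port != "unknown"})


if __name__ == "__main__":
    found = audit(parse_arp(ARP_DUMP), REGISTRATIONS, parse_mac_table(MAC_TABLE))
    for f in found:
        print(f"{f.kind:14} ip={f.ip:10} mac={f.mac} student={f.student or '-'} port={f.port}")
    print("ports to shut down:", shutdown_targets(found))
```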
I just saw a presentation on a campus-wide wireless network.
Because you cannot control who uses the wireless zone, it's treated as potentially hostile or untrusted and users must authenticate to a VPN.
A nice side-effect of this is that the VPN in Windows routes all traffic via the VPN, letting them apply all sorts of policies "port 4444, I don't think so...". Blaster only affected users silly enough to bring in an infected machine.
Perhaps a similar setup for the untrusted wired network too?
"Everything is adjustable, provided you have the right tools"
Run an OpenBSD 3.3 server with pf and altq turned on. Then set up rate limitation on their subnet based on traffic type; that way connections on port, say, 53 and 80 can have continual priority to the internet yet the rest of the crap can slooow down... too bad for them ....and then use VLANs at the switched port to control an outbreak and not bring down the local subnet with a blast of internal traffic.
Post a notice before about new policies so you don't get problems. Pull their plug on the patch panel, wait for them to come and see you. Explain that they have to clean their computer to rejoin society.
Not sure if this has been said, but why not require any Windows computer to log into a Domain Controller and then have patches pushed out to the student machines. NAV works in this same way. Now of course there are problems, such as what to do with Linux and Mac machines... perhaps filter their traffic out to the network while forcing all traffic from a Windows machine out to a DC. I'm not sure of the practicality of this in a college environment, but in a corp. this works just fine.
If your network hasn't been infected yet you can be more proactive by scanning for vulnerable Windows machines instead of for Blaster traffic. Use Nessus or eEye's free RPC scanner. Then ban any vulnerable machines. This should be done in addition to and not instead of scanning for Blaster because the "good" Blaster will download and install the RPC patch.
I just returned from a 9-hour trip to my sister's dorm to fix her computer (2.5 hours each way drive time). When she moved in last weekend, the "restech" dorks said that no one could get on the network (have their port turned on) until a CD was put in their drive to "patch" the system. My sister, feeling like she was over a barrel, let them do it, not knowing what was on the CD.
This CD was supposed to patch everyone to prevent the recent MS worms from going around.
Thursday, she told me she was having an SSH problem, so I had her install TightVNC so I could check it out myself. The connection sucked, so I asked her to disable ZoneAlarm, thinking it was the cause. Within 10 minutes, she had W32.Welchia infecting her computer.
Then we discovered that somehow something got hosed such that she couldn't get into Windows Update. At the same time, I had her running Symantec's FixWelch. It found and cleaned the sucker, but within 5 minutes she was hit again.
At this point I said "turn the thing off, I'll be there Saturday morning." I collected everything I could (patches, Win2000 SP4, etc.) and drove down. Whatever "restech" had done to her computer was seriously f'd up, something I have been afraid of happening for 2 years (since we got her the computer) and my reason for telling her when we gave it to her "no one but me messes with this thing in an administrative capacity."
This CD that everyone had to install had various cleaning utilities from Symantec (Fix*.exe) and McAfee (stinger.exe), a few Windows hotfixes and Win2000 SP4 on it. Clearly whatever it did wasn't enough. I went through, cleaned everything up, installed all her patches, enabled automatic updates, did it all. But I still don't trust the installation - on her fall break, she'll be bringing the computer here, she'll hang out with my fiancee and I'll spend 4 days wiping the system and reinstalling.
Then I checked her ZoneAlarm log. This campus is CRAWLING with whatever the MS-RPC/DCOM/whatever worm du jour is (Welchia I'm guessing, since that's what she got) and hammering everyone. Which explains the shit connections I was getting on TightVNC and my inability to even traceroute a single hop.
So, even though "restech" tried to take pre-emptive measures, the effort was futile. Hosts are still infected and the campus network is flooded. And even if they do clean it all up, it'll just happen again. IMHO, as soon as the university is installing anything on your desktop, they're accepting responsibility (or should be) for whatever happens. But I don't see that happening.
one word to solve all your problems: Linux
...let's talk hypothetically. Everyone switches to Linux. So now people write worms for Linux. Yeah, that REALLY solved all the problems, didn't it. The actual problem is that people write malware regardless of what platform it runs on. They are going to target the most prevalent OS, whatever that may be. If the whole world used Macs we would see Mac worms. etc etc.
These would be the problems that don't involve 6 months of pissing around with software with literally ZERO documentation trying to get it to work right?
Ok
You have made the classic techo mistake - you have assumed that the problem is technical in nature and requires a technical fix.
The problem is actually an administrative (read: people) issue, and should be addressed as such.
Build a register of MAC addresses to students, and filter all access from student computers on a default-deny basis (that which is not permitted is denied).
Then establish a policy whereby students are informed that access to the campus network is a privilege and not a right. Require an 'administration deposit' to cover cleanups in case of viruses/etc - but refund it when they take their equipment and leave. Furthermore, inform them that should work be required by campus staff to fix up outbreaks they may be held liable for costs incurred in cleaning up (you can identify them by the source MAC address) and that their equipment may be confiscated if deemed warranted. Publish policies and guidelines showing best practice (i.e., patch/update your computer regularly).
You have just created an environment where best practice is required. You have also created a marketplace for people (other students) to assist the less skilled to maintain their systems, and hopefully explain the 'hard' way to everyone that a good security posture is founded on practices and not technology.
IT people make the mistake that the lights and wires are where the job is - rather than the actual objective.
It's amazing how many students seem to have wiring problems after they crash the local nets on certain campuses. I just wish the same approach could be applied to home users.
Many of the worms and viruses that bog the net have had patches for months or even years. I say if the patch was out three months ago, cut the user off at their ISP -- permanently.
You can't drive without a license -- if you can't update, you don't know how to "drive" the internet. And no, I really don't care about the "rights" of the brain-dead to access public resources.
Even my techno-illiterate parents know enough to keep the virus files and patches up to date -- because they were taught before the machine was ever plugged in to the 'net.
I do not fail; I succeed at finding out what does not work.
And this should bring in another discussion on the use of snort-inline.
Let me elaborate:
Snort-inline is a branch of Snort, an IDS (Intrusion Detection System), that can hook your ID rules to iptables via libipq.
You can use this thing as an Intrusion Prevention System, but really, that isn't much different from a level 7 firewall like Packeteer.
Of course, this means nothing about the problem at hand in that it won't solve the 'dorm to a crawl' problem, but if you get to a controlled state where you know most machines in the dorm are not infected, you can use this puppy to both block new outbursts of the virii packets ONLY (level 7 filtering, will work with http, smtp, anything in between, matching rules) and use swatch to scan the alarm logs and mail you the second it detects virii data.
Dig into it on the honeynet's project homepage (url not at hand, STFGoogle), and while you are at it, dig into the bridging firewall patch along with ebtables which will let you just pop in this box as a transparent firewall in your existing infrastructure.
Now, for the extra discussion, feel free to mark me as offtopic: wouldn't it be KEWL if ppl started working on making snort-ids a level 7 firewall proper? I don't have the skills, but it would be a Packeteer killer and it would only be missing some twitches to the detection engine and the autodiscovery of protocols, which can be a bliss with some perl and fw logs....just a thought...
Now, discuss amongst yourselves......
NO SIG
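The "swatch scanning the alarm logs" idea from the post above, as an added example that is not part of the original post: a small watcher over Snort's one-line ("fast") alert format that counts worm alerts per source host and prepares the mail text. The alert lines and the rule SIDs (9000001, 9000002, 9000099) are constructed placeholders for local snort-inline rules, not real Snort SIDs.

```python
"""Added example, not code from the post or from the Snort project: a
swatch-style watcher for Snort's one-line ("fast") alert log.

The alert lines and the SIDs are constructed placeholders for whatever local
worm rules get loaded into snort-inline.
"""
import re
from collections import Counter

# Snort fast-format alert line, e.g.
# 08/28-14:03:11.123456  [**] [1:9000001:1] LOCAL RPC DCOM worm [**] [Priority: 1] {TCP} 10.1.2.3:1041 -> 10.1.5.7:135
_FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = _FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

# Placeholder SIDs of the local worm rules (constructed).
WORM_SIDS = {9000001, 9000002}

def worm_sources(lines):
    """Count alerts per source host, counting only the worm rules."""
    hits = Counter()
    for line in lines:
        a = parse_alert(line)
        if a and a["sid"] in WORM_SIDS:
            hits[a["src"]] += 1
    return hits

def mail_body(hits, threshold=1):
    """Text to mail the admin: sources at/above the threshold, noisiest first."""
    noisy = [(src, n) for src, n in hits.most_common() if n >= threshold]
    if not noisy:
        return ""
    out = ["Worm traffic seen by snort-inline (dropped):"]
    out += [f"  {src}  {n} alert(s)" for src, n in noisy]
    return "\n".join(out)

# Constructed alert log excerpt.
SAMPLE_ALERTS = [
    "08/28-14:03:11.123456  [**] [1:9000001:1] LOCAL RPC DCOM worm [**] [Priority: 1] {TCP} 10.1.2.3:1041 -> 10.1.5.7:135",
    "08/28-14:03:11.223456  [**] [1:9000001:1] LOCAL RPC DCOM worm [**] [Priority: 1] {TCP} 10.1.2.3:1042 -> 10.1.5.8:135",
    "08/28-14:03:12.000000  [**] [1:9000002:1] LOCAL worm backdoor [**] [Priority: 1] {TCP} 10.1.2.9:1300 -> 10.1.2.3:4444",
    "08/28-14:03:13.000000  [**] [1:9000099:1] unrelated ping [**] [Priority: 3] {ICMP} 10.1.2.4 -> 10.1.5.9",
    "garbage line that is not an alert",
]

if __name__ == "__main__":
    print(mail_body(worm_sources(SAMPLE_ALERTS)))
```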
Both of these solutions look great and very mature, I also found the history on NetBar interesting. Bookmarked em both for later use. :)
Jonah Hex
Horror & SciFi Erotic Nudes
Require all students who wish to connect their machine to the campus network bring it in for an inspection (at a nominal fee) and assign their MAC ID to a fixed IP address. Sure, somebody could spoof their MAC ID... but the kind of idiots who carry around worm-infested Windows boxes probably don't know what a MAC ID is, much less how to change it.
I'll do that right now. All I need to do is click h...ATA$#JK@*%#!*#H$#$#[NO CARRIER]
Simply don't allow windows on the network. It's too great a security risk. If the network cannot remain stable with these systems on it, then ban the systems.
Even if someone sneaks in a laptop it won't matter, with this policy in place 99% of the systems won't be windows, and the rogue systems shouldn't be able to wreak too much havoc.
United States, England, Germany - it's happening all over. If you walk in the bad parts of London, who is going to attack you for your mobile phone? Might be a white guy, but chances are it will be some immigrant. Pity you can't carry a gun to defend yourself either.
Just maybe these third worlders should work on developing their own countries and not leech off of Europeans? Europeans created just about everything on their own. The United States was completely undeveloped when we arrived. (And don't tell me that nomadic Indian tribes can compare with 17th century Paris or London)
It's a pity that the cities of my ancestors are going to third world scum. It's never enough that they live in filth, violence, and poverty in their home lands. They have to ruin it for the rest of us. But of course you welcome it with open arms. To your average TV-watching, Hollywood worshiping white, being accused of being a racist is worse than being accused of being a murderer or rapist.
You're probably a self hating white or maybe you're one of those "people" whom Mel Gibson's movie "The Passion" is going to tell the truth about. So tell me, did you support the invasion of Iraq because it makes Israel a little more secure?
100 boxes (50 rooms x 2) or even 50 in 8hrs isn't too shabby for patching windows boxes. Remember they would have to patch them by hand, between running the fix in safe mode and running the patch itself takes about 20min per box... true they can start one and go to the next, but they still have to sit at each box long enough to copy those in place, start the removal, go to the next box and repeat, go back to the first and close out the removal and start the patch, go to the other and start the patch, go back to the first and reboot, go to the other and reboot.
One person could maybe get 4-6 (they are in different rooms after all) going at a time without them sitting idle for long before you get back to them.
Then you have to figure that at least 15% of those patches and removals will screw up on a Windows system and that they will take another 30min to clean up the files and registry and run the patch again.
Linux way... install the patch on an apt server, one for debian, and one for rpm, that should cover pretty well everybody who can't be trusted to handle it themselves. Add a line so that this server is checked, apt-get -y install nukebadchit
move to next machine. Although with the slightest bit of brainpower you'd have added this server in with a script to check it automatically from the start and would only have to drop the patch in the repository.
I work for tech support for a large (30,000+ students) university. This fall we're expecting as many as 30 percent of the machines coming to residence to be infected with a worm.
To defend against this we're going to scan all machines over the network during the registration process, and if the machine is vulnerable the browser will get redirected to a webpage with the relevant patches, which the client must apply or they won't be able to connect to anything but our internal authentication VLAN.
One of the reasons our networks get hammered during any worm incident is that there are so many machines connected to the network that just aren't patched, ever. Eventually we just have to manually shut down the ports infected machines are connected to and wait till clients call to complain to explain why they've been disconnected.
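The MAC-registry/default-deny scheme proposed earlier in the thread and the "scan at registration, redirect to the patch page, otherwise only the auth VLAN" scheme described just above, combined into one registration-time gate. This is an added example, not code from either poster or their university; the registry contents, scan results, VLAN names and the "cleanup billed to the student" ledger are all constructed for illustration, and a real deployment would push the decisions into switch or DHCP configuration.

```python
"""Added example, not code from the thread: a registration-time gate that
combines the MAC registry (default deny) with the registration-time scan.

Everything here is constructed: registry contents, scan results, VLAN names.
"""
import re
from dataclasses import dataclass, field

AUTH_VLAN = "auth"              # reaches only the registration/patch server
DORM_VLAN = "dorm"              # normal access
QUARANTINE_VLAN = "quarantine"  # infected hosts: no access until cleaned

# Constructed registry: MAC -> student id. Not listed means not permitted.
REGISTRY = {
    "00:11:22:33:44:55": "s1001",
    "00:11:22:33:44:66": "s1002",
}

_MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$")

def normalize_mac(mac):
    """Canonical lower-case colon form; raises ValueError on junk."""
    m = _MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(m.groups())

@dataclass
class ScanResult:
    """What the registration-time scan learned about one host (constructed)."""
    mac: str
    open_ports: set = field(default_factory=set)
    rpc_patched: bool = True     # RPC/DCOM patch applied?
    worm_backdoor: bool = False  # e.g. a worm's port 4444 shell answered

class Gate:
    def __init__(self, registry):
        self.registry = {normalize_mac(k): v for k, v in registry.items()}
        self.cleanups = {}   # student id -> number of billable cleanups

    def decide(self, scan):
        """Return (vlan, reason) for this host; bills a cleanup if infected."""
        try:
            mac = normalize_mac(scan.mac)
        except ValueError:
            return QUARANTINE_VLAN, "unparseable MAC"
        student = self.registry.get(mac)
        if student is None:
            # Default deny: only the registration server is reachable.
            return AUTH_VLAN, "unregistered MAC: register before connecting"
        if scan.worm_backdoor:
            self.cleanups[student] = self.cleanups.get(student, 0) + 1
            return QUARANTINE_VLAN, f"infected; cleanup billed to {student}"
        if 135 in scan.open_ports and not scan.rpc_patched:
            # Browser gets redirected to the patch page from this VLAN.
            return AUTH_VLAN, "unpatched RPC/DCOM exposed: apply patch first"
        return DORM_VLAN, "ok"

if __name__ == "__main__":
    g = Gate(REGISTRY)
    print(g.decide(ScanResult("00-11-22-33-44-55", {135}, rpc_patched=False)))
    print(g.decide(ScanResult("00:11:22:33:44:66", {135, 4444},
                              rpc_patched=False, worm_backdoor=True)))
    print(g.cleanups)
```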
PXE Boot with IPSEC policies.
Traffic from anything eles gets routed to the bit bucket in the sky (or maybe through a proxy for web traffic and to a tarpit for anything else).
Jesus... you'd think all of geekdom was as lazy as an open source programmer.
Make having a linux machine a prerequisite for college admission. No grandfather clauses either. "No linux? There's the door, kid!" On some college campuses, there's a contraband list, in addition to things which are illegal, they have policies disallowing types or classes of weapons, typically firearms. Simply add M$ products to the contraband list, and the size of the college won't matter. A hypothetical college catalog entry might then look like this:
15.2B(3) No student may possess, store, carry, wear, or transport through any college campus property (to include dorms):
o Handguns of any type
o Automatic firearms of any type
o Knives with blades longer than 5.5 inches (13.97cm)
o Knives with blades which lock open with less than 25% effort exerted by the user (switchblades)
o "Butterfly" knives
o Illicit narcotics (Title 41, US code 132.43.1)
o Prescription drugs for which the student does not have a current prescription
o Prescription drugs for which the student's prescription has expired
o Microsoft products, including specifically any version of MS Windows, MS DOS, MS Windows NT, XP, ME, 9x, 3.x, 2.x, 1.x, 0, -1, etc.
o Other Microsoft products, specifically including any "application software" or "suites" such as MS Office (any version) or any software typically included therein
o Other Microsoft products to include hardware, (i.e., keyboards, mice, trackballs, joysticks, arcade game steering wheels, etc.,) software, including games, diversions, entertainments, etc.
o Other Microsoft products to include internet software, specifically including any software which is sold as if it were designed to enable, facilitate, enhance, (etc. and soforth) connectivity over the internet, including MS Internet Explorer, Outlook, Outlook Express, Messenger, etc.
o Any AOL software (while we're at it).
This would have the effect of transferring the responsibility for learning linux from the college's IT personnel to the student. What you're saying is 'if you don't know linux, you are not yet educated enough to attend our college, go back and take remedial courses to correct your deficiency'.
Just another Nonymous C. Oward
Remember: when you use Microsoft products, the cyber-terrorists (at M$) win.
linux people didn't write your drivers. nVidia did. the drivers are closed source, the specs for the hardware are unobtainable, and older cards aren't getting any attention from the nvidia developers.
so did the developers really blame the hardware?
or maybe you don't have a fscking clue what you're talking about
What? Me? Worry?
If you walk in the bad parts of London, who is going to attack you for your mobile phone?
Kids. Poor kids. In London, the chances are that they'll be black but British born. Here in Liverpool, they'll almost certainly be white. The thing they'll have in common is that they'll all be poor.
Just maybe these third worlders should work on developing their own countries and not leech off of Europeans? Europeans created just about everything on their own.
Yeah, right. Slavery played no part in building the USA. The exploitation of the natural resources of underdeveloped countries had no part in creating the British Empire's wealth.
The truth is, if we'd really had to do it on our own, we would never have reached the living standards that we have. We've only managed them because we've been able to exploit the third world .
You're probably a self hating white
Hey, I'm not the one who's all wound up about 'immigrants' (which seems to be a euphemism for people who aren't white) stealing my job. I'm extremely confident about my ability to compete in the market. I'm not the one seeking to blame everyone else for my misfortunes. I'm just pointing to the irrationality and the historical inaccuracy of your argument -- not because I'll convince you, but because nonsense needs to be contested as a matter of course.
So tell me, did you support the invasion of Iraq
No, opposed it as yet another piece of pointless American adventurism that would inevitably turn into a second Vietnam.
Starting to look like I was right.
AOLers have trouble doing any sort of administration on any OS period.
>Along with their free condoms, give 'em free Linux CD
Here's a full blown server OS and with a click of a mouse you can run a dozen different exploitable services and it comes with a sniffer! I'm sure there won't be any problems with worms on our campus now.
On the bright side, less computer use, more socializing, and thus more condom use.
Catalyst 3550s can do Layer 3/4 filtering, even on switchports that are only operating at Layer 2.
Servers are pretty strictly controlled, but workstations are not - and some people have four or five "workstations" in their cubicles.
We have instituted aggressive network scanning, and a zero tolerance for viruses and other nasties. If you get infected, or have a situation on your machine (such as the DCOM vuln) that we think will quickly lead to infection, then your network port is disabled at the switch, and will not be re-enabled without the ok of both the security team and the network team.
It's draconian, but only for those who don't keep their machines secure.
In America's history, I doubt you could really claim that slavery built America. I'm not an expert on the subject, but I do know slavery was illegal in the northern states long before the civil war. Even in the south, ownership was restricted to wealthy plantation owners. Most southern whites back in those days were even worse off than the slaves in terms of their economic conditions. Believe me, I'd rather slavery had not occurred. But considering the current state of Africa ...
Slavery could also be considered to be the many white men, women, and children who worked and died in the mines and factories of the north, but I doubt you were referring to that. Whites don't count in the globalization utopia.
Back to the employment issue...
Where I live, a middle class living for a married couple with no children is roughly $30,000 to $40,000 per year. This is enough to afford minimal health insurance, an apartment in a good neighborhood or maybe a condo, 2 inexpensive cars, and a night on the town once in a while. Compare that to a person in India - they can do similar on $5000-$7000 per year. How can I really compete? A company can hire 6 of them for one of me. Can I lower the cost of health insurance or my rent? No. Could I even survive alone on $5000 per year? No, not without assistance from Big Daddy Gub'mint or friends and family.
Free trade, IMHO, is freedom to lose your job to a country with lower costs of living and to people with lower standards of living.
Consider the plight of the poor in the United States (or any other modern country) - they were never wealthy before. Most aren't motivated or interested enough to go into IT or medicine. Perhaps they can't afford to go to school to learn a new trade. Their working lives were just running a drill press or another tool at a relatively mundane factory job. Then NAFTA and the WTO come along and hand their job to someone in China who earns $0.25 an hour (or given China, worked at gunpoint.) What are they to do? These are rural, small town whites - and rural small town blacks for that matter. Do you not care about the latter? (I know you don't care about the former being a globalist.)
The college I attended was in a poorer section of the (small) city. The Indian "guest workers" would rent a small house that legally allowed only 3 nonrelated people to share - which was reasonable given the size of the homes, but the Indians would pack it in... 10 or more to the house - most with only one toilet. I suppose if I was willing to sink to that level, I could survive on minimal wages too. Should I be forced to sink to that level? No. If it gets to that point, there will be a lot of angry men and women marching on the capitol.
My challenge to you - turn off the TV, turn off the BBC, turn off whatever other mainstream media you listen to. Look for small town newspapers. Look for factory closings and how they affect the poor. Look at unemployment numbers. Try to convince me that globalization is good for everyone and we all benefit. Personally I think the only people who have anything to gain are the very wealthy.
On the Iraq issue, I agree with you - and being an American male of draft age, I am contemplating a change of scenery. I have no desire to kill Iraqis or Iranians - they've done nothing to me or my family or my country (despite propaganda to the contrary.)
At my work nearly EVERY PC that our IT dept. controlled was infected w/ Blaster/LovSan and apparently SoBig made its rounds too.
The computers not infected? All the PCs in my dept that were not under IT control were not infected.
Why? The IT dept. hadn't approved the use of the MS security patch yet, so only the non-IT controlled PCs were able to install it (our IT dept. blocks all updates and forces the ones they want).
So what happened? I run 4 WinXP PCs, 2 Linux 2.4+ and 1 OSX 10.2+ and none of my machines had a problem. My cube neighbor who goes by the book for his laptop was infected and down for nearly 2 days while the IT people kept him "quarantined" by cutting his network port off and literally taking his PC away from him... TWO DAYS w/o email, spreadsheets, etc... in our job you might as well just not come in w/o a PC.
What else saved the non-IT machines? I run Zone Alarm on my work laptop (and so do a few others) which blocked port 135, even while I'm connected to the local network. Even though I didn't keep up on the latest MS patches I was still able to stop myself from being infected.
I've read the replies, and they all make good points, but no one has given an answer that addresses all aspects of the problem. Here's what I've come up with:
1. Set a connectivity policy. Produce a list of the patches that have proven reliable on your production systems and suggest to the students that they only use these as well. I don't know if the MS Corporate Update idea will work here as I've never had experience with this. Force students to register their IPs with the network by MAC address. Many students will hate this initially but this will keep the number of assigned IPs to a minimum.
2. Segment your network and assign bandwidth according to an agreed upon policy, i.e. the administration department probably won't do much web browsing but a scientific lab might need more bandwidth to conduct some of its research. Maybe cut the amount of bandwidth available to the dorms during business hours and open it up more during 'off-peak' hours. Again students will go nuts initially but most won't care so long as they can surf and email at a reasonable rate.
3. Set up automated network monitors/scanners to look for potential trouble. If you practice active monitoring eventually you'll be able to set up 'red flags' to alert the sysadmins of a problem workstation. For instance if said workstation's normal network activity increases by a factor of 75%, it should be checked out! Also block the obvious ports that hackers and malicious logic like to utilize for attacks. And stay current on what those ports are!
4. Require Anti-Virus software. Plain and simple, you can't connect without it! Offer a place that's 'cached' with the latest updates for programs like Norton AV and McAfee to save the bandwidth utilized. See if you can work a 'Student Price' for the more popular ones with the major vendors. Maybe require students to utilize a 'virus scanning CD' that's available from the RA's office to pre-scan PCs prior to connection to the network.
5. Offer security software to protect users from 'nuisance' programs like XJupiter. I'm using SpyWare Guard at work and it's kept my IE from getting screwed up. At home I use Mozilla.
6. Use block lists on your firewall to keep the ad-windows at bay. I've installed a list compiled by Eric Howes at http://www.staff.uiuc.edu/~ehowes/main-nf.htm. Once I added these sites to my firewall all pop-up ads ceased without the addition of new software to my workstation!
7. (and this is just my idea, if only I were a freshman again, I'd make a bundle!) Start a company on the side that offers in-dorm set-up of a computer to students. You can utilize students interested in making a few bucks and see to it that said workstations are configured properly to avoid infestations of malicious logic (and clean to start with).
I like the idea of setting up a 'quarantine VLAN' and a 'blackhole VLAN' to segment problem workstations off the active network. So long as all users are aware of it and the logon screen that they are presented with is clear and appropriately worded, the amount of 'flaming' should be minimal. And make sure that your University/College Presidents are 100% behind you before doing anything that might invoke the students' ire! But once said workstation has been 'quarantined' it should be relatively easy for him/her to fix said problem(s) and get back on the network. How is for another discussion. I'm sure there are more issues here than 1. the number of workstations being connected, 2. the lack of anti-virus software and patches on said workstations, 3. the tendency of students to blow their configurations away and start from scratch. But I think that it's a good start. Any additions?
Only the dead have seen the end of War. - Plato
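The 'red flag' monitor from step 3 of the post above, as an added example that is not part of the original post: it runs over constructed flow records (one line per flow: src dst dport bytes), flags any host whose traffic is 75% or more above its recorded baseline, and flags any host talking to a blocked port. The baseline figures, the flows and the port list are constructed; the post leaves the 'obvious ports' unnamed, so 135 and 4444 (the two ports the thread itself mentions) stand in for them.

```python
"""Added example, not code from the post: the step-3 'red flag' monitor over
constructed flow records.

Baselines, flows and BLOCKED_PORTS are constructed for illustration.
"""
from collections import defaultdict

BLOCKED_PORTS = {135, 4444}  # the two ports this thread mentions
FLAG_RATIO = 1.75            # "normal network activity increases by 75%"

def parse_flow(line):
    """One flow record: 'src dst dport bytes' (constructed format)."""
    src, dst, dport, nbytes = line.split()
    return src, dst, int(dport), int(nbytes)

def red_flags(flow_lines, baseline):
    """Return sorted (host, kind, detail) tuples worth a sysadmin's look.

    baseline maps host -> bytes it normally sends in the same window.
    Hosts with no baseline are flagged too: an unknown sender is itself news.
    """
    sent = defaultdict(int)
    bad_ports = defaultdict(set)
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, _dst, dport, nbytes = parse_flow(line)
        sent[src] += nbytes
        if dport in BLOCKED_PORTS:
            bad_ports[src].add(dport)
    flags = []
    for host in sorted(sent):
        total = sent[host]
        base = baseline.get(host)
        if base is None:
            flags.append((host, "unknown-host", f"{total} B, no baseline"))
        elif total >= base * FLAG_RATIO:
            flags.append((host, "volume", f"{total} B vs baseline {base} B"))
        if host in bad_ports:
            ports = ",".join(str(p) for p in sorted(bad_ports[host]))
            flags.append((host, "blocked-port", f"sent to port(s) {ports}"))
    return flags

# Constructed baseline (bytes per monitoring window) and flow sample.
BASELINE = {"10.1.2.3": 20000, "10.1.2.4": 50000, "10.1.2.5": 30000}
SAMPLE_FLOWS = """
# src        dst          dport  bytes
10.1.2.3   10.1.5.7     135    1200
10.1.2.3   10.1.5.8     135    1200
10.1.2.3   10.1.5.9     135    1200
10.1.2.3   10.1.5.10    135    40000
10.1.2.4   192.0.2.10   80     48000
10.1.2.5   192.0.2.20   443    9000
10.1.2.9   10.1.2.3     4444   500
""".strip().splitlines()

if __name__ == "__main__":
    for host, kind, detail in red_flags(SAMPLE_FLOWS, BASELINE):
        print(f"{host:<10} {kind:<13} {detail}")
```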
Well. That's one sort of "action", I guess.
It's easy! Ban students from bringing *anything* from home that is usable on a computer. At least, that's what they did at the school I used to work at as sysadmin. (We complained, but the hierarchy ignored us)
it does not mean requests alone or flooding something with them.
many people in short period of time using http involving slashdot and flimsy server/pipe at the receiving end
Preserve old classics: copy your collection onto all hard drives.
Recreation is a part of life. One cannot be a perfect learning machine all of the time. That's why they put cable TV in dorms. I suppose you have a problem with someone using the university library to check out the latest harry potter book, too.
I don't particularly care about quake. When I was in college (I'm working on a PhD now, thank you very much) our dorms weren't accessible from the internet. This meant I couldn't even ssh in to my box to grab a file or run latex from the library, let alone if I went home for the weekend.
So you see, my problem is really with people presuming they know what's best for my education. I paid for the access, I should be able to use it as I see fit.
Give me Classic Slashdot or give me death!