Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling User Grown Machines on a Large Network?

Posted by Cliff on from the where-infections-run-rampant dept.

matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"

33 of 611 comments (clear)

  1. responsibility by NetMagi · · Score: 4, Interesting

    You can only separate networks so much.

    If you make them bear some financial responsibility for not checking their machines first this might help.

    1. Re:responsibility by gykh · · Score: 5, Insightful
      If you make them bear some financial responsibility for not checking their machines first this might help.
      Are you sure about that? What are you going to fine for? Not having a secure enough computer? Everyone (i.e. /.) knows security holes appear every week, major ones every 4 months or so. Do you fine someone who just reinstalled windows and was just logging on to download patches and got hit? For getting a virus? How about we tax stupidity next?

      Students go to university to learn and give back some knowledge, not to constantly maintain their tools.
    2. Re:responsibility by Durandal64 · · Score: 4, Funny
      How about we tax stupidity next?
      We do. It's called the lottery.
  2. Simple... by woodchip · · Score: 5, Funny

    just ban users from your network.

    1. Re:Simple... by carpe_noctem · · Score: 4, Interesting

      I know the parent was meant to be funny, but believe it or not, that's what my school did. They unregistered all cards from their DHCP database and are requiring everyone to re-register on condition of passing a brief virus scan to get back on the network. Our network is set up to disallow external routing for any not-registered machines.

      I guess that's what they get for forcing everyone to migrate to XP last year...

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    2. Re:Simple... by mistermund · · Score: 4, Insightful

      At Carnegie Mellon, unregistered boxes are automatically routed to a web page that allows them to do temporary or permanent registration based based on MAC address. Once you register, your machine can access the network and DHCP. This allows for easy monitoring, notification, and disconnection of zombies.

      It's called AuthBridge and runs on a Linux machine with ethernet bridging and real time packet filtering based on the MAC address. See the link for technical descriptions, diagrams, and further details.

      Seems to work quite seamlessly as an end user, IMHO.

  3. Domain logons by kevin_conaway · · Score: 4, Informative

    At my university, at least for the public machines, when you logon to the domain, a script executes that automatically patches your machine and runs fixblast and fixwelch. you might want to investigate into something like that

    1. Re:Domain logons by Spy+Hunter · · Score: 4, Interesting

      I think that this is the perfect environment for an anti-worm. If the spread of such a worm was limited to the college's netblock, it could be easily controlled (luckily computer viruses don't spontaneously mutate) and it could be set to download all needed patches from a campus server, and destroy itself on command from the same server. Something like this could also be worthwhile on corporate networks. Why haven't antivirus companies caught on to this? They could sell customized anti-worms to small-to-medium size network owners. The problems of releasing an anti-worm on the Internet at large don't apply to smaller networks. You can get the permission of all the network admins before releasing the worm, and a central server can be used to control the infection, keeping track of which computers are patched and shutting down the worm when it has done its job.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  4. Ban 'em by larien · · Score: 5, Insightful

    If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.

    1. Re:Ban 'em by jaxdahl · · Score: 4, Interesting

      here at Oklahoma State University, the IT department gave all the RAs in all the dorms and apartments a fix-it CD, all users must run the software on the CD regardless of whether they don't think they have msblast/sobig, etc.

  5. Possible solution by Phleg · · Score: 4, Informative

    Do some intrusion detection on the network--possibly through Snort. If any machine is spamming out MSBlast messages or Sobig emails, drop their connection via MAC address and refuse to give them another DHCP lease. Then, when the person comes in to complain, let them know their computer was infected and flooding the network, and give them a floppy with the proper security patch on it.

    It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.

    --
    No comment.
    1. Re:Possible solution by themassiah · · Score: 5, Insightful

      I was with you until this part: "drop their connection via MAC address and refuse to give them another DHCP lease". Here's a better idea. CALL THEM! If they're running Windows, send them a Messenger Service Message before you cut their connection, telling them to call IT or something. Don't just shut them off, it's bad for your department's image and it's a bad policy when dealing with people.

      --
      - Sometimes you're the pidgeon, sometimes you're the statue.
  6. You could just... by gsperling · · Score: 5, Funny

    ...tell students at registration that Windows machines are not allowed on the network, and that they must install Linux. This will not only clean up your network problems, but it will also give the students a sense of doing the right thing for their computers. Along with their free condoms, give 'em free Linux CDs.

    1. Re:You could just... by Jon+Abbott · · Score: 5, Interesting

      Case in point -- back in 2000, even though I had about four years Linux experience by then, I managed to bring down Internet access for an entire dorm (about 900 students) for a week.

      It all started when I helped a friend install Linux on his new computer. Unfortunately, in addition to installing a DHCP client on his machine, I had accidentally flagged the DHCP server to install as well. What happened was that the DHCP server software on his new Linux box was challenging the Windows DHCP server that the dorm was using, and his machine won -- even though his DHCP server wasn't properly configured to hand out IP addresses to other clients. So, all of these other 900 students would turn on their computers, which would send out a DHCP request, and they would get a response from his computer instead of the real DHCP server, thus causing their computers to give up trying to connect to the network. Ironically enough, his computer connected to the internet fine, as it was the only one connecting to the real DHCP server (I guess that explains his super-fast connection during that week).

      Anyway, we had no idea that any of this was happening until we headed back to his dorm room one day, and found three network services guys looking in bewilderment at the computer (they had never used anything but Windows, so they had no idea how to fix it). They claimed that it took them a week to isolate the problem to his machine. They explained what was happening, and it then hit me that the DHCP server was also running on his machine, so I logged in, apt-get removed it, and the problem was immediately fixed. Not in their eyes though, as they made us talk to the head guy at network services... He gave us fair warning that if we did that again, our access to the network would be revoked (and rightly so!).

      The obvious moral of the story is, whereas most OSes give you just enough rope to tie a knot, Linux gives you enough rope to hang about 900 people. :^)

      --
      Slashdot's first reaction to VMware
  7. one way. by grub · · Score: 5, Informative


    Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth throttled on the routers/switches along the say so the rest of the VLANs don't get choked by home-grown disasters.

    Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.

    Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.

    --
    Trolling is a art,
  8. managed switches by Feyr · · Score: 5, Informative

    assuming your network is switched, and your switch are "manageables" (ie you can log in them remotely)

    you could have an IDS (or similar) with a rule looking for specific attacks (ie blaster). when you detect such an attack, fire off a script that shuts down the user's port on the switch. they'll bitch and moan that they can't access the net but you'll know who they are now and charge them a cleanup fee (make sure to include it in the terms of use)

    another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on mac address and only give them access once they passed the test. it does require more ressources tho, and ideally you'd still need the first option (in case where someone reinstall windows)

  9. Deny them DNS services by eaglesnax · · Score: 5, Interesting

    I think this was one of the approaches Stanford was going to take. No DNS for your machine until you get it checked out by their IT department.

    Chris

  10. Re:forcefully by bob670 · · Score: 5, Insightful
    Then who supports them when the latest Windows update hoses thier machine? It happens less than it used to, but I have one client who lets auto updates run, and one patch in paticular (810577) has brought network browsing to a crawl. We have done literally hundreds of test and narrowed it down to this patch, but neith the knowledge base, user community nor a direct (and expensive call) to MS support can fix his issue. Now he has users screaming about slow network browses to files and folders, time outs hitting their home-brewed data base and his phone never stops ringing. Now mulitply that by the body of a college campus?

    You'll need something more reliable than Windows if your plan is to mandate that sort of thing.

  11. I'm actually wanting to know the same thing, but.. by aetherspoon · · Score: 4, Interesting

    ... from another point of view.

    I'm a student at a university whose dorm network got nailed by blaster something fierce. Almost as bad as it was Klezed a couple years before. Anyways, because of all of this, the sys admins decided to completely eliminate the dorm network from the upper campus one - also cutting off 'net access - during school hours. This is a real big pain in the butt, and I'm actually hoping there are some great answers in this topic so I can give them to my sys admin.

    Of course, compounding the situation are seemingly (dunno if they actually are or not considering I've never even SEEN one before) incompetant dorm techs taking an entire day to clear out just one dorm building of ~50 rooms (2 people per room, but often less than 2 PCs per room...). Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

    I'm just annoyed because my room (along with my entire hall since I'm the resident 'hey, call him!' computer geek and have patched everyone) is completely free of blaster and its ilk, yet I have to deal with the people who either don't know to patch Windows often, or don't care.

    How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health classes' STD safety course, apply to computers basically), and I'm ineligable to become a dorm tech right now... anyone?

    --
    --- Ãther SPOON!
  12. YES, THAT'S A GOOD IDEA by YOU+ARE+SO+FIRED! · · Score: 5, Funny

    "Along with their free condoms, give 'em free Linux CDs."

    "Here. You'll never use this first item if you choose to use the second item. Have fun, and welcome to college."

    You are sooooo fired.

  13. DHCP tricks by TheSHAD0W · · Score: 5, Funny

    You ought to be able to tweak your DHCP so you can block machines that are broadcasting this badly by telling them their default gateway is localhost.

  14. start with the freshman handbook by b17bmbr · · Score: 5, Funny
    Chapter 2 Personal Computers
    No personal computers will be allowed unless they are running Linux, FreeBSD, OS X, or another variety of *nix. If you are bringing a PC, please see the installtion CD in the back of the Freshman orientation handbook. For installation instructions, find the guy in your dorm with long hair, glasses, birkenstocks, and a penguin on his shirt. For payment, beer will usually do. Or, if you are under 21, and can't find someone to buy for you, perhaps a bag of Starbucks will suffice. However, if you are a female, just acknowleging him at least once during the semester, when you are with your friends will be plenty.
    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  15. Post lists by Maxwell'sSilverLART · · Score: 5, Funny

    Assuming you can identify the port from which the infected traffic is coming, post a list of all infected rooms on the front door of the dorms, with an explanation that "these computers are causing your network to suck."

    The problem will be fixed.

    --
    Moderate drunk! It's more fun that way!
  16. Great idea, but... by aetherspoon · · Score: 4, Interesting

    ... when you go to a university where you do not log on to a domain in dorms.
    I've found that to be very common (including the Uni that I'm typing this at) since it is MUCH easier to set freshman up on movein day.
    Also, certain things do not work when you start logging onto domains. Example: XP's fast user switching. You'd have students complaining about the administration restricting their rights to their own computer, blah blah blah... then on top of it, automatically patching something. Legal nightmare. Works great for lab PCs, horrid for dorm PCs.

    --
    --- Ãther SPOON!
  17. What is happening at my university... by acehole · · Score: 4, Informative

    When the blaster worm hit, we had to work for a few days to clear the thing from the staff network.

    Now that we well and truly cleared it after much scanning to make sure, we've moved on to the on-campus student's network.

    We have to physically go to each room, patch and scan to remove both blaster and welchier.

    It's both an annoyance for us and the students who pretty much treat us like unwanted guests on their pcs.

    --
    Be you Admins? nay, we are but lusers!
  18. Re:forcefully by Samari711 · · Score: 4, Insightful

    what about the seniors who are still running 98. then you also end up slowing down student machines and you get a bunch of unhappy students. micromanaging a few thousand computers who's specs are all over the board will cause more headaches than it solves

    --

    I never said I was smart, I just said I was smarter than you

  19. Inspection by DaHat · · Score: 4, Interesting

    For years, the last thing the admins at my university wanted to do was inspect each computer before it was permitted to be on the network. This year they have broken down and are doing so, to be connected (wired or wirelessly) one of their employees must inspect the computer and make sure that they are not only completely patched, but also that they are running antiviral software (Norton ONLY).

    This is of course great in theory, until a week later when someone formats, 'forgets' to patch, brings their computer home, gets re-infected and comes back to school.

    Until patches become mandatory for many of these users, there is no way to prevent such a thing... short of finding the virus writers and skinning them alive during prime time, that might make some of these script kiddies think twice before doing what they do.

    --
    Help Brendan pay off his student loans
  20. Here is what we do by Anonymous Coward · · Score: 5, Interesting

    In our residence halls, we have about 7500 people. What we have done is make a series of VLANs, centrally administered by VMPS. We have the regular VLAN for a building's users, a quarantine VLAN, and a blackhole VLAN. As we detect users that are infected, we move them to the quarantine VLAN where we have colocated a quarantine webserver via an 802.1q trunk. This server provides them with all the patches, av software and latest DATs. Once installed, the resident "signs" with their campus ID to verify that they have installed the various fixes, and they are moved back. If someone languishes in the quarantine VLAN for too long, we move them to the blackhole VLAN (which is essentially a defined VLAN that isn't trunked anywhere so VMPS can still legally place them there).

    This segmentation has helped dramatically. At one point, we were blocking nearly 800,000 icmp echo requests outbound/sec across all interfaces. Now? around 1k/sec. And that's over the last week.

    Now if I could just get past the residents who:
    1. Don't fix themselves because it was too much to read.
    2. Don't know how to use a web browser
    3. Don't know what a scroll bar is (!!!)
    4. Don't contact us for help, but instead go to the President and Provost's offices.

    Hang in there, segmentation helps dramatically.

  21. Public humiliation by Aceticon · · Score: 4, Interesting
    Forget about financial responsability. There is a simple, 2 part solution:
    1. Make available and easily accessible in your intranet the resources to keep their systems up-to-date and virus free - patches, Anti-virus, personal firewalls
    2. Publish in the most visibile place in the dorm buildings weekly compilations with the names of the "Most inept computer users in this dorm". Maybe you can spice it up with an introductory text that gives the impression that when you're saying "most inept" you actually mean "dumb as a door-knob"


    Naturally, if you're the BOFH type of network admin you can skip the first part ...
  22. So tired of this joke... by JaredOfEuropa · · Score: 4, Insightful

    You never played the lottery? Let me ask you another question.

    Do you have any kind of insurance?

    But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.

    I know I know, it's just a joke. Well, I just had to get this off my chest.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:So tired of this joke... by HardCase · · Score: 4, Informative
      But surely you know that, like a lottery, insurance works because on average people pay more money into it than they receive from it. Lotteries and insurance are both gambles... except that in a lottery, you bet on good fortune. With insurance, you bet against bad fortune. In both cases, the expectancy value is less than 1, but in both cases you'll be damn glad you subscribed when your number's up.


      Yes, but the key difference between insurance and the lottery is that the dangers that you purchase insurance protection for are real and have a statistically significant chance of occuring to you. The lottery ticket that you buy provides you with a statistically insignificant chance to win a pile of money.


      I agree that I would be pretty darn happy to have the winning ticket or an insurance policy if either one paid off, but my chances of needing the insurance are significantly greater (by orders of magnitude) than are my chances of winning the PowerBall.


      That doesn't even consider the different insurances that we are required to have by law or by contract. Get pulled over by the police without liability insurance and see what happens. Try to get a mortgage on a house without homeowner's insurance. How about getting a bank to finance a car without comprehensive and collision coverage? They require that coverage, not because the chances of needing them are greater than zero but because the chances of needing them are significantly greater than zero.


      Just food for thought, the Department of Transportation says that about 20 million vehicles are involved in accidents each year and an individual driver can expect to be in one, on the average, every six years. So, if I pay my $40 per month in liability insurance on my car, in 72 months I'll have paid $2880.00. Earlier this year, my wife got hit by a car in a low speed collision. After the medical bills, repair bills and rental car bills were paid, the grand total came out to be about $8000.00. Now, our insurance didn't pay, but you can bet that the other driver was damn glad to have a liability insurance policy.


      -h-

  23. Re:To start with .. by benhaha · · Score: 4, Informative
    what happens if a patch is bad and you suddenly have several thousand students show up screaming "your patch killed my machine with my term paper on it!"?

    This happened to a friend of mine recently, only it was a hardware fault. The fact is that after fans, hard disks are the most failure-prone pice of equipment in the computer.

    There is only one thing you can really do about this: Back it up.

    If you are likely to be on the receiving end of the complaints, you may find it helpful to provide a backup service. It should consist of the following components:

    • A password-protected location on the University's servers for each user where they can store X MB of data of their choice.
    • Both Redundant storage and regular backups of same.
    • A policy for what users may store there.
    • An explanation of how to use the service, using, for example, NTBackup (free with XP) or similar software which is included with the operating system in question.
    • Agreement in principle from the faculty that tutors, administrative staff, or IT staff will assist in the backup process. (Automating it might be a project for a couple of first year CS students).
    • A document (electronic or otherwise) explaining all the above and making it clear that:
      1. The university requires them to run certain software, including up-to-date patches and virus scanners. The university recommends other software, such as personal firewalls.
      2. The backup service is available in case they have any problems, in particular problems related to software the university requires them to run, or recommends, but also other problems.
      3. It is the student's responsibility to run backups. If the student has not backed up recently and a problem occurs for any reason it is their own responsibility.
      4. They should ask their study partners tutors for assistance with the backup process if they don't understand it. Getting help is also their own responsibility.
    • Regular/occasional emails and paper memos reminding the student of these facts. Get the student newspaper involved: It's much better if they run an education campaign rather than criticise you afterwards for doing too little.

    Remember, the more the student body is involved and empowered (euphemism for being told it is their own responsibility), the less you will have to do about it.

    If you really want to over-egg the pudding you might even make versioned backups available, so they can find what they had six weeks ago -- might be useful for some.

    Good luck.

    --
    NO ID: BEING FREE MEANS NOT HAVING TO PROVE IT
  24. Re:No more by arivanov · · Score: 4, Informative

    Not really an option. And an incorrectly managed linux machine on an academic network can be almost as big threat to the outer world as windows. I am speaking out of experience as I have dealt with OC3+ floods coming from zombies in student dorms long before people started to apply "voodoo" to windows machines. It was linux, bsd, solaris and other unix systems in those (pre BO) times. Quite oftent it still is.

    Still, you can very easily deal with it.

    1. Move dorms to private addresses so that you do not have an address space constraint as the next step will eat addresses like there is no tomorrow.
    2. Subnet the network into a small salad and put each slice of the salad into a separate VLAN.
    3. 802.1q the vlans up to a linux box, bsd box or a cisco that has enough grunt to filter (72xx VXR or similar comes to mind, bigger ones have a hard time filtering, smaller ones cannot handle the bandwidth).
    4. Filter on all 802.1q interfaces on the linux/bsd/cisco.

    As a result you contain any clap to a small subnet.

    Note that everybody will hate you initially. People definitely did hate me 8+ years ago as this was one of the things I did to deal with a similar problem (one dept in the building I managed was being hacked left right and center).

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/