Stopping Malware Before It Hits
SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."
Belkin beat him to it.. Though, their system goes one step further: rather than filter out unwanted data it turns it into precious precious ad revenue.
i predict they'll be slashdotted within 5 minutes...
By Tony Fitzpatrick
A computer scientist at Washington University in St. Louis has developed technology to stop malicious software - malware - such as viruses and worms long before it has a chance to reach computers in the home and office.
John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data.
'The FPX uses several patented technologies in order to scan for the signatures of malware quickly,' said Lockwood. 'Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data quickly. The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second.'
Computer virus and Internet worm attacks, such as Nimda, Code Red, Slammer, SoBigF, and MSBlast have infected computers globally. It can take weeks to months for IT staff to clean up all of the computers throughout a network after an outbreak. The direct cost to recover from just the 'Code Red version two' worm alone was $2.6 billion.
Existing firewalls do little to protect against such attacks. Once a few systems are compromised, they proceed to infect other machines, which in turn infect others, so the worm quickly spreads throughout the network.
'The number of infected computers will grow exponentially unless contained,' Lockwood said. 'In the case of SoBigF, over one million computers were infected within the first 24 hours and over 200 million computers were infected within a week.'
'Placing the burden of detection on the end-user isn't efficient or trustworthy because individuals tend to ignore warnings about installing new protection software and the latest security updates,' Lockwood pointed out. 'New vulnerabilities are discovered daily, but not all users take the time to download new patches the moment they are posted. It can take weeks for an IT department to eradicate old versions of vulnerable software running on end-system computers.'
The high speed of the FPX is possible because its logic is implemented in Field Programmable Gate Array (FPGA) circuits, Lockwood explained. The circuits that scan and filter Internet traffic for worms and viruses operate in parallel rather than one instruction at a time.
Lockwood's group has developed and implemented circuits that process the Internet protocol (IP) packets directly in hardware. They have also developed several circuits that rapidly scan streams of data for strings or regular expressions in order to find the signatures of malware carried within the payload of Internet packets.
'On the FPX, the reconfigurable hardware can be dynamically reconfigured over the network to search for new attack patterns,' Lockwood said. 'Should a new Internet worm or virus be detected, multiple FPX devices can be immediately programmed to search for their signatures.
'Each FPX device then filters traffic passing over the network, so that it can immediately quarantine a virus or Internet worm within sub-networks (subnets). By installing just a few such devices between subnets, a single device can protect thousands of users. By installing multiple devices at key locations throughout a network, large networks can be protected.'
The FPX itself fits within a rack-mounted chassis that can be installed in any network closet. When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a web-based interface to control and configure the system.
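The article describes the two things the FPX does in hardware: it tracks the state of each Internet flow and searches packet payloads for fixed strings and regular expressions. The following Python is an added example, not the FPX design or code from Lockwood's group, modelling that combination in software: a per-flow scanner that keeps a tail of already-seen bytes so a signature split across two TCP segments is still caught, and that reports a sequence gap instead of silently losing coverage. The signature set, packets, addresses and the `FlowScanner` class are constructed for the example.

```python
"""Software model of a flow-aware, signature-based payload scanner.
Added example code, not the FPX design; signatures and packets are constructed."""
import re
from collections import defaultdict

# Constructed signatures: fixed byte strings and regexes over raw bytes, so
# matching never depends on a text decoding of the payload.
SIGNATURES = {
    "demo-fixed-marker": b"EXAMPLE-WORM-MARKER",
    "demo-traversal-cmd": re.compile(rb"GET /[^\r\n]*\.\./[^\r\n]*cmd\.exe", re.I),
}


class FlowScanner:
    """Scans TCP payloads per flow, keeping a tail of bytes already seen so a
    pattern that straddles two segments is still caught. Segments are expected
    in order; a sequence gap resets the flow and is reported, so lost coverage
    is visible rather than silent."""

    def __init__(self, signatures, window=128):
        self.signatures = signatures
        longest = max((len(s) for s in signatures.values() if isinstance(s, bytes)), default=0)
        self.window = max(window, longest)   # tail must cover the longest fixed pattern
        self.tail = defaultdict(bytes)       # flow key -> retained trailing bytes
        self.next_seq = {}                   # flow key -> expected next TCP seq

    @staticmethod
    def flow_key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def scan(self, pkt):
        """Return a list of (signature name, flow key) hits raised by this packet."""
        key = self.flow_key(pkt)
        seq, payload = pkt["seq"], pkt["payload"]
        hits = []
        expected = self.next_seq.get(key)
        if expected is not None and seq != expected:
            hits.append(("reassembly-gap", key))   # lost or out-of-order segment
            self.tail[key] = b""
        self.next_seq[key] = seq + len(payload)

        old = self.tail[key]
        data = old + payload
        for name, sig in self.signatures.items():
            if isinstance(sig, bytes):
                pos = data.find(sig)
                while pos != -1:
                    # Report only matches ending in the new bytes; anything that
                    # ended inside the retained tail was reported on an earlier packet.
                    if pos + len(sig) > len(old):
                        hits.append((name, key))
                        break
                    pos = data.find(sig, pos + 1)
            else:
                for m in sig.finditer(data):
                    if m.end() > len(old):
                        hits.append((name, key))
                        break
        self.tail[key] = data[-self.window:]
        return hits


def demo():
    """Feed constructed segments of one HTTP flow through the scanner and
    return the hits, in order."""
    scanner = FlowScanner(SIGNATURES)
    flow = {"src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 80}
    segments = [
        b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",  # benign
        b"POST /upload HTTP/1.0\r\n\r\n...EXAMPLE-WORM-",           # first half of marker
        b"MARKER...",                                                # second half
        b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    ]
    hits, seq = [], 1000
    for payload in segments:
        hits += scanner.scan({**flow, "seq": seq, "payload": payload})
        seq += len(payload)
    # A segment whose sequence number skips ahead resets the flow and is reported.
    hits += scanner.scan({**flow, "seq": seq + 500, "payload": b"MARKER"})
    return hits


if __name__ == "__main__":
    for name, key in demo():
        print(name, key)
```

The retained tail only needs to be as long as the longest fixed pattern; a regex that can match an arbitrarily long span would need a larger window or a bounded form. Payloads that are encrypted, compressed or otherwise encoded are outside what a scanner of this kind sees at all, which several of the comments on this story point out.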
A greased yoda doll, presumably for shoving up your ass, can be found here.
They've invented an Intrusion Detection System. Useful, but what's so special about this one?
Who does the reprogramming of the device; the end user or the company that make the device? For security, I'd rather it be the end user.
Also, shouldn't they make a cheap version for home users since those are the machines that are most vulnerable?
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Sounds like a nifty piece of hardware. Put one at the front of your network, and reduce internal bandwidth wastage from propagation of virii/worms inward. Even if all your stuff is patched, this could help keep all your servers from having to listen to the worms and script kiddies several hundred times a second. ;>
I suggest enlightening the users about malware while they download it. Let's go for the Pavlov effect and hook the hardware platform up to a pellet gun, tazer and a program which mails the squid logs of the current day of said victim to his/her mother/SO. Users learn so much easier that way...
Hate me!
2) How do you plan to adapt your hardware once the creators of Malware adapt to yours?
3) How much will this *really* slow down a LAN or Intranet? Not "it shouldn't slow it down at all" -- I mean real-world tests?
Condemnant quod non intellegunt. (They condemn what they do not understand.)
Did it verify that Windows is mal-ware?
What about Windows-update?
These are hard questions that we need to know...
The views expressed are mine own and do not express the views of my employer.
hardware device will fail to notice it unless it has an update. Same problem for antivirus software. A new worm will get past it until they teach the device to see it. Snake oil.
...one of my professors introduced me to Scott Savage, the creator of the OOPIC. He wanted us to brainstorm on a security implementation for his device. I suggested something similar, but since the OOPIC is most often used in robotics, he wanted something for physical access security since that has been a hot topic since 9/11 and I work for a company whose primary business division is security guards. Unfortunately, he didn't go for it and I ended up submitting a P2P security article to CACM which got accepted but has not yet been printed (they advised it would be 14 months or so, so I'm anxious!).
Lockwood is a smart guy. When I was an undergrad, I had him as a professor when he was at U of I (I was surprised he wasn't there anymore). ECE 291 was one of the coolest classes offered. I haven't read his paper yet, but it looks like it's a two-edged sword that could be used to restrict transfer of any data, and someone still has to program the filter...
For non geeky types, here is how it works.
As part of the TCP/IP connection specification, each Ethernet cable has exactly 65,536 small fibers. To send data, a program must tell the network card to "pluck" the fibers 5000 times a second to send data.
Now viruses pluck usually unused fibers to confuse the network card. Once it is confused the virus can execute itself by running on the firmware of the Ether, which sends rogue Assembly instructions to the GBX register on the CPU which is an illegal instruction. This disables the ECIR and RIF jumpers on the motherboard. Then it can pluck all the wires at the same time, which of course causes a D-DOS attack.
Now you know how it works, get a Firewall to stop the wrong fiber being plucked.
They claim that the product is able to 'scan data quickly ... uses hardware, not software to scan quickly ...'.
This product seems entirely built upon PHB fear of technology - it's a rack-mounted unit that scans network traffic looking for rogue packets/signatures. So to do this effectively, you'd need one of these devices in place _for every router, firewall and computer to computer connection_ - along with some way to travel into the future to obtain the signatures of all the viruses of the future.
I just don't see how this is securing a network against viruses and worms. The best thing corporates can do (who I guess this particular piece of IT jewelry is aimed at), is lock down the desktop as far as they can go, and have a sensible patch system in place to roll out automagically.
I mean, when "Travelling Salesman Dixie" brings his laptop back from the wild of the Sales Conference and plugs it in, do they honestly think that having it in hardware, rather than software, will cover their asses?
Full marks for receiving funding though. I'm probably just bitchy cos I didn't think of it.
How is it "stopping malware before it hits" if the FPX is detecting current activity and filtering it? That's reacting to malware after it has already begun to spread.
Here.
Well if Microsoft can't tighten up their OS, maybe someone else can.... Indirectly of course
While in theory this is a great idea, in practice it's likely to be less great. I commonly get sent reports that .ZIP files used in ZipSlack (which have never seen a Windows machine in handling by me), are infected with viruses. This is because "signatures" thought by virus scanning companies to be unique are a lot less unique than they imagined.
If something like this is ever implemented on a wide scale, expect the system to refuse to allow random non-malware files to be used, transferred, or handled, in those cases where they happen to match a banned bit-pattern. Files and emails might even be silently dropped with no notification at all, depending on the implementation (and with an eye to history).
I have thought of this approach also. Good idea.
Firewalls can't do it all.
Now if it also filters out SPAM, it would become the hottest device on the market.
I am not against freeware -- far from it. However, I would say that there is freeware addiction out there that opens the doors to malware. Moreover, I am not against this product; it will certainly be helpful. Yet, those who put their trust in yet another algorithm will certainly get bit again, albeit in some other way.
cheers, potor
If I weren't so damn lazy I'd type out a first post troll for the Gay First Posters of America.
Please explain.
A post that derides Apple users/platform is instantly modded down, never seeing the light of day. Yet whenever a Mac user cracks an equally unfunny "joke", some stupid mod thinks its hilarious and mods it up.
Quoting from the abstract of the paper:
FPGA logic is used to implement circuits that track the state of Internet flows and search for regular expressions and fixed-strings that appear in the content of packets.
So apparently this hardware can only recognize patterns programmed beforehand (which makes a lot of sense). However, a problem would arise whenever an original piece of malware is released into the net. I mean, how do they plan to identify and program new strings into the machine before the systems behind it are infected? Worms tend to expand fairly quickly...
Further insight is always welcome.
I am rather surprised at the commentary so far on this device, given the usual tone of responses made on slashdot that I have seen.
This device appears to be, at heart, a box that is put in along side the routers to filter out content that the owner of the device does not want to be sent over the network. It is capable of looking for specific patterns of data and blocking the transfer of the data based on that in real time.
Is this not precisely what one would use to filter out, say, unwanted political documents going in/out of China? To, say, spot a specific MP3 file being traded on a P2P network and stop it?
Other comments seem to suggest people think this might actually be a workable, good idea -- guess folks are finally realizing that the Internet cannot route around all forms of censorship after all, if they think this will work.
Better idea is for there to be some sort of ban on people that spam. We need a powerful regulatory force. Prevent them from even accessing the net for a certain time or FINE them big money for all bandwidth they suck up.
We need a 'do not call list' with teeth for the web.
When I read the title I thought, YAY! A filter to kill Gator and related scum before they're installed.
But when I RTFA, I see that it's only good for worms and viruses. I'll take worms and viruses any day over Gator. You know, because GATOR IS SPYWARE. bwahaha.
Which brings me to the question:
Can you write your own virus def's? I'd like to see an app that edited your favorite virus scanner's defs and added signatures for Gator, WhenU, etc. That would be so cool.
----------------------
VIRUS DETECTED!!
Win32.Spyware.Gator.B
Clean Failed.
Delete successful.
Access denied.
----------------------
stock markup fraud execrable hypenosys.
doesn't leave much to read about here.
no matter, everything's changing rapidly, despite the insidious attempts of the felonious greed/fear/ego based corepirate nazi walking dead, & their monIE sucking bootlickers, to pretend otherwise.
lookout bullow. get ready to see the light.
> prevent malware from reaching the network
As an alternative solution, you can hire a big, fat, bald guy, whose job is to push the Microsoft and Oracle salesmen down the stairs.
Didn't Fortinet already do this???
Arf!
I realize this was at the end of the article and reading the article at all is something not done much around here so:
"When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a web-based interface to control and configure the system."
So no, you don't have to worry about false positives making you miss something unless you tell it to not warn you before doing something.
Ben
Work Safe Porn
I hate programs that get stuck in infinite loops. Now, with this software, I'll just scan for these pieces of malware, and stop them from being sent over the network.
Finally, a solution to my Halting Problem!
-what? is this thing live? I love Big Brother.
Friends don't help friends install M$ junk.
Dear Apple,
I am a homosexual. I bought an Apple computer because of its well earned reputation for being "the" gay computer. Since I have become an Apple owner, I have been exposed to a whole new world of gay friends. It is really a pleasure to meet and compute with other homos such as myself. I plan on using my new Apple computer as a way to entice and recruit young schoolboys into the homosexual lifestyle; it would be so helpful if you could produce more software which would appeal to young boys. Thanks in advance.
with much gayness,
Father Randy "Pudge" O'Day, S.J.
as malware? Say MS or any other abbreviation that is interested in declining access to competitive data just filter it. Adding a number of these devices to echelon or selling a few to repressive governments. You get the picture
We all know every piece of software can be represented via hardware, i.e. hardware encoding/decoding. This would be faster and somewhat more secure than traditional IDSes but come on, it still has the same downfalls as those as well. Recognizing patterns isn't easy if it is a new pattern. This isn't going to be put in widespread use for the simple reason that it would be and is cheaper to use software IDS systems. It's a neat idea but obviously the PhD in him forgot the realities of a consumer world. If something else already does what your system does possibly for cheaper and all you can offer is an ounce of faster speed and an ounce of better security over those software systems...you don't exactly have any killer consumer product on your hands.
Riiiiight.... So what exactly is controlling the hardware? Lemme guess... A few lines of code, some syntax, some commands... You know... Software.
"Maybe if we put our system in a shiny box with cool LEDs instead of a rackable server like everyone else, we can call it breakthrough technology!"
Step 1: Reinvent the wheel.
Step 2: Patent it.......
etc.
Do you or your partner snore? - Visit www.snoring.com.au
...with flexresp2, implemented in hardware? I confess I have not read the pdf, but I have read the article.
http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/
to quote:
Active response is not guaranteed to successfully terminate connections. Snort is a passive system, except when used in 'inline' mode. In a passive configuration, the process of active response is a race between Snort and the endpoints in network communication. Depending on the CPU and/or bus speed of a system running Snort, available memory, I/O states and network latency Snort may or may not win this race in which case active response will have no effect.
Active response is a supplementary tool, something deployed in addition to other security technologies. It should not be solely relied upon to protect systems or services that are known to be vulnerable.
The process of transmitting active response packets will "block" the rest of the system, meaning that while Snort is busy sending TCP reset or ICMP unreachable packets, it is unable to capture packets and perform other intrusion detection functions. The amount of time spent performing active response is extremely small (measured in milliseconds) but can result in a degradation of performance in high-speed environments.
Ok so he built a really fast sort of flashable memory hardware virus scanner. It will be lightning fast but will it not be extremely expensive? I can't see the speed benefit outweighing the cost of the unit. But I'm not an EE so can someone who is tell me if it can be done cheap?
Slashdot, home of supporters of free software, free music, and free speech. Except for moderators that disagree with you.
Now dance, Spider, you little fuck!
YOU FAIL IT
you spacker
No restraint needed - once goatsed, twice shy...
:)
Are you talking about having personally seen that well known picture? Or some other personal experience where no restraint was required???
This is similar to what I was thinking.. I never expected to get this far without anyone mentioning snort and Hogwash. Snort, being the open source IDS, and Hogwash, being an add-on that alters traffic as it passes through the IDS, based on customizable rules. It modifies the malware or just removes it before it gets passed onto the main part of the network, thus killing all virus infection attempts as they enter the network (and as any kind of unencrypted traffic -- web, smtp/pop3, etc) long before your users get around to updating their virus definition files.
Intelligent Life on Earth
It sounds like a traditional signature-matching IDS with most of it implemented on a FPGA. This isn't such a big deal - it won't "stop malware before it hits" because signatures still need to be installed on the device. An implementation on a FPGA is great for speed - which would make this device great for mitigating worm attacks, but the FPGA may constrain its utility as an IDS - it would probably lack capacity to perform some of the trickier IDS techniques (e.g. looking inside compressed or encoded content, traffic normalisation, etc.) The linked article was little more than a marketing blurb, so its hard to tell.
'Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data quickly. The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second.'
And:
'The FPX itself fits within a rack-mounted chassis that can be installed in any network closet. When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a web-based interface to control and configure the system.'
no matter how much they put into this, someone will figure a way around it.
They mod up an anti-PC troll, but mod down an anti-Mac troll.
This is typical of academia: they don't understand the problem, but they are quick to come up with a solution.
Software-based products already can handle the 2.4 Gbps rate this "hardware" solution claims. So there is nothing new there.
Moreover, this solution doesn't handle important problems such as fragmentation of packets or polymorphic coding techniques -- both widely used by hackers, but handled by existing network intrusion detection systems.
Most importantly, it doesn't handle the fact that most trojans are recompiled to evade signatures.
Finally, and most damaging, the quality of an intrusion detection system is determined by the research that goes into it. Most vendors already have trouble keeping up with the research abilities of the open-source Snort community or the closed-source X-Force (the research division of Internet Security Systems, which is tightly integrated to government research).
I wonder if it can filter dupes and leftist banter from /. postings.
one of the major selling points of WatchGuard products when they were initially introduced was the fact that the appliance was bright red, and had a lot of blinky LEDs on the front plate
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
After speaking to one of the chaps behind ddos.com I'm very excited by this kind of emerging technology: essentially ethernet/fibre "filters" which can scan and dump "unwanted" traffic without a noticeable lag on the network. I'm less excited by how much it costs at the moment: $18k list price for one of the 100Mb boxes at DDoS.com, but I suspect as competition opens up, the waffle about exciting and complicated patented technologies will give way to a decent and open discussion about the best algorithms for doing this.
As an example of the current waffle on this topic, the white paper at ddos.com promises in one of their upcoming *cough* products a wire-speed spam filter which is 100% accurate and needs no training. Sure, sure... it's this ridiculous claim which calls into question the "zero training" aspect of their DDoS prevention-- I'm sure some configuration and known "signature" patterns of abusive traffic will help matters.
I'm not here to pick on ddos.com, I'm sure they have an excellent and useful product. But since they are one of a very small number of people with such a product, they are prone to making wild claims and charging extortionate fees. I'm convinced a Linux/BSD kernel module could achieve the same effect and I'd be very interested to see the algorithms, training and so on needed to achieve it. But for the moment we're still subject to these pretty wild claims without much in the way of algorithmic detail.
Matthew @ Bytemark Hosting
$5 / month hosted VPS on linux = awesome!
>Perhaps because of the end user? How many joe sixpacks do you know with a properly configured firewall, an up-to-date AV program, and have even heard of AdAware?
Classic blame the victim mentality. How has the industry served "joe sixpack" pray tell? This game has gone on long enough, we're looking at 4 months before an MS patch reaches critical mass in corporate America and even longer times in the residential market. Instead of constantly berating the end-user, someone has come up with a better solution. Beating the donkey only gets you so many results (I would say it doesn't get any better than it is now) and keeping this attitude makes many people in technology look like snobs and elitists.
Not to mention many malware and viruses find their way through the firewall/AV anyway. This week's "You didn't patch your OS fast enough" is next week's "You didn't patch your firewall fast enough." or "Don't open attachments, even from people you know" to the highly condescending "Well you should be using Linux." Ad nauseam.
>It's a lot easier to release new AdAware definitions than it is to patch a piece of hardware
Sure it is, but Ad Aware et al are for end users, this device is for sys admins. I think they should be skilled enough to take care of it. Not to mention it sure beats the current "solutions."
Seems this device would be ineffective if the data stream were encrypted.
To stop all that mp3 sharing!
from article: Computer virus and Internet worm attacks, such as Nimda, Code Red, Slammer, SoBigF, and MSBlast have infected computers globally....Existing firewalls do little to protect against such attacks. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread throughout a network.
Maybe I'm misinformed but I thought that a worm like MSBlast and Co. attacks thru SMB/CIFS protocols by the 13x family of ports. Any self-respecting netadmin blocks those from external access. Am I right or wrong on this? Granted some of those attack thru legit ports like 80, but a firewall is not TOTALLY useless against ALL worms!
Here we go again!
I go to Wash U in St. Louis and actually know one of the guys working on the project. I've also met Jon Turner, however I haven't met Lockwood. He and some other professors sold some ATM technology to Cisco back in the dot-com era and got crazy rich.
Anyway, you can find out all about their project at the Applied Research Laboratory FPX website:
http://www.arl.wustl.edu/arl/projects/fpx/
You'll find additional references to the FPX on my blog, in "Stopping Computer Viruses Before They Reach You." And because some comments mentioned speed as an advantage of such a solution, here is a quick excerpt: "The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second." My summary also contains a photograph of an FPX module.
By using FPGAs to scan network traffic (not a new idea, by the way), the device looks for fixed signatures much faster than an equivalent software solution can do so (yes, software may control it, but the actual "decisions" are made by hardware. Think level 3 switch). I'm guessing there's probably some sort of state engine implemented in the FPGAs (I haven't kept up on field-programmable logic), and optimization to look for multiple signatures in parallel, but that's just a guess. It's no different in theory from a virus detection add-on to a mail transfer agent that uses fixed string (as opposed to regex) detection, it's just much more efficient.
Because there's no regex capability, any attempt to use this box for censorship will fail. For example, suppose your upstream programs in a ruleset to match "nuclear". Fine, just pull a Dubya and use "nucular", or "nuke", or "nook-yoo-lar". Problem solved. Or for that matter just zip, tarball, or rot-13 encrypt your file before sending it.
Furthermore, no actual signature would be this short; the false positive rate would be enormous. In practice expect signature lengths of 64 bytes and up, which is what we use when scanning email traffic for viruses.
Why is this a good thing? Keep in mind this is NOT intended as an end-user box, it's intended for network providers. As one, I can tell you that viruses and worms cost real money. Even when we do disable customers for virus activity (and invariably piss off most of them), it takes time to detect and do this. It also takes staff hours; tracking down the customer's username isn't always trivial (RADIUS accounting packets get lost, some outsourced dialup providers send accounting data only on termination, and open wireless points are a huge pain)
For example, Nachi sends out vast numbers of ICMP pings to sequential IP addresses, which rapidly fills the IP cache and depletes the memory of many Cisco routers (why they cache IPs for ICMP is beyond me, but they do, and the patch -- which requires a maintenance contract to get by the way -- doesn't work very well). Watching multi-kilobuck routers die repeatedly because a handful of customers have a worm is NOT my idea of a good day. And don't get me started on mail server load.
I don't know what price they're going to ask for this, but if it's reasonable ($10K or lower) it could easily pay for itself in six months for us. Even if it's an order of magnitude pricier, larger NSPs will probably snatch them up if they work. Trying to do this in software with the same bandwidth (the article quoted 2.4Gbps, right?) may well cost more, esp. when you have to drop a couple of OC-whatever cards in your linux box, harden it, and make sure it never *ever* goes down.
And ye shall all bow at the Altar of Shiny Blinkiness
Seriously, all are available free: put them on your family's PCs and educate them in their usage. Kerio Personal Firewall's reasonably idiot-proof, AVG antivirus excellent, and AdAware 6 just works. All free for personal use...
Now, all we need is the big OEM people to ship with their PCs and provide a quick tutorial.
But you're still downloading our malware.
Enjoy!
Ironically, the word ironically is often used incorrectly.
When I got to work on a fairly big IDS system on a 50,000+ node network, the IDS vendor released an update to their ruleset.
Someone goofed, and the rule to flag requests for things like /etc/passwd and /etc/shadow was really broadened. Every time the IDS detected a packet with the word "shadow" in it, bang! It flagged it.
:)
:)
In our case, it was particularly annoying because the entire intranet used a webpage template that had dozens of references to "shadow.gif" (I think it was for bordering and layout). The web devs weren't too pleased when we asked them to change several thousand pages
Now, extend this to an IPS which removes the offending packets. Suddenly our intranet would have been entirely offline. I could see this taking days to figure out why.
Damn, guess I'm lucky I didn't work for a company with the word "shadow" in their name
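The rule update described in this comment is a standard failure: a signature meant for requests that reach /etc/passwd or /etc/shadow is loosened to the bare file names, and every request for shadow.gif matches. The following Python is an added example, not code from the comment or from any IDS vendor: it runs a ruleset over a small labelled corpus of constructed request lines, counts true and false positives per rule, and only clears a rule for drop mode (the IPS case the comment raises) when it hits no benign sample and misses no attack sample. The rules, request lines and the `evaluate`/`safe_to_block` helpers are constructed for the example.

```python
"""Validate IDS signatures against labelled sample traffic before enabling
drop mode. Added example code; the rules and samples are constructed."""
import re

# Constructed sample request lines. "benign" mimics an intranet whose page
# template references shadow.gif; "attack" is what the rule should catch.
SAMPLES = [
    ("benign", "GET /img/shadow.gif HTTP/1.1"),
    ("benign", "GET /css/box-shadow.css HTTP/1.1"),
    ("benign", "GET /search?q=shadow+puppets HTTP/1.1"),
    ("benign", "GET /index.html HTTP/1.1"),
    ("attack", "GET /cgi-bin/view.cgi?file=../../../../etc/shadow HTTP/1.1"),
    ("attack", "GET /../../etc/passwd HTTP/1.0"),
    ("attack", "GET /cgi-bin/../../../etc/shadow%00.html HTTP/1.0"),
]

RULES = {
    # The over-broad rule from the story: any occurrence of the file names.
    "broad": re.compile(r"passwd|shadow", re.I),
    # Tightened: the names must appear as a path component under etc/.
    "tight": re.compile(r"(?:^|/)etc/(?:passwd|shadow)(?:\b|%00|$)", re.I),
}


def evaluate(rules, samples):
    """Return per-rule counts of true positives, false positives and misses,
    plus the benign lines each rule wrongly flagged."""
    report = {}
    for name, rx in rules.items():
        stats = {"tp": 0, "fp": 0, "fn": 0, "fp_examples": []}
        for label, line in samples:
            hit = rx.search(line) is not None
            if hit and label == "attack":
                stats["tp"] += 1
            elif hit and label == "benign":
                stats["fp"] += 1
                stats["fp_examples"].append(line)
            elif not hit and label == "attack":
                stats["fn"] += 1
        report[name] = stats
    return report


def safe_to_block(report, name):
    """Promote a rule from alert-only to drop only if it flagged no benign
    sample and missed no attack sample in the validation corpus."""
    stats = report[name]
    return stats["fp"] == 0 and stats["fn"] == 0


if __name__ == "__main__":
    rep = evaluate(RULES, SAMPLES)
    for name, stats in rep.items():
        mode = "drop" if safe_to_block(rep, name) else "alert only"
        print(name, stats["tp"], stats["fp"], stats["fn"], mode)
```

The benign corpus is the part that matters: a few thousand request lines captured from the real intranet would have caught the shadow.gif problem before the rule went live, and a rule that fails the check stays in alert mode where a human sees the false positives instead of the traffic disappearing.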
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Yes, but if this tool is installed and it says:
Hey, traffic just went up 400% on port 237 across 100 different hosts - it could go into "red alert" mode.
Red alert meaning that it increases its update-schedule unless an admin flags the traffic as non-virus.
Red Alert could mean to contact home-base every 5-10 min until a fix arrives. Alternately it could mean "login to homebase, leave a log in homebase's DB that I am looking for an update for heuristics X/Y/ZZ, and tell homebase to contact me when an update that looks applicable comes around (port/pattern match)"
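The trigger condition sketched above (a sudden jump in connections to one port across many hosts) can be stated precisely. The following Python is an added example, not code from the comment or from the FPX project: it compares each destination port's new-connection rate in a recent window against a baseline window and raises the alert only when both the rate growth and the number of distinct source hosts exceed thresholds, so a single busy host does not trip it. The flow records, thresholds, addresses and the `detect_outbreak` helper are constructed for the example.

```python
"""Per-port connection-rate anomaly check for worm outbreaks.
Added example code; flow records and thresholds are constructed."""
from collections import defaultdict


def synthetic_flows():
    """Constructed records of (time in s, source host, destination port) for
    new outbound connections: ten minutes of steady web traffic and light RPC
    chatter, then a final minute in which 100 hosts start hammering port 135."""
    flows = []
    for t in range(0, 660):
        for h in range(1, 6):                       # five hosts browsing
            flows.append((t, f"10.0.0.{h}", 80))
        if t % 30 == 0:                             # one host, occasional RPC
            flows.append((t, "10.0.0.1", 135))
    for t in range(600, 660):                       # outbreak window
        for h in range(100):
            if (t + h) % 3 == 0:                    # 20 connections per host
                flows.append((t, f"10.0.1.{h}", 135))
    return flows


def detect_outbreak(flows, base_start, base_end, cur_end, ratio=4.0, min_hosts=10):
    """Compare each port's connection rate in [base_end, cur_end) against the
    baseline [base_start, base_end). Alert only when the rate grew by at least
    `ratio` AND at least `min_hosts` distinct sources took part, so one noisy
    host or a port nobody used before does not trigger by itself."""
    base = defaultdict(int)
    cur = defaultdict(int)
    cur_hosts = defaultdict(set)
    for t, src, dport in flows:
        if base_start <= t < base_end:
            base[dport] += 1
        elif base_end <= t < cur_end:
            cur[dport] += 1
            cur_hosts[dport].add(src)
    base_len = base_end - base_start
    cur_len = cur_end - base_end
    alerts = {}
    for dport, count in cur.items():
        # Floor the baseline at one connection so unseen ports do not divide by zero.
        base_rate = max(base[dport], 1) / base_len
        growth = (count / cur_len) / base_rate
        if growth >= ratio and len(cur_hosts[dport]) >= min_hosts:
            alerts[dport] = {
                "growth": round(growth, 1),
                "hosts": len(cur_hosts[dport]),
                "connections": count,
            }
    return alerts


if __name__ == "__main__":
    for port, info in detect_outbreak(synthetic_flows(), 0, 600, 660).items():
        print(f"port {port}: {info}")
```

On the constructed data port 80 stays at a growth of 1.0 and is never reported, while port 135 is reported with 101 distinct hosts. The two thresholds are what make this usable as the trigger for the "red alert" update schedule the comment proposes: rate growth alone fires on every new service rollout, and host count alone fires on every popular download.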
As an example:
Set up an XP laptop that had been offline for a few months, and thus was behind in security updates. Connected to broadband, modem-->switch-->machine, download patch from my own server where I had a cut+paste URL ready to go. Halfway through download, machine reboots, it's been infected. Total time, under 5 minutes.
Setting up new machine with XP installed, same scenario as above.
Setting up 2 machines behind linux box, no infections. Not just a linux solution, I believe even a cheap NAT'ing firewall would have helped in this case.
The point here being, routers do help, and if more people used them we'd probably have a much-reduced infection rate. If an ISP wants to protect against Welchia and kin, why not make a push for router/modems instead of normal ones, and tout them as "increased protection against internet viruses?"
The only obvious reason I see for not using routed modems is that server stuff won't work for games etc by default, and people could get away with >2 IP addresses. However, the former could be addressed by using "default NAT" policies, with commonly dangerous ports (SMB shares, RPC) not routed by default.
HOLY SHIT! I GOT MODDED REDUNDANT, NOT TROLL OR OFFTOPIC!
Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING.