Handling Viruses in an Uncontrolled Network?
An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats.
We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100-megabit connections in every resident's room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their system's sluggishness. As we only need two or three ping-flooding computers to bring down the network, it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers come up with for this and similar problems?"
"Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life take first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500-member network isn't a possibility).
I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."
There see, that wasn't too hard!
But this is Slashdot. A Slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
Forcing people to have up-to-date virus/firewall software before they can even connect to the network would be a good start. Turning network connectivity off for offending computers/users for progressively longer spans of time after they infect the network seems like a good deterrent as well. I suppose posting the names of people who infect the network and bring it down might work, though the screams from the public beatings might make it hard for you to sleep at night.
I Am My Own Worst Enemy
If you have gotten a job administrating a network for 500 computers, then it is not an uncontrolled network. YOU ARE THE ONE IN CONTROL. If there is currently no policy for restricting usage of the network based on client problems such as ignoring viruses, then I strongly suggest that you write one up now and implement it. Start blocking the MAC addresses of the users that are the abusers. If you just sit back and don't take control, you will soon find that students get little added value from your network and may start to move out, which might leave you without a job.
I'll leave it to other slashdotters who are network admins to flame the hell out of this guy.
I sure wouldn't want to be the guy tasked with handling this!
#include "forums.h"
int main() {while (bollox) postcount++;}
You are DOOOOMMMMMED.
chemical castration might work
Linux is like living in a teepee. No Windows, no Gates, Apache in house.
Write your own virus to send them massive payloads of anti-virus software. :P
Have you considered spankings? At least for the hotter co-eds. After all, they should know better.
Our school uses some sort of client that monitors if OS patches and virus scanner definitions are up to date. If they're not, you don't get access.
I hate it, but it keeps the herd of idiots from spreading the wealth.
Buy a cheap (£30) old computer which will just monitor all traffic on the network. If it detects that one is flooding the network with identical packets it could login to the DHCP server and cut them off (via a script?). The trick is to set the lease time on the DHCP server so the computers know when they have been cut off.
It sounds like you've been completely neutered. If at all possible, talk to the administration about instituting a "3 strikes" policy. That is, if someone's computer causes a network-wide issue 3 times, their network drop stops working for the remainder of the year.
That'll clean their acts up in a hurry, or at least make your life easy.
Even Jesus hates listening to Creed.
Seriously, volunteering to be THE on-site tech support for 500+ users is insane, especially since you're not even getting a discount on your housing. Quit the job or move out so you can worry about your own network.
-EB
Do you ever walk alone like a drifter in the dark?
Isolate the computers that are spreading the virus and shut down their access to the DHCP server based on their MAC address. Then make the reconnect process as painful (yet educational) as possible. >:)
> What solutions have Slashdot readers came up with this and
> similar problems?"
Easy. Disconnect them at the first sign of virus trouble. Don't let them back until they can prove they've fixed it.
When their fresh new computer lasts an hour on the network before you pull it down, they'll soon decide to fix it.
If you can't put the bad users on a slow switch, and force them through an even slower proxy to make their life hell, then see if you can't organise a minimum disconnection period. Say 10 days or so to reconnect the idiots who keep getting infected. Since you control the DHCP server, you could filter them out by their MAC address so they can't wander over to someone else's room to connect. Yes, they could probably circumvent this with a little know-how, but let's face it, an idiot who's managing to become a virus writer's bitch every week isn't likely to have too much in the way of technical knowledge...
Code, Hardware, stuff like that.
Regarding revenge might help you come up with, shall we say, colorful solutions to your problem. Either that or figure out a way to have all of their papers "lost" due to the virus ;-) In this regard, I would suggest that you channel your inner BOFH.
If brevity is the soul of wit, then how does one explain Twitter?
On our student network we get monitored all the time (no traffic monitoring, just open ports etc.).
Suddenly you'll get a mail from admindesk that you are running an old Apache server and you need to patch, failure to comply will lead to disconnection.
The same with unpatched Windows:es
Just use your power and disconnect them; don't turn them on until they have come to you to get a CD with the latest patches/virus-removal kits etc.
How did you get tricked into this! One option would be to disallow Windows networking, but reading your story I doubt you have that option. Sure they'll be pissed, but after that they'll just resort to other media of transfer.
myswitch> (enable) set port disable
-dk
Dream with the feathers of angels stuffed beneath your head.
It's ok if the professional is paid $0, just as long as the terms of the employment are understood: that the network dude has the authority necessary to be able to do the job.
Then, be that guy. Now you have authority.
Then, kick network abusers off the network. People who run viruses are network abusers.
Problem solved.
Just pull the plug.
It really sounds like you're wasting your time.
You don't have control over the users, the machines, or the routers; so what the hell can you expect to do?
Sounds like the best option is to unplug the offending machines from the patch panel until they can demonstrate they are virus-free. Although that is likely not a viable solution if these are paying customers.
Seriously, it seems like this is an unsolvable problem and neither the users nor the administration seem to want to spend any effort in fixing it. So the sooner you realize that there is nothing you can do, the better. Help out with the IT system at your local Humane Society, women's shelter, or similar instead.
Oh, and get your own DSL or cable modem.
You need more power. Otherwise you will fail in your job (unless you take to violence).
Students need to be kicked off the network until their computers are clean. If they are kicked off x times, they are off until they come to you and sign a form saying they understand how to keep their computer clean. y more time(s), they are off for the rest of the semester.
Simple, effective. You will need a couple of decent switches capable of shutting down ports (or you could just yank the wire).
If you don't have this level of power over the network, get rid of any access you do have. The higher-ups only want a scapegoat.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Just reconfigure the guys that keep spewing to either deny access, or return that the computer's IP address is 127.0.0.1.
When they come in complaining, babysit them at their computer.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
Go around with a pair of wire clippers and cut the network cable of those with affected computers - refusing to fix it for them until they get their computer sorted out.
Put the linux and mac users in their own subnet. This won't help *you* any, but it will mean the linux and mac users don't have to deal with constant flooding when the windows boxes go off :)
Get a switch with some management software and start shutting off ports when their boxes go Zombie. Increase the off time with every infraction. They'll learn to fix their stuff pretty quick.
Is there any way you can get all of those who connect through the network to have to go through a proxy server (controlled by you, or the administration) to connect? Once you get that amount of control, you can then start to block stuff you know is bad. If you don't have control over this, petition for it or something. Ask for a bit more power, and maybe, for the good of all, you will get it.
With your proxy, isolate problem areas, where all the downloads that have virus are coming from, and blacklist 'em. I'm not sure how most p2p apps work, but I'm sure you can block their needed ports, so Kazaa, Morpheus, et al will be locked out, as those tend to have more virii than most.
You can also blacklist individual sites, or look to a third-party app that already has a well-established database. (Students may complain about not being able to access their pr0n. If this becomes a problem, you don't have to enable the "Sex and pr0n" filter, but be forewarned that porn sites are where a lot of virii come from as well.)
I hope this helps you. If it doesn't, then publish a pamphlet of some sort, explaining the monetary benefits of not having to buy a new computer to replace your virus-infected one. Maybe some will see the light.
I have this really funny quote that I like to put here. Unfortunately, there's this really annoying thing called a char
Heh, I'm in the same business - but I've got around 400 people, control over a Debian gateway (with ipp2p) and our switches. Usually I disconnect infected computers so the owners come to complain and then it's possible to instruct them to clean their computer. ntop shows which computer is sending the most ARP packets, but all this observing needs my attention. Is there any way to make things work automatically?
Send them emails with executable attachments. If they click on the attachments, ban them from the network for a week.
Send these out frequently. Soon they'll instinctually hit the DEL key when something with an attachment comes in.
I'm a big tall mofo.
If someone asked me to volunteer my time to run a 500 computer network I'd say "Um, NO".
I always wondered why my school's network goes down so much for having such a recently upgraded infrastructure. Perhaps it has something to do with the fact that there are probably 4000 POWERFUL Windows desktops administered by kids who may or may not run updates.
pair that with a *cough* gigabit connection to each machine, and some pretty simple malware can mess everyone up.
You could place all the offensive (read as you like) onto a separate physical network, firewall it like crazy (like maybe just port 80 outbound), and then send it back to the big pipe. The offensive users still get http access, but can't play games/share files/smtp mail etc... You could say 'That's for users who know what they're doing. Come back when you've got a clue'
Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
First off - something that EVERYONE should be doing - make sure spoofed packets don't leave your network. This helps you, and it helps those of us (like me) who run websites that are frequent victims of DDoS attacks - you just may reduce my DDoS from 3Gbit/sec to 2.9Gbit/sec :)
So... you know your internal addresses. You know your external addresses. At the external firewall, block all packets going out that don't have a matching source address in the header. Most all virii nowadays use spoofed headers to hide the actual source - simply block packets that match these criteria.
Second, you can use QoS at the firewall level to prevent one computer from using more than their share of bandwidth. Nearly all firewalls (even open source Linux and BSD solutions) offer quality QoS.
Third, you can identify virii that cause issues, and detect them - usually they are built with backdoors on a certain port - check for that port being open, and block their access.
Fourth, institute a punishment for students who don't fix their issues. One warning, then they lose access for a period of time. This needs to be their responsibility - just make sure that help is available to students who can't protect themselves, perhaps a student IT club can help them or something like that.
Depending on how sophisticated your switching hardware is, you might be able to implement QoS there, to prevent a single system from flooding the network. Additionally, you may be able to simply throttle back each port (if you have a 100Mbit uplink to the internet, set each port to negotiate only at 10Mbit).
Also, choose software packages for different platforms that you can recommend they use to fix any problems that arise - standardization makes management easier.
If you have the budget for it, you could look into locally placed firewall boxes whose focus is to detect and eliminate virii - they're expensive and less common than your standard SonicWall box, but can be found. Might be a last resort unless you have deep pockets.
Good luck!
If you have Cisco switches you could turn on dhcp snooping / ip source guard / dynamic arp inspection. It wouldn't be a total solution but it would help in the case of computers that are spoofing other addresses.
You should look into trying the following:
1. Super-gluing an RJ-45 connector into their local network socket or into the socket on their network card.
2. Removing the infected item (hard drive) from their computer with a power saw.
3. Emptying a can of Raid into their (running) computer and tossing in a match.
4. Taking the infected machine to the roof of the dorms and tossing it over the edge to air it out a little.
5. A double-barreled 12 gauge shotgun with double-ought buckshot should clear those viruses right off of their computer.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Users that participate on the network and yet cannot account for their computers' actions should be banned.
Default out: Virus/Malware scanners that can register with an isolated server the version and state of the user machine can participate. Until then, they are banned. Simple enough. I think some of the enterprise versions do just this.
In a DIY world...have users sign an agreement putting conditions of their connection to accounting for network usage. If you are caught with malicious payloads, you are banned.
You'll have to catch payload origins after they get in but before the network starts to really bog. Ban the perps and impose ever-increasing bans. 1st offense: 1 week ban, 2nd, etc. This should be in their agreement.
OR - just let it bog to a crawl. When they buy new machines, buy their old "slow" ones and resell them on eBay. Sounds like a great money maker!
1. Assume they are savvy users and let them be.
2. At the failure of #1, force them to have up2date virus protection. If they don't want to pay for it, direct them to http://clamwin.com/.
3. Force them to run MS Spyware Blocker if 2000 and above, Adaware and Spybot S&D for lower.
4. Disconnect them until they comply.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
By clogging the network, they prevent other people from doing their work. It's standard procedure at some universities to shut off the ports of problem systems.
The idea is simple: Egress filtering.
Strict policies on outgoing traffic for untrusted networks are essential.
I would suggest a default policy of something like www, ssh, msn/aim im, p2p programs (possibly, depending on the uni's rules and regulations).
Providing you have a mechanism for giving the students access to other ports when necessary, then there should be no problem enforcing a strict egress policy.
That might work at Harvey Mudd or Caltech, but not in the "real world".
I also don't have any control over the network infrastructure itself, just over our DHCP server.
With this you have all you need to run a NetReg server within your infrastructure. With this you can allow users to register their machines automatically. Any user with a virus or other such malware gets their DHCP entry deleted, and they are on a private network that goes to where you define. I would allow antivirus sites, antispyware sites, and windowsupdate only (or better yet, a local mirror).
Have them send an e-mail to user@host once this is complete and you can re-activate their lease.
Can I get an eye poke?
Dog House Forum
Segment the LAN into sections with a multihomed Linux firewall. You can place 2 boxes with 4 NICs apiece, 8 segments; then you can analyze data and shut down interfaces that have the bug behind them.
Then tell the neighbors that someone on their floor caused them to miss their nightly fix of porn. This will be a cause of shame and well, they might not do it again or at least keep their system protected.
I think the whole social order of things would fix the problem by people finding out who was responsible.
You can also tarpit their ping floods, but I have seen more and more DNS problems lately..
regards.
Where I go to school, they sever the connection of computers that don't update with Windows Update like they are supposed to. I'm not sure how they can tell, but between that and the supplied anti-virus software, it works well. People get pissed when they get cut off because they haven't updated (sucks when you use Windows very rarely because you use Linux, but I can usually update in time before I'm scanned and kicked), but what happens happens. It sounds like a dozen or so calls a day to turn their computers back on when major updates are released is a small price to pay. Users are also restricted to a single site in the subnet to get updates when they arrive here to prevent viruses around that time.
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
You're doing this for free? I wouldn't even do this job for pay -- unless it was something like Bill G's salary. You will never educate kids who will click on anything that promises free porn, download and use every ad/spyware infested P2P program out there, and not think it's their fault because they can't be bothered to even update their anti-virus.
The system will be in trouble continuously because even if most were actually responsible users, it only takes a few irresponsible ones to mess it up for everyone, and it will always be your fault!
And if, pray tell, things actually do run perfectly for a few hours, or days, don't expect any thank you's from that ungrateful crowd.
And as you said, you're not even getting paid for this. Bet this means you have effectively No Authority to fix anything or punish anyone otherwise. Try to kick off a multiple repeat offender and guess whose ass ends up in a sling when they go whining to the university president.
Have fun!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Block ports! Don't allow outgoing traffic on any ports but a very specific list (http, https, telnet if you must, POP, etc.). Also have your routers drop pings or ICMP requests. Granted, this would reduce the ability to run servers, use Kazaa, or some network games, so maybe not ideal as a solution, but it would prevent many viruses from bringing down the network scanning for hosts....
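The egress policy described in this post, in the "spoofed packets don't leave your network" post and in the "block port 137,138,139,445" post further down, written out as an added Python example (not code from any poster; the address space, the allowed-port list and the sample packets are constructed). It applies the rules in the order a border filter would: reject forged source addresses first, then ICMP, then the Microsoft networking ports, then default-deny everything not on the short allowed list.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed policy values (hypothetical): the residence's own address space,
# the minimal set of destination ports allowed out, and the Microsoft
# networking ports that are never allowed to leave a student port.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_DST_PORTS = {80, 443, 22, 110}            # www, https, ssh, POP
BLOCKED_DST_PORTS = {137, 138, 139, 445}          # NetBIOS / SMB


class Packet(NamedTuple):
    src: str     # source IPv4 address as a string
    dst: str     # destination IPv4 address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp


def egress_verdict(pkt: Packet) -> str:
    """Decide what happens to one packet leaving the residence network.

    Returns "accept" or "drop:<reason>". Rules are checked in order, so the
    anti-spoofing rule applies even to otherwise-allowed ports.
    """
    src = ipaddress.ip_address(pkt.src)
    # 1. Anti-spoofing: an outbound packet must carry one of *our* source
    #    addresses; anything else is forged and is dropped at the border.
    if not any(src in net for net in INTERNAL_NETS):
        return "drop:spoofed-source"
    # 2. ICMP does not cross the border, so a ping flood stays inside.
    if pkt.proto == "icmp":
        return "drop:icmp"
    # 3. Microsoft networking ports never leave a student network.
    if pkt.dport in BLOCKED_DST_PORTS:
        return "drop:ms-ports"
    # 4. Default deny: only the short list of destination ports goes out.
    if pkt.dport not in ALLOWED_DST_PORTS:
        return "drop:port-not-allowed"
    return "accept"


# Constructed sample traffic: one normal web request, one packet with a
# forged (non-local) source, one ping, one SMB attempt and one high port.
SAMPLE_PACKETS = [
    Packet("10.20.3.7", "203.0.113.5", "tcp", 80),
    Packet("192.0.2.99", "203.0.113.5", "udp", 53),
    Packet("10.20.3.8", "198.51.100.1", "icmp", 0),
    Packet("10.20.4.1", "198.51.100.2", "tcp", 445),
    Packet("10.20.4.2", "198.51.100.3", "tcp", 1214),
]


def verdict_summary(packets):
    """Count verdicts over a batch of packets, e.g. for a periodic report."""
    return dict(Counter(egress_verdict(p) for p in packets))


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src:>12} -> {p.dst}:{p.dport}/{p.proto:<4} {egress_verdict(p)}")
    print(verdict_summary(SAMPLE_PACKETS))
```

The verdict string names the rule that fired, which is what you want in the firewall log when a student asks why something stopped working.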
I work for a major university that has about 20,000 computers connected to its network. Not to mention traffic from over 80 county extension offices. We are currently working on an in-house system that will hand out a certain IP range to offending computers. This IP range can ONLY get to 1 server that has reasons why they can't get to the Internet. They also get instructions how to get themselves back on. After the second offense they have to actually call us. After the 3rd offense they have to visit us. We have all of the technical stuff taken care of. Now if we can just get another group in our department to get off their butts! So my suggestion is like the others out there. You have the control of the DHCP server, so you can restrict their MAC addresses. If they don't like it, tell them to move!
"Why was the network down all Sunday night? Ben in Room 302 failed to install these patches."
Continue to do it every time.
You know the MAC address of offending machines, or if you don't you had better arrange things so you do. Log offensive ICMP packet frequency by MAC address and revoke the friggin IP contract.
As for putting a box on your network in the first place...
1) Make them haul the machine into the lab and install ZoneAlarm. Make the student do it. Record the MAC address. Put it in your DHCP database. No leases for machines not in the database, PERIOD. If you want to be a real hardass, require that the students pass a test on using ZoneAlarm (or whatever) before you put their machine in the database. You might also require that they have all the patches installed if they are running Mr. Softie's finest...
2) No exceptions to 1.
3) Pamphlet on cleaning up their machine so they can bring it to the lab and show you it's fixed before allowing them back on the network. After hauling their SUX2000MK3gameblastersteamertrunk to the lab a few times, they'll get the message.
A user not willing to fix their problems should not be allowed to use shared resources where they can cause problems for others. If you're going to enforce any policy and actually try to fix things, the user issue must be managed first. It's not like you're going to deploy McAfee EPO or something on a student residence.
You could also try choking those ports down to dialup or slower speeds until they fix the issue, but something tells me they're not going to fix the source of the issue in any case.
Doing the Right Thing should not be preempted by making a buck.
Most notably, make sure your network uses managed switches that will monitor (and if necessary, shut down) incoming traffic from ports. Virus traffic as well as port scans (which should also be banned) tend to be fairly noticeable if you're looking for it.
Managed switches are super nice because they can permit you to shut down a hard port that may have a computer infected. There are some that can even ban certain MAC addresses, so if an infected laptop jumps between ports, the new port also gets disabled.
Also, as others have noted, as the network administrator, you have privileges to define network policy (although probably with the approval of your bosses). Make sure it's known that infected computers will be banned from internet access until some painful education session is taken (maybe once every two months, just to make it hurt even more) and make sure all users sign a usage agreement before they are permitted to use the network.
The real solution is to tell your university to get a freaking IT budget together to create a full-time paid staff member who will maintain such a network. It's ridiculous to be the only administrator (and be a full-time student at the same time), assuming I'm understanding your situation correctly.
This sounds like my living arrangement. Except when the apartment network got hit the first time, they turned it all off and sent a tech out to patch people's computers and dis-infect them at $20 a pop.
Easy money for them.
All the tools you need are wrapped up in Linux. Traffic control, rate limiting, dynamic blackholes, user registration, etc. I do this for a few thousand students living in our properties and others we manage. Takes some know-how, though, to do it right. Not a quick fix, but it is so flexible once you've put the time in. You can respond to almost anything thrown your way.
The best way to deal with it is to cut off the infected machines and have their users fix their systems. Someone here also had a nice idea. Instead of cutting off all access, have any transactions on port 80 redirected to an internal server that explains why they can't use the network and how they can go about fixing it.
Students in our dorms have no need for Microsoft ports, which is the primary reason worms can take down the network. So I block ports 137, 138, 139 and 445 at the switch port level.
Granted this doesn't solve the virus problem on the computer, but it sure does prevent it from taking down the rest of the network.
If you are using a managed switch you should be able to disable switch ports via SNMP.
You should also be able to monitor the traffic stats of each port.
So, when you detect that the LAN utilisation has exceeded some predetermined threshold, start disabling all the high traffic ports until it stops. The only people left standing will be those that had current anti-virus software.
They'll learn when their neighbours have access and they don't.
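The procedure in this post (poll per-port traffic counters over SNMP, and when LAN utilisation exceeds a threshold shut down the highest-traffic ports until it drops back), as an added Python example that is not the poster's code. The counter values and the 100 Mbit backbone figure are constructed; the `snmpset` line uses the standard IF-MIB `ifAdminStatus` object (value 2 = down) with a placeholder community string and switch name.

```python
# Constructed ifInOctets samples (hypothetical) from two SNMP polls of a
# managed switch, POLL_INTERVAL seconds apart. Counters are 32-bit and wrap.
POLL_INTERVAL = 10          # seconds between polls
COUNTER_MOD = 2 ** 32       # 32-bit ifInOctets wraps at this value
BACKBONE_BPS = 100_000_000  # constructed: 100 Mbit/s shared segment

PREV = {"1": 1_000_000, "2": 5_000_000, "3": 20_000_000,
        "4": COUNTER_MOD - 10_000_000, "5": 700_000}
CURR = {"1": 3_500_000, "2": 6_250_000, "3": 107_500_000,
        "4": 40_000_000, "5": 1_325_000}     # port 4 wrapped between polls


def port_rates_bps(prev, curr, interval=POLL_INTERVAL):
    """Bits per second per port from two octet-counter polls, handling 32-bit wrap."""
    rates = {}
    for port, now in curr.items():
        delta_octets = (now - prev[port]) % COUNTER_MOD   # modulo absorbs the wrap
        rates[port] = delta_octets * 8 / interval
    return rates


def ports_to_disable(rates, capacity_bps=BACKBONE_BPS, threshold=0.8):
    """Greedy shedding: while the aggregate exceeds threshold*capacity, take the
    current top talker off the air. Returns the ordered list of ports to shut."""
    load = sum(rates.values())
    limit = threshold * capacity_bps
    remaining = dict(rates)
    disabled = []
    while load > limit and remaining:
        port = max(remaining, key=remaining.get)
        load -= remaining.pop(port)
        disabled.append(port)
    return disabled


def snmpset_commands(ports, switch="switch.example", community="PLACEHOLDER"):
    """net-snmp command lines that set ifAdminStatus to down(2) for each port
    (placeholder switch name and community; ifIndex assumed equal to port number)."""
    return [f"snmpset -v2c -c {community} {switch} IF-MIB::ifAdminStatus.{p} i 2"
            for p in ports]


if __name__ == "__main__":
    rates = port_rates_bps(PREV, CURR)
    for port, bps in sorted(rates.items()):
        print(f"port {port}: {bps / 1e6:6.1f} Mbit/s")
    victims = ports_to_disable(rates)
    print("disable:", victims)
    for cmd in snmpset_commands(victims):
        print(cmd)
```

Run it periodically from cron; the greedy order means the one flooding host goes first and the well-behaved ports stay up, which is the "only people left standing" effect the post describes.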
strlen mentioned in another topic that there's an OpenBSD-based firewall product which sounds like it may cut down on the task significantly. The upside is that it will save you tons of time in managing a network of that size -- I'd hesitate to call it a "small" network. 500 machines sounds like a full-time job depending on how much hand-holding you do. The downside is that it's about a $20K product, though that works out to be a bargain at $40 per station. However, it certainly sounds interesting and maybe that link will give you a start for a completely free version which you can build yourself if you have the time and knowledge.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
"those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness"
You're not looking at this realistically. The statement above betrays your frustration. You see the users as stereotypes of carelessness and stupidity.
So they buy faster computers when they get infected? And how often does your typical student buy a faster computer? Every day? Every week? I think not! Yet, how often do people get infected? From the way you describe the problem, it is quite often.
Users already have incentives to keep their computers virus free. Nobody likes getting a virus. It slows their computer down and makes it hard to use. They can't just run out and buy a new computer! Your harsh stereotyping is ignoring the reality of what students face.
So, the first step is to get a better understanding of the problem. Why not try talking to some users? Not just your techie friends, talk to the average person who knows only how to turn it on and run the few programs they use? I'll bet you'll find out that the real reason for the problem is not that people don't care, because they can just buy new computers! It is because they don't feel confident in their abilities to download, install and run the AV software, and to continue to use their computers with whatever small operational changes the AV software may impose.
I can't tell you for sure what the solution is, but the first step will be to understand the problem better. Resorting to stereotypes of users as malicious or uncaring is only going to take you farther from the solution.
"I also don't have any control over the network infrastructure itself, just over our DHCP server."
Well someone has control over the network infrastructure itself, and it's their job.
Standard I/O Error. Incompetent/Operator.
Windows machines have little to do on networks anyway. Unpatched winboxen even less. Cut them off until they get a clue - as simple as that. Or make it a policy that everyone has a Mac (or clue).
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
Simple as that. If they are damaging the network then they are a threat to the network and even if they buy a super fast machine to compensate... yippee fucking do.
Anything that damages the network as a whole must be blocked. Revoke their DHCP access, or something similar (I don't know how the network is routed, so I can't give a more detailed answer.)
When they learn to not get infected, then they can use the network again. It is that simple.
However, if you are in a position where you cannot do this (then I would walk away personally...) then look into using something like Hogwash (those guys need some development help BTW (hint hint Slashdot community - Hogwash is a wicked project...))
Try to hack my 31337 firewall!
There's this really kewl little script out there... I can't remember the name of it, but basically you enter the IP of a system on your local LAN and the system completely and totally freezes up. Turn it off and the system operates like it just froze... no data loss, nothing. So, I suggest a simple Linux box running NTOP. Find the highest traffic users during the outbreak, and DDoS 'em. Even rebooting won't help them. :) Of course, there's many tools out there that incorporate NTOP, Nessus, NMAP, etc to find which systems are vulnerable and all that, but without local access to the systems themselves to turn them off or patch them, you should just DDoS until the outbreak goes away and those offending systems can be fixed.
Porn for your PDA/Smartphone/etc
First, if you have a core of machines you know to be well-configured, set up your DHCP server to give out ip addresses to only those machines, by MAC address. Anyone else who wants to use the DHCP server will need to convince you that they have antivirus software installed (and configured for automatic updates). Once they've convinced you, you add them into the list of MAC addresses recognized by the DHCP server.
2) Curl into the fetal position.
3) Sob, quietly enough to be annoying, loud enough to be noticed.
4) When asked what the problem is say "Viruses (Virii? Whatever), Viruses! I told them I did, yes, did they listen? No precious no! All over they are! Argghhhh Viruses!"
5) Be glad they just told you they don't really need your voluntary work after all.
"I may be full of crap about this game, and I may be wrong, and that's fine." -Jack Thompson
Run another IP network on a private IP range on the network and have your DHCP server give an address in the private range to any machine blacklisted (keep your lease time short). Set the gateway address on the private net to a linux box with a firewall rule that sends all web traffic sent to it (transparent proxy style) to a page on itself that says that the user is infected and downloads of the tools to fix the problem.
James
Guns. Lots of guns.
The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
Idiots using Linux will cause just as many problems as idiots using Windows... Only difference would be that he would then have to be "the answer guy" for 500 linux newbies.
Denying a user access to DHCP is not a catch-all solution. Eventually someone will be smart enough to figure out how to set up a static address for themselves, or more likely have a friend do it (seeing as anyone who knows how to set up a static address knows how to protect their system). To truly take control, you'd need the ability to turn their network port off at the switch level.
If you are not allowed the authority to do this, you might as well give up now. If you are, keep a handy CD burned with Avast! or AVG AntiVirus Free Edition, a free firewall like Sygate Personal Firewall or ZoneAlarm, and malware removal software like AdAware, Spybot S&D, or MS AntiSpyware beta around on a check-out basis for users to clean their systems. Make it a written policy that unprotected systems that are infected will lose their internet access until they are clean and are proven to be protected.
Never look down your nose at others. Someday, someone is bound to see your boogers.
we just made usage of Linux compulsory.
Did your school also provide students with hardware to replace hardware that's not compatible with any known free operating system? A lot of the computers that students bring from home contain paid-for hardware whose manufacturer chooses not to cooperate with the free software community.
That's not an easy fix at all. Who are you kidding? If you had to spend less than 5 minutes a week with each computer that's already over a 40 hour work week right there -- and I doubt any solution is that quick. You're not understanding the numbers involved here -- and that's not including travel time, plus being able to meet them on their schedule. Ain't going to happen with student users on broadband who feel it's their God-given right to abuse.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
You have 500 computers, and each user could be a customer for a local hardware/software reseller.
See if you can get a deal on a router for each computer (close to cost). Students who install will probably get few if any viruses. At least you'll help those willing to do a bit of work (they'll probably also have virus scanners installed).
I agree with the other posts - users should have their network drop disconnected if their machine is spewing viruses. They can reconnect once their OS is installed, once they have a virus scanner installed, and they have automatic updates turned on.
Would a packet sniffer like Ethereal help track down the guilty computers?
Just go in there and physically remove them from the network. Take a sledgehammer if you need to visit a second time, and leave a horse's head in their bed if they do it a third time :D
use a ptp network. Yeah, it's a waste, but at least you can disconnect the individual offenders.
That will get them to clean up their spam zombie bots, running on 100mb/s no less.
In large environments it's a good idea to deploy some type of QoS. Use basic rules to provide equal resources to each network device if resources are maxed. On-the-fly rules can be added to limit virus or other traffic to a minimum in a problem situation. Also, in many university networks I've worked on, a basic QoS rule for P2P will also save critical network resources while not restricting P2P usage altogether. (Not all P2P is bad, remember, and it's not your job to invade traffic privacy until you're forced to.)
Let the students fix the problem.
Do nothing until the network becomes unusable.
Then publish the names of the (un)responsible peoples with their respective bandwidth usage.
If you only control the DHCP server, and cannot even force people to use the DHCP server you do not have a chance.
Try to get an old Linux box and set it up as a router. Then install PortSentry on this router. Every virus will immediately attack the router and PortSentry will then cut it off.
This is the most ingenuous solution i've heard in a long time! :D
:P
"License agreement.
By clicking on this button I agree that I
blablabla blablablabla blablablabla blablablabla
blablabla blablablabla blablablabla blablablabla
blablabla blablablabla blabla agree to have my
computer suspended from the [insert network here]
for a week ablablabla blablabla blablablablabla
blabla blablablablabla blablabla blablablablabla
[I AGREE]
"
But frankly, I think setting up their network settings to have a "babysitter" firewall as the gateway is much easier. Then you can filter those packets as you please.
Wait, why not do both?
You could implement a (hopefully automated) means of identifying a compromised machine. A single PC on listen-only mode with Snort -- perhaps with a few Nessus scans -- might do the trick.
Once you have monitoring capabilities, you can get to work on responses. You have a few options, depending on the available resources:
-- Put up a public notice somewhere (on a webpage, network status screen, whatever) indicating that the current network outage is a result of Joe's ineptitude. (ie use peer pressure to keep users' boxes clean.)
-- Send an email to the netadmins to have Joe's network access restricted. If the detection mechanisms are reliable, you could ask the netadmins to automate this facility.
-- Provide a facility for end-users to monitor their own recorded state. This will help those who don't know they've been compromised and/or want to make sure their network connection doesn't go away.
When disabling a user's access, it would be ideal if they could retain some limited connectivity so you can feed them a "You've been hacked" webpage -- ideally with some patch download links. Depending on your local network infrastructure, this may not be feasible, but if you can move compromised machines to a separate VLAN with heavy ACLs, or simply QoS non-essential network traffic into the ground, that'll help when end-users try to fix their machines themselves.
"Keep in mind that I'm doing this on a volunteer basis..."
Doing what, exactly? Not being able to deep-six, jettison, quarantine or smack [ab]users of your computing environment doesn't sound like a big job.
-- often wrong; never in doubt
I'm assuming that you can detect which computers are flooding or somehow clogging the network (this can be done without viruses too, of course). How about limiting their bandwidth to, say, 100kbit/s or less if they trigger some preset criteria? That way, they will be able to do whatever work they need to do and they won't bother other people too much. If they don't mind a slow computer, then they shouldn't mind a slow connection either.
On the other hand... you do have some responsibility for (cracking) attacks emanating from your network, so shutting them off is not that bad.
While I'm a pretty staunch Linux advocate, this seems a little extreme. From the average users' perspective, it would be akin to a school refusing to support any non-Windows computer because it's too "obscure" and expensive to accommodate. Physicists and chemists may be down with using Linux, but I can't imagine forcing Linux on a British Literature major, or a grey-haired and tenured anthropology professor.
If you really have no real control over the network then I'd suggest running a propaganda campaign warning of a virus that is rapidly going around that is wiping peoples' drives and their silly history-of-art dissertations.
Stick up flyers and new ones each week until people start _thinking_ about their security. People use social engineering to hack so why not to protect?
It really depends on how much you have control over.
If you live in Cisco land, and you have switch/router access, you can use "private vlans" to stick every client on its own /30 network. The only host they can talk to is their default gateway. It's a major infrastructure change and it eats a lot of IP space, but it's worth it if your network is chaos.
There's a slick product called Perfigo that was bought by Cisco that will put new clients on a 'quarantine' vlan while they get scanned by Nessus. Once it determines that the client is 'clean', it'll change their port's vlan so they're on the production network. Otherwise they get stuck on a vlan that can either do nothing, or limited to get virus updates or whatnot. It's rather slick, but it's bucks (>$20,000).
If you have enough of an understanding of vlans, switches, snmp, dhcp, and nessus, you might be able to roll your own for cheap.
If you disable peer traffic, (ie all traffic must be to or from the router or a local server) then the local traffic won't blow out and infection won't be as rapid. Then you'll have a containable mess.
I don't know what peer requirements / preferences there would be, but it should be possible to handle most real requirements while still sensibly filtering.
-- All your bass are below two Hz
Here is the solution:
Set up a kill bot. Let it search for unupdated computers, and then, taking advantage of old vulnerabilities, remove the machines from the network by writing over the hosts file or something. Make everybody sign that they understand about the bot's existence before they can connect to the network, and you're in the clear.
Of many possible technical & organizational approaches, which you employ depends on what your goal is.
1. If your goal is to be a nice guy who doesn't bother anyone and gets all your studying done, then the most practical technique is to quit volunteering.
2. If you're a music or poly sci major who is not really interested in network administration as a career ... then cut your losses ... this sort of volunteering isn't really helping.
3. But if your goal is to get out of college with something helpful to put on your resume, then treat this like a professional opportunity! Show that you can do a top-notch job of network administration by learning the techniques, putting in the time including the hard-nosed ejection of malefactors, and allowing for that time in your study schedule.
After all, when you get your diploma, how many of your competitors are going to be able to say, "I managed a 500-node network, achieving X% of whatever metric most impresses employers." Given the choice between someone who got all A's and someone who accomplished something useful while getting decent grades ... who would you hire?
--- Attorneys Assisting Citizen-Soldiers & Families -
It sounds like your hands have been tied. I urge you to first seek more authority to demand that users install antivirus software. If the powers-that-be refuse to grant you the power to enforce that rule, your only solution is a social one.
Whenever someone's computer brings down the network, publicize his name. Find some way to make his neighbors hold him accountable. Believe me, it will happen. It won't take too many hazings (and rumors of hazings) before people shape up and install antivirus. Most people know about the need for antivirus, they're just too lazy and think "It won't happen to me." So motivate them.
Are you crazy? First thing I'd do is implement bandwidth charges and make sure everyone calls me Sir. BOFH them into submission....
So long, and thanks for all the Phish
I think you might want one of these.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
I used to work in a similar environment. We set up Netreg - unregistered machines can only access a website with a form explaining the terms of use and with links to AV software and patches. By clicking on the agreement they consent to having their port disabled if they are found to be in violation of the policy (i.e. if they are flooding the network/spreading viruses). We set up Netdisco (http://netdisco.org/) to handle the actual disabling of ports. For a while we had 3 categories in Netreg: unregistered, registered, and infected. We would move people found to be infected into the infected category, which put them on their own restricted subdomain that could only access a "YOU ARE INFECTED" page with cleaning tools and info on how to get help from us, but it was a nasty kludge of a hack in Netreg to make this work and we ended up giving up on doing it this way after having lots of problems with it and ended up just using Netdisco to disable them.
It's not the perfect solution but it did a fair job while I worked there.
> Ain't going to happen with student users on broadband who
> feel it's their God-given right to abuse.
if you're taking notice of what students FEEL is their right, then you're starting off on the wrong foot right there.
Temporary suspension for a first offense -- enough to get their attention.
Ban for the semester or the academic year for a re-offense. If they whine about needing the network, direct them to the public computers which are presumably locked down to the point where even idiots should have some trouble spreading their idiocy, and which should have sufficient software for academic purposes -- e.g. word processing, typesetting, compilers, graphing, et al. No exceptions just 'cause their parents are rich and spoil 'em silly.
Generally speaking, it's extremely likely that your school's network TOS prohibits assorted forms of abuse of the network. Participating in DOSing the network should certainly qualify, even if by gross negligence, especially when caused by willful ignorance.
Only the dead have seen the end of war.
Had this in tradeshows for years. If you cannot control both Layers 2 & 3, forget it.
You need to AT LEAST be able to log in to the switches/routers to read MAC tables at the instant there's a problem. ARP would be nice too. You need make no changes, but read-only is non-negotiable. Otherwise give up the job.
Once you have that, you can perfect the steps to find out what's happening when it's happening. THEN you may use whatever eloquently violent steps others are suggesting.
A b/w mgmt appliance would also be a smart investment, they can provide unusual evidence that's remarkably useful. (We'd look at the top talkers, when TCP sessions >800/5 min, we'd know we're lookin' at a naughty person.)
If you're responsible for an improvement of the situation, and you're not given the tools, then resignation is the only course. Sticking it out with your hands tied is pointless torture: you'll never get a break, and the torturer will get tired.
How about... Get a new job?????
I'd say you probably don't get paid enough to do that.
<overrated>Insert Sig Here</overrated>
Make it so each switchport that has a desktop connected can only communicate with the switchport with router attached. This will prevent PC-to-PC infections across the LAN, unless spread by email or some other means. The rest of the battle you will have to fight with strict policy and good user education.
Quarantine VLAN !!
1) Virusscanner on outbound mail, detect a virus -> Quarantine VLAN
2) Scanner for logfiles, for suspicious activities, if so -> Quarantine VLAN
The VLAN has NO INTERNET ACCESS at all. The users get an IP through DHCP, redirecting requests to a DNS that answers every request with the same IP. That IP runs a webserver with a page explaining the problem.
Takes a day or so to put it all together, but will save you a LOT of time.
Also, from time to time there are 'vulnerability' scans on the network for detecting people who haven't patched. Run those when available. Put all ports of the people too lazy to patch on the VLAN too. But put on the webserver a download option for the updates, and a form for requesting to be removed from the VLAN.
Having worked for a university where they had to manage some 30000 people, just about all of whom had computers, the solution is basically the same thing everyone here is saying. There is very active monitoring several levels deep into the network. If a computer is sending out crap and flooding the network or otherwise being a PITA, it is disconnected. The port is just automagically shut down and a note is made in a DB so that when the call comes in to the hell...help desk, the poor slave... technician knows what it's about and can direct the user to a place to pick up a CD-R with the "Cleaner of the Week" for whatever virus it is this time. Repeat offenders have a very rough time indeed getting back on the network. In addition, the dorm buildings each have a *pseudo* router. I'm not exactly sure who makes it (I wasn't in that part of the staff, I was on the IT team for some scientists), but the joy of it was internal connections are fine, outbound from the dorm connections get QoS'd to hell and back again.
One side note, when you do start pulling the plugs make sure you've got the following lined up.
1) Management authorized you to have that kind of power. In writing.
2) Buy a weapon. Seriously. I kept a live blade sword in plain view behind my desk just in case. Some of these college students / scientists are friggin nutz.
3) Stock up on some booze. Patience can be easily recharged with the right liquid beverage ^_~
hth
Implement a firewall and a throttler and/or packet management. A single Linux box might do the trick (though it'd possibly be slow depending on the number of clients).
Block all incoming ports for clients (if they're on NAT, they don't need it for 99% of functions). Block any outgoing ports 1024 that aren't 80, 21, 22, 8080, 3128, 110, 143, or 119. Most of your problems will go away.
The only people who will bitch will be P2Pers and gamers.. and jeez, they can get their own connection if they care that much about that.
Sell cheap preconfigured Linux pcs in your school store. Macs with OS X would not be a bad option either for students. I don't think any student would need more than a Mac mini for $499. Add more variety to your network. Try to get kids from using Windows.
Give people help in converting their computers over to LINUX or encourage Mac adoption. It's my understanding that you can run WINE and still run most Windows progs on Linux. The problem with Linux is that it can be a bit scary and user-unfriendly for average users, so if you helped people switch then that would help a lot. A program that offered trade-in value on current machines to buy Macs would be helpful. Mostly, if you give people the right information in the way they can digest it, it will help as far as getting the users to go along with it. Also maybe a site licence for some sort of really good virus protection and require people to use it in order to use the network.
411 Y0UR 8453 4R3 8310NG 70 U5!! -NSA
I forgot to mention, we used ettercap to detect attacks.
Ettercap:
http://ettercap.sourceforge.net/
Netreg:
http://www.netreg.org/
Netdisco:
http://netdisco.org/
A. That won't fix the problem - 3 strikes are way too many. Assuming there are 100 people on the network who are problem causers, you will have up to 300 network issues until the problem is "fixed." And you will have 100 very pissed off kids.
B. You will scare technophobes even more. Usually, avoiding viruses is not entirely intuitive until you have some experience with computers.
C. You are punishing the wrong person. The student did not write the virus, nor did he put it on his computer on purpose.
How about writing this, in big letters, on the introduction pamphlet to the students:
"for every virus you get, I shall kill you."
Have you figured out exactly why a few infected computers is bringing down your whole network? I could see if they are scanning local subnets, you would have a lot of broadcast ARP packets. If they are scanning remote network IPs, you may be filling up a cache on the outbound router. Are you sure you don't have a few people just playing with NMAP? Is it inbound traffic or outbound? Identify the nature of the traffic when the network implodes, look for a pattern, and see if you can mitigate that. Use ethereal for that.
This is a *switched* network, isn't it? Hopefully yes, and with a firewall also. I really can't see why someone would need inbound tcp/135,137,138,139,445,1025 or udp/135,1026-1029 nowadays. That would prevent malware that is not spread by email or Explorer. I won't recommend you dictate the browser or email client people use, but it's a possibility to have an outbound web proxy not forward any requests from IE.
You might also want to look into snort, you could at least have it alert you when the problem starts, or shut down ports, but sounds like you have not had much luck with that. Note rather than drop people off the face of the earth, at least make sure they can get to antivirus sites and microsoft updates. This is tough without access to the infrastructure but would improve things.
Another suggestion is, if you do not have a lot of room-to-room traffic, and you do not have a 100mb connection to the net, configure all ports to 10mb. At least that way it takes more than 10 users to flood your 100mbit backbone. And users accessing the net are always throttled by your outbound connection so they won't know the difference.
I assume you volunteered for this because you like this stuff. Note that if you *did* spend more time on this problem than your schoolwork, and came up with a solution, you might not even need to finish school.
Wow. So, about half the responders have said "Don't do this job--you should quit." The other half have said "pull everyone's plug at the first sign of trouble and never let them use the network again."
Which are, respectively, the most-unhelpful and second-most-unhelpful possible answers to the question.
Yeah, it's a sucky situation--he gets it. The underlying structural issues aren't his fault, and he can't make them go away. He's asking for some level of PRACTICAL suggestion that might HELP the situation. He's asking if anyone's encountered something similar. He's asking for USEFUL advice that might MAKE THINGS BETTER.
I don't, frankly, understand the level of scorn being heaped here for someone who's willing to do a difficult and thankless task, not because they like it but because they can help.
- start with some scan-tool for scanning unpatched systems, kick these off the network till they install SP2 and clean their machines
- use tcpdump arp to scan for mass ARP requests; if one host scans the subnet it's most certainly infected -> kick it off till cleaned
- you could also extend the scan for connections to port 25 for catching the mailing viruses
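The ARP-scan detection in the list above (and the ethereal-style traffic triage suggested a few posts earlier) as an added shell example; this is not code from any of the comments, the tcpdump lines are constructed, and the interface name and threshold are assumptions:

```shell
#!/bin/sh
# Added example, not code from any of the comments: flag hosts that send ARP
# "who-has" requests for an unusual number of distinct targets, the pattern a
# subnet-scanning worm produces.  Assumes tcpdump's default "arp" output
# (without -e); the capture below is constructed, not real traffic.

# Read tcpdump arp lines on stdin; print "asker distinct-targets" for each
# host that asked about at least $1 distinct addresses in the captured window.
flag_arp_scanners() {
    awk -v thr="$1" '
        # line shape: <ts> ARP, Request who-has <target> tell <asker>, length NN
        /ARP, Request who-has/ {
            target = $5; asker = $7; sub(/,$/, "", asker)
            if (!((asker, target) in seen)) {   # count each target once per asker
                seen[asker, target] = 1
                distinct[asker]++
            }
        }
        END { for (a in distinct) if (distinct[a] >= thr) print a, distinct[a] }
    ' | sort
}

# Constructed sample capture: one host resolving two neighbours (normal), one
# host walking 40 consecutive addresses (scanner).
sample_arp_capture() {
    echo '12:00:00.100000 ARP, Request who-has 10.1.2.1 tell 10.1.2.20, length 28'
    echo '12:00:00.200000 ARP, Reply 10.1.2.1 is-at 00:11:22:33:44:55, length 28'
    echo '12:00:01.000000 ARP, Request who-has 10.1.2.40 tell 10.1.2.20, length 28'
    i=1
    while [ "$i" -le 40 ]; do
        printf '12:00:02.%06d ARP, Request who-has 10.1.2.%d tell 10.1.2.77, length 28\n' \
            "$i" "$((100 + i))"
        i=$((i + 1))
    done
}

# Live use (needs root; eth0 and the 5-minute window are assumptions):
#   timeout 300 tcpdump -n -i eth0 -l arp 2>/dev/null | flag_arp_scanners 20
sample_arp_capture | flag_arp_scanners 20   # prints: 10.1.2.77 40
```

The "tell" address is whatever the sender claims, so confirm a flagged host against the switch MAC table or a `tcpdump -e` capture before pulling its port.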
If its possible to detect who the offender is, put their name on a webpage and let their dorm mates solve the problem.
Make sure everyone knows who the infected machine belongs to. Measure the number of offending packets and explain why this is making the network slow. And then give out their room number.
It would also be good to find out who got infected first.
I suspect intelligent college students will find some creative way to provide the proper attitude adjustment. The problem should solve itself.
Personally, I would disable the Internet connection of any computer that spreads viruses and wait for them to come themselves to the sysadmin to get their connection back.
I would not reactivate the connection as long as their computer is not clean. By the way, it is not the responsibility of the sysadmin to clean the computers.
I would also make clear that if a user is often responsible for viruses and doesn't care, his Internet connection might be suspended for a significant period of time (at least one month), and make it known publicly.
What would be really helpful is to have a paper that people must sign to get access to the Internet from their student room. This "contract" would state that neglecting to take appropriate measures against viruses, trojans or similar, or not caring about computer security, can lead to permanent suspension of the internet connection without reimbursement.
Many Universities are doing something like that.
Use remotely managed switches.
;-)
When a system starts flooding, identify it, then disable the port on the switch.
"Hi, we disabled your network connection because your system is infected with a virus and was attacking our network. We will re-enable your network connection after you clean up your system. Have a nice day."
Very effective.
Start portscanning, and when people have virus ports open, send them notification. If the ports aren't closed within 3 days, unplug their room from the hub. Don't plug them back in until they've proven to you that the system has been disinfected. If they claim to need an internet connection to do that, direct them to grisoft.com and give them 30 minutes before unplugging them. On a 100mbit, that should be more than enough time.
It should be pretty easy to set up a script to portscan the network and e-mail you an alert when something bad happens, and then set up a cron to invoke it.
I'm afraid you have to be an asshole about it. It won't take long before they get the message.
If you believe everything you read, you'd better not read. - Japanese proverb
Make public who got banned and how often. These guys will start to take care of their security if they get questions like "Surfing porn again, Dude?" and "Why did you get banned _again_ this month? Didn't you just request access again?"
Others will get aware of the issue too and might be more careful.
If you have a managed switch, sounds like you do, set it so that the computer can see up but not around: they can see the rest of the world, but do not see others on the switch. NAT all the boxen as well.
md5sum
d41d8cd98f00b204e9800998ecf8427e
Let the students sort it out... Talk to the people and by talk I mean knock on the door and talk to them. Make a list posting the room numbers of the people who are responsible for the network problems titled: The people at these room numbers are responsible for the outage at x date.
For a start you can make sure that they are all using Firefox. Maybe disable any IE usage on the network? That's what I would do. Build a script that sees IE is being used and sends them to www.getfirefox.com no matter what url they are typing in/ clicking on. This should at least halve your problem.....
rhY
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
You have no control and no authority. There's nothing you can do. At best, you're a paper tiger. At worst, you're a scapegoat the higher ups can blame when everything goes to shit because there really isn't anything you can do to stop them.
If I were you I'd hand over what little power you DO have over the situation and distance yourself as much as possible from the problem.
Best would be to physically disconnect their jack from the network. Not only is it much easier, but it's guaranteed hackproof (unless they can lock-pick into the router room to reconnect their network connection, and if that's the case you have a whole lot more problems than viruses)
Simple:
1. Isolate Student machines by moving to their own VLAN
2. Have Student VLAN pass through firewall that limits access to specific traffic and limits total bandwidth for that network
3. Clean up machines on faculty and staff network
4. Sit back and totally do not care how screwed student machines get
Less Simple:
1. Isolate student machines by moving to their own VLAN
2. Have Student VLAN pass through something like these devices http://www.bluesocket.com/solutions/family.html (or build your own http://www.packetfence.org/). Make yourself popular by setting scans to require machines be clean and have up-to-date virus and firewall protection before assigning an IP address to the client (block access to manually assigned IP addresses).
3. Clean up machines on faculty and staff network
4. Lock your doors
My advice, pack it in -- you're in one of those "responsibility without authority" ratholes that has no exit.
At UB they have disabled ping. And also set up a program similar to Nessus
Open up port 22 on the offending users. 22 caliber.
Old people fall. Young people spring. Rich people summer and winter.
To handle viruses on a network you need control.
It is impossible to handle viruses on an uncontrolled network.
Try using public humiliation. Some combination of the following might work:
Add a server "next to" your DHCP server that can passively monitor for viruses, etc. using things like honeyd and snort. A couple of addresses selected from your DHCP leasable space would work well, too - if you are leasing out x.y.12.2 to x.y. assign to honeyd. Then you can do several things with that info, manually or using scripts. Create a web page that shows which MAC addresses are infected with what. The public humiliation of being p0wned by some lame virus will cause some male students to fix their machines; it may cause other students to ask for help. Or change the DHCP parameters for DNS servers and/or external default ga
Make it a little creepy for them:
Tell them: "If you got banned three times because of virus/worm spreading, you will only be allowed to use net access with a secured linux machine."
They will take care then I guess
</BofH>
As a crouching paper tiger, look out for hidden paper dragons.
This time, it's retaliation for being treated poorly as geeks? Or what?
By getting their machine infected, they've authorized their computer to accept new software. So install new software, mainly the OS. There's a few nice scripts out there that automatically convert machines to Debian or FreeBSD (Debianize / demonize).
Then have fun with it, each week pick a diff iso to format the machines with.. one week knoppix, the next ubuntu, the next morphix, oh the fun.. for weeks!
-- Robi
Anyone that's smart enough to change their mac address, should be smart enough to keep spyware and viruses off their system.
Also my school used to require that students REGISTER their mac address in order to get access, and the switches / dhcp server would only allow registered macs in.
Assuming you know whose computer it is. I imagine you know what room it's in etc... Email all the other users who and what room they're in (other contact info, i.e. phone number etc.), that their negligence is preventing the network from operating correctly. If it's so bad emails don't work, time to start posting flyers... or something like that. Point is, inform all the rest of the users who's responsible for it, and where they can be found... the problem will solve itself ^^
--The Titanic was built by professionals. --The Ark was built by amateurs.
Good. Each time a computer is infected, just DHCP it out of existence. That oughta make them clean up their act real soon now...
once you find the pc that is causing the problem just shut off their network port on your switch... (high level of pissed offedness on the client end) or... move the hosts giving you the problem to a vlan that only has a read only share on a server with the needed av software.. (or get crazy and script out a nice webinterface to it) users can download patches, av software, etc.. once they are patched, let them back on the vlan with access to the net...
sig goes here!
I would threaten violence, myself, and I'm a Quaker pacifist! Actually, much safer would be to shut off their network access. If they can't keep their machine clean, why should it be allowed in public?
-russ
Don't piss off The Angry Economist
You should be able to make the dhcp server give them the address of some linux box as the primary gateway.
With a bit of iptables goodness you could route all their web requests to your own server and display an informative page.
Their virus might still be spewing out traffic but it wouldn't route onto the internet, and by giving offenders private IPs you could stop them hitting other local machines.
if the problem is lack of information, clearly you can't teach them all about security (500 is a lot of people). however, I think that there may be 500 slashdot readers willing to be put into email contact with individual tenants to help them secure themselves (or at least bombard them with linux propaganda)
If you can.. I don't know exactly what hardware you have but if you can.. use VLANs.. have two primary VLANs (the network) & (the morons). When you find a computer that is infected move them to the "morons" VLAN and have your routers have some horrific bandwidth setting for the "morons" VLAN.. you know like 10kbs or something.. therefore they can't yell at you that you cut them off, you are just limiting their ability to infect other users... let them know that once they fix it they will be moved back into the "normal" VLAN.. if you have the right hardware it wouldn't take that much to set up... if you don't have the right hardware it is quite impossible
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
How about requiring that every computer be hooked up through a NAT device? It would kill casual gaming and the only people that would do a DMZ are more than likely the ones that are smart enough to have everything patched. This would stop the spread of viruses as every few pcs would be effectively isolated from the lan. It would also kill campus filesharing which I can guess slows down the network considerably.
Enforcement is simple, they bring the NAT to you and you write down the MAC address, and do MAC filtering. This isn't feasible for this semester, get the Powers that Be in with this and make it a requirement for next semester.
Step 1) Configure two separate subnets with QoS sharing the bandwidth equally between them.
Step 2) Place your computer on network A.
Step 3) Place everyone else's computer on network B.
Step 4) Unplug the phone.
In addition to the technical risky-port blocking solutions that others have suggested, I have 2 non-technical solutions. 1. As another poster suggested, have a sliding scale for how many days you are kicked off the network after bringing it down. First offense, 1 day and the standard lecture. Second offense, 1 week and a heavier lecture. 3rd offense, 1 month with no internet. 2. SHAME. Every time a user brings down the network, post his or her name on the bulletin board explaining who was responsible for everybody else's internet going down. Or maybe a big sign (a scarlet "V" maybe) next to the door of the offending user.
And the problem is that the author is a sucker.
Would you volunteer to cut the grass around these same student dwellings if the housing authority insisted that the grass only be cut with scissors?
You apparently know whose computers cause problems, yet are in a work environment where you are not authorized to disconnect those computers.
You have five choices, in order of most to least pleasant:
- Insist on, and receive, authority to disconnect problem computers at a time and duration solely at your discretion
- Quit
- Disconnect problem computers anyway, and let them fire you for not reconnecting them.
- Acquire a hammer, and hit yourself in the head until you lose consciousness
- Attempt to administer the network with your current level of authority.
Actually, there is a sixth option which involves scissors, which fortunately are more effective on network cable than on grass.
paintball
You're in a bad position. You don't have enough time or resources to deal with this properly. So make your users help you out.
If there's a public forum where you can post information where it will be seen, use it to point out people who are bringing down the network. When the network goes down because of some virus or worm, post a network status update that goes something like this:
"The network outage on April 19th, 2005 was caused by a MegaVirus infection in Jack Smith's computer. You can protect yourself from the MegaVirus by downloading this free virus scanner [include link]."
If Jack keeps showing up in the announcements, his neighbors will get pissed off and egg his car. At the very least he'll get mocked.
Make your own Ultimate windows boot CD, give them out and have them run Luke Firewalker!
Add lots of dire warnings about how "YOUR virus-infected machine is ruining things for everyone".
There's absolutely no point in cleaning the virus off if the user doesn't patch the system. At the height of the Nachi outbreak, a machine would be reinfected before Stinger was finished checking it. Your users will pass the virus back and forth between themselves continuously. If you can't make them patch, then you are, as has been mentioned often above, doomed.
This arrangement is a lot of work to set up, but it might be worth it in your situation. It would look good on your resume, if nothing else :-)
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
if their computer is one that has been used to spread a virus due to not upgrading software or just stupid user syndrome, cut them off.
:-) if I found any computers with problems being 1+ month outdated, I kicked their system for a week or until they properly bitched and I bitched back.
plain and simple, say nicely and politely, since you are not taking the necessary precautions to protect your own system you are endangering all systems on the network and the network itself, and therefore your use of the network is suspended (either until further notice, for a set amount of time or until they prove they know how to protect themselves) -- you choose. I personally like the time limit thing along with telling them to prevent this in the future, learn proper procedure on how to protect yourself from viruses.
sometimes it's the only way to get through to lazy ID-10-T users, hit them where it hurts, and cut them off -- as their actions cause EVERYONE to be cut off by not protecting themselves.
tough but has worked for me in a smaller environment (50 users) -- I got all to properly update each week -- or else
Mike
I heart the RIAA & MPAA, I'm sure it's mutual...
"If you run Windows, and don't have current antivirus, you can't use the network."
Bradford Networks has a SuSE Linux-based system of network policy enforcement. We use it at Bloomsburg University and it's pretty well eliminated our ResNet virus problem.
What exactly is your problem? Do the viruses impact network availability? If they don't, why do you care?
You really should develop a more professional attitude and look the other way, like most ISPs do. You're learning what they already know: it doesn't pay off to hunt down infected customer PCs.
If your ethics don't permit this, you should concentrate on detection, try to script as much as possible, and encourage users to rely on local help (for example, people on each floor who help their neighbours). If you can get away with it, wire your network as if it were a honeypot, and conduct security research on a real network. Interesting results are practically guaranteed, but it's also very time-consuming.
A very simple thing to do is go and download Software Update Services (SUS), set up a local mirror and distribute the client along with a small document helping everybody set it up. Having done that you should probably make sure everyone gets the message that if they don't set their auto updates properly and they get infected their connection will be denied permanently! (it doesn't hurt to exaggerate penalties to users) It's also a good idea to run Nessus and maybe hfnetchk or M$'s base security analyzer(?) to find any rogues out there. As a final suggestion, try using Ntop to track down infected machines quicker and isolate them.
The student co-op where I lived had around 150-170 machines on the network at any given time. We required each user to 'register' through a php form on the local administrative box. Until the user had registered a given machine (mac address) we redirected all web traffic to the 'you must register to use the internet' page.
We generated id keys for each house member ahead of time and required that they have this key to register. When the user came to get the key we gave them a quick overview of what they should and shouldn't do and introduced them to the software cache on the local network (free AV software, firefox, ad-aware, etc..).
Once the user had the registration key in hand they could go back to their room & register their machine in their name (or any number of machines), we then cleared that MAC address for access to our dhcp server.
The benefit of forcing registration is that we knew who owned each machine and where the person lived. If any virus or trojan was bad enough to endanger the network we could go to the switch for that person's floor and pull the plug on their connection.
Alternately if a machine on the network started spewing virus payloads we could just revoke dhcp access and boot the offender off the network - we didn't have to worry about notifying them of virus infestations, we could wait for them to come to us saying "my internet doesn't work, can you fix it?"
1. When you detect virus activity from their system, disconnect them.
2. When they ask to be reconnected, tell them they must ensure that they have removed all viruses. Give them free anti-virus and anti-spyware software.
3. Don't bother to check their computer; you don't have the time. Just charge them a $5 reconnection fee each time. Make sure they are aware that once the network is turned back on for them, if they have a virus, it'll switch off automatically again and they'll have to pay for reconnection again. If they want to get an expert to look at the computer, that's up to them to sort out.
4. Use the money collected to buy anti-virus and anti-spyware licenses, better network firewalls, and so on.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I'm a student at the University of Waterloo (Ontario, Canada), and they have a simple solution.
When you get to residence, you sign a form that says you agree to monitor your computer, keep it clean of viruses, up to date with Windows update, et cetera. The terms are made very clear in it. No agreement, no use of the university network.
On your first offence (banned p2p, virus, anything like that), your network drop is disabled until you pay $25 (Canadian dollars; cue jokes about 2 cents USD) and sign a form acknowledging what you did wrong and that you will take action to avoid it in the future. In addition you have to clean up whatever triggered the disconnect in the first place.
Second offense? Disconnected for the rest of the term. That's the end of that.
Hope it helps!
Join the Empire! http://www.empirereborn.net/
So you're in a university...I would like to think that means you're surrounded by smart, maybe even slightly geeky people.
Send out e-mails to everyone to whom you administer network access and ask for some assistance. (You should already have everyone's e-mail addresses - if you don't, get them so you can inform everyone of network changes.)
Doing your job the best you can as a volunteer may be impressive, but running a small team of volunteers and doing it better is downright shocking.
It seems to me that there is an awful lot of worrying about what the students' needs are without really considering the big picture.
Yes it's valid to say they have work to do and that unplugging them is unfair to them, but also consider the impact that offending users have on the rest of the students.
Take a poll and ask the students if they think that offending students with virus-laden computers should be unplugged from the network. Explain the situation that even a few compromised machines can take down the network.
I bet the answer will be an astounding "Yes, unplug the jerks." but you won't truly know until you ask them.
Students have a reasonable expectation that their network will be useable for their classwork etc, but by the same token they have a responsibility not to interfere with the right of others to use the network.
If you show them how to prevent such issues, and they ignore it, suspend their network access. They will start thinking a little more when they realise they won't be allowed to use the network/internet if they don't protect their computer.
But the problem is these are students and they have work to do.
So what? Crap happens...virus ate your thesis, power went out, printer ran out of ink, blah blah blah. Thing is that if you are a responsible person you have contingencies in place to minimise or eliminate the impact of such incidents. If the work is important, you keep backups, spare ink cartridges, update your antivirus, OS, apps, etc...and most importantly you don't procrastinate to the point where you are in crisis mode. If you don't do all of the above then you should be prepared to follow Murphy's Law. If a mishap is unavoidable, you could be granted an extension.
Thing is, it is standard practice for net admins EVERYWHERE to pull the plug at their discretion should your computer be found to be causing network disruption. That is a standard condition of almost all terms of service. My ISP would knock you off very quickly should they discover an open mail relay, ping flood or other unusual level of activity, and I pay extra for business-grade service. I agree with other posters here--this guy should put in some F/OSS tools to help manage these problems, and immediately terminate all network connectivity of infected machines ASAP.
"I have work to do" be damned. Seriously. Part of growing up and going to school is to learn--and people have to learn the consequences of their actions or inactions--that's life. You have to keep your house clean, pay your bills on time, obey the speed limit and traffic signals, etc. If you don't there are negative consequences. Same goes for PC use: ignoring the TOS, not updating your machine, downloading comet cursors and talking gorillas and chat icons and P2P warez is just inviting trouble. Users who repeatedly do those things despite warnings deserve no sympathy at all and should receive all the wrath the BOFH can deliver.
Vladinator made an insightful post?!
Vladinator, from Geekizoid fame?!
Easy,
Hand out knoppix CD-ROMs to infected students
And have a wall of shame with the names of everyone infected!
I am the unwilling control for my Origin.
Start a virus business. Make money.
Make it mandatory at a certain time for everyone to attend a meeting, schools have places where you can lecture 500 kids. Explain about updating, common viruses & how not to get them, at the meeting explain that they need to have their computer on at a certain time in future. Nessus scan everyone; those who have major faults (out of date computer) pull off the network, those who weren't on give a second chance. Same with those that missed the first meeting, give them 1 extra chance, if they don't do anything yank their internet. Firewalling p2p would help also.
Disconnect everyone at the start of every semester. Reconnect users who pay you $10.
paintball
1) Find someone with a missing finger to pretend to be one of your users. Have him put on a fake finger with some fake blood in it. Get some thuggish looking friends to publicly assault him in front of your users and 'cut off' his finger with some bolt cutters.
2) Skip all the pretending with fake blood & fingers. Just hire some goons straight off to 'educate' your users on network security.
Assuming that clients are on a switched network, move the infected systems to a quarantine VLAN whose gateway IP is the same as the net they came from, but whose outbound requests are NAT'd instead of routed.
Then, use IPTABLES on the gateway to redirect any request on port 80 to a page that says, "You're infected--clean your system!" Maybe even provide them access to the tools necessary to clean their system via that same webpage.
1 Get a computer nanny to block porn sites.
2 Block all P2P programs that are popular.
3 Give each computer a set amount of bandwidth and notify the owner when they exceed this and tell them to run a virus scan.
... in installing antivirus software as they can only detect OLD viruses ! ... in installing anti ( spyware, malware, spamware ) in operating systems that support automatic script ( or anything ) execution.
You all know what OS I'm talking about...
...are tied in to your question/post: Responsibility without authority = insanity.
Consider it a learning experience and change it, either by demanding sufficient authority to enforce network policies sufficient to keep it operational or by withdrawing your voluntary assistance.
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
Disconnect them and have them pay YOU for a support visit to get decontaminated and reconnected for enough that it's worth YOUR time to do it. Present that to whoever you've volunteered your time to as the only workable solution... and either walk when they say no, or watch the problem fix itself as the word gets around.
I also don't have any control over the network infrastructure itself, just over our DHCP server.
Then, my friend, you are SOL.
You can't do what you're asking with this little control over the network.
Ideally, the way you want to do this is to put every computer on its own VLAN. That means that every computer has a direct connection to your DHCP server (and then on the other side you can put your gateways, nameservers etc and switch through to them). Doing this effectively cuts off direct access to each of the computers from each other. Seriously, for an ISP style service where you're providing Internet, it is highly dangerous to allow unrestricted access across the network.
Block every port at the switch by default. Then open ports 80, 25, 110, 21 and maybe some of the IM ports (that's a BIG maybe).
Turn off ICMP. It's not needed for normal users. Yes I know, it's a pain when you're troubleshooting, so turn it on temporarily if that machine has trouble.
Basically, the lockdown has to come from up on high. Locking down a network at the desktop level is folly, and leads to "security by agreement" (which is unenforceable - there's a reason network servers are protected physically). If any one of those desktops is compromised, you're back to square one. If any policies are in place, they must be enforced by the network infrastructure - which you don't control.
My advice - quit this position, and tell whoever is in charge that this can't be done, and that if they want a secure network it's going to take some money.
"And then I visited Wikipedia
We've heard from the:
1. "It can't be done" crowd.
2. "Be tough about it" crowd.
3. "Go behind their backs" crowd.
and others....
How about this:
1. Get everyone's e-mail address so you can send all of them e-mail at the same time. How do you do that? Ask them to e-mail you - that's how. Of course, disinfect anything they send you because they probably will have a virus or two.
1a. How do you get all of them to send you the e-mail? Go buy some of those blank business card sheets (Avery I believe makes these), print up your message, get someone to help you break them apart, and then just tape them to each person's door. In this way you: 1) Don't have to talk to them, 2) Don't try to force them to do what they don't want to do, and 3) Can do it on your own time (like on a floor-by-floor basis). Cost: Probably about $10.00.
1b. Your message? It should be something like:
Dormitory SysAdmin needs your help!
We need your e-mail address as we
are trying to remove viruses and want
to be able to keep you informed. Thanks!
myemailaddress@thedorms.edu
1c. Put notices on doors leading into the dorm and/or bulletin boards also asking for e-mail addresses. If you can, have someone hand the things out to people as they come in and out of the dorms.
2. Set up a blog where everyone can meet and talk about problems. Use the e-mail addresses to send your notice out about the blog and how to access it.
3. Set up appointments with people to meet with them to show them how to protect their system from viruses, ads, cookies, and other problems.
Ok, let's say you've gotten some responses and want to start to go to other people's rooms to help them out. You want to:
4. Use the scheduler built in to every operating system currently in use (i.e. Mac OS X, Windows 98SE and up, Linux, BSD, Solaris, etc...). For those OSes which are older (although I can't see anyone currently in college using an Apple ][+ or even Mac OS 9.x or earlier) download and bring with you some sort of a scheduler. (Even the Apple //gs had a CRONTAB program!). Set their machine up so it automatically, every day, tries to download the latest and greatest updates for the OS, SpyBot, AdAware (or whatever you use), your virus protection program, etc.... The MOST IMPORTANT THING THOUGH - is to always explain what it is you are doing to the person's computer. Don't just dump a bunch of things onto their system. Bring a flyer that explains what it is you are doing and why. Set their system up so they can win and so they don't have to rely on you to be there to make everything function correctly. All of the virus/cookie/ad checking software out there can be set up to function on its own. Some of them (like most virus checkers) have their own scheduling software built in.
4a. NOW! Here is the important thing! Set the virus/ad/cookie (or VAC for short) to AUTOMATICALLY e-mail you with the results. This too can be done via the scheduler. Give the automatically generated e-mail a special header (like [VIRUS|AD|COOKIE] REPORT FOR ROOM X). There are e-mailer programs for all operating systems which run from the command line. So just make a little batch program/shell script to create your report and e-mail it to you. Again, write it all down in the flyer you are going to give them so they don't freak when their system suddenly starts doing things (like checking for viruses or sending e-mail).
4b. Most virus software's report will read "VIRUS FOUND" and then tell you where and when the virus was found. Write yourself a short Perl/PHP/C script which will read these e-mails and sort out which ones have viruses and which ones don't have them. Since you made the title have the room number on it - you automatically know who is having problems. So you can e-mail them back and set up a time to go over to fix any problems they might be having. Further, you can produce statistics on where the greatest problems are and post these fi
Someone put a black hole in my pocket and now I'm broke.
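The sorting script that step 4b asks for, as an added example that is not the poster's code: it reads the nightly report mails, takes the room number from the Subject, pulls out the VIRUS FOUND lines, and tallies infected rooms per floor. The message layout, the room-to-floor rule (first digit of a three-digit room) and the sample reports are all assumptions.

```python
"""Triage the scheduled scan reports each room's machine mails in (added example).

Assumed format: Subject "[VIRUS|AD|COOKIE] REPORT FOR ROOM <n>", one
"VIRUS FOUND: <detail>" line per hit in a text/plain body.
"""
import email
import re
from collections import Counter
from email.message import Message
from typing import Iterable, Optional

SUBJECT_RE = re.compile(r"\[(?P<kind>[A-Z|]+)\]\s+REPORT FOR ROOM\s+(?P<room>\w+)", re.I)
FOUND_RE = re.compile(r"^\s*VIRUS FOUND[:\s]+(?P<detail>.+?)\s*$", re.I | re.M)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a bare message counts as one part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def parse_report(raw: str) -> Optional[tuple[str, list[str]]]:
    """Return (room, [virus details]) or None if the mail is not one of our reports."""
    msg = email.message_from_string(raw)
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    if not m:
        return None                      # unrelated mail or mangled subject: ignore it
    findings = [f.group("detail") for f in FOUND_RE.finditer(_body_text(msg))]
    return m.group("room"), findings


def triage(raw_messages: Iterable[str]) -> dict[str, list[str]]:
    """Map room -> virus details; a room whose scan was clean maps to an empty list."""
    by_room: dict[str, list[str]] = {}
    for raw in raw_messages:
        parsed = parse_report(raw)
        if parsed is None:
            continue
        room, findings = parsed
        by_room.setdefault(room, []).extend(findings)
    return by_room


def rooms_needing_visit(by_room: dict[str, list[str]]) -> list[str]:
    """Rooms that reported at least one hit, sorted so the list is stable to post."""
    return sorted(room for room, found in by_room.items() if found)


def infections_per_floor(by_room: dict[str, list[str]]) -> Counter:
    """Infected rooms per floor; assumes the first digit of the room is the floor."""
    return Counter(room[0] for room, found in by_room.items() if found)


# Constructed sample mails (not real scanner output); Nachi is the worm named in the thread.
SAMPLE_REPORTS = [
    "Subject: [VIRUS] REPORT FOR ROOM 312\nFrom: scan@room312.dorm.example\n\n"
    "Scan started 2005-04-19 03:00\n"
    "VIRUS FOUND: W32/Nachi.worm in C:\\WINDOWS\\system32\\wins\\dllhost.exe\n"
    "VIRUS FOUND: Trojan.Sample in C:\\temp\\setup.exe\n"
    "Scan complete: 2 infected files\n",
    "Subject: [VIRUS] REPORT FOR ROOM 415\n\n"
    "Scan started 2005-04-19 03:00\nScan complete: 0 infected files\n",
    "Subject: [AD|COOKIE] REPORT FOR ROOM 118\n\n"
    "VIRUS FOUND: W32/SampleWorm.A in C:\\WINDOWS\\sample.exe\n",
    "Subject: Re: party Friday?\n\nVIRUS FOUND: just kidding\n",   # not a report, skipped
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    print("visit:", rooms_needing_visit(result))
    print("per floor:", dict(infections_per_floor(result)))
```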
Etherkiller
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Also take a look at this firewall-wizards post:
http://honor.icsalabs.com/pipermail/firewall-wizards/2004-October/017533.html
The question was about securing wireless networks, but a lot of it still applies.
You should certainly punish the virus writers, if you can catch them. And you should possibly punish M$ for how big of a hole IE still is, even if Windows itself is better than it used to be. But none of that matters.
To use society's resources, you have to follow society's rules. I can go buy any car I want and drive it at 200 mph - on my own track. But if I want to drive on streets I have to follow the rules, as they apply to my actions (hitting things) even when they may not necessarily have a direct negative impact (speeding, driving on the sidewalks) have only a paper impact (licensing, insurance, registration) or only a preventative impact (headlights, brake lights...)
I can also go buy a used car and have the brakes suddenly fail, running over someone's garden. Note that even if I didn't know, I'm still responsible for the cost of that garden, (unless I JUST bought it and can pass the blame to the previous owner) If the brakes were recalled, it's still my fault for not getting them fixed. If they WEREN'T recalled, but should've been, then that's not my fault.
If you're already providing appropriate, simple, free, publicized resources _that they didn't use_ they are being negligent at best. Kicking them off until sometime after they fix it is a MINIMUM penalty for such negligence.
Arguably they should have to pay for the cost of your time to fix their computer (mandatory since they didn't do it the first time) and to repair any problems caused by their problem - and STILL be penalized in terms of being online.
(Personally I believe that a kick-until-fixed first warning is probably a necessary threshold of publicity - but even the second time they aren't listening I think it'd be very reasonable to escalate it.)
To be clear, I don't think it's reasonable in today's world to hold them accountable for anything their computer does. I think it's NECESSARY to hold them accountable for not following your security procedures to defend against it. Which means you're still going to be snuffed by the virus that exploits the OS hole no one has put out a patch for yet - and I wouldn't blame that on the first kid to get it.
I agree with the other posts - you have to get kick/ban/unplug authority, you have to quit, and/or you have to get paid. 1 of those might do...
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
No point beating around the bush - best to nip the whole problem in the bud.
:)
FWIW, in a college I lived in for three years we had absolutely no security for as many as 1000 people, and we never had any significant network issues, despite the constant virii and other malware roaming around.
IMHO, the best solution is to just "shape" bad users down to the slowest speed possible - dialup if your switch supports QoS for it, otherwise just 10 m/bit or similar. One bad user getting disconnected and whining to someone above you could get you in a bit of trouble - but sapping their speed won't be a reprimandable offense, and will curtail a large part of the problem.
And I wouldn't worry too much about being speedy about removing the limits - just tell them the system is updated once a week, and the next update happens to be just under 7 days from whenever they demand it.
Go to the Fortinet web site. A FG100A unit in each dorm, together with HP2524 switches with port-to-port security, or a separate VLAN for each user, will turn the whole problem into a non-issue.
Oh well, what the hell...
SHUT OFF their service when their machines get infected/contagious.
Make them come get a CD with virus-removal tools and windows updates on it.
they don't get service until they fix and upgrade their computers. it's their problem, their responsibility.
if they stick to their habits of vulnerability and irresponsible configurations/surfing, too bad for them, they'll have to come to you to get their service turned on ALL THE MORE FREQUENTLY: oh well.
my university disconnects machines right when they go virus-haywire.
ALSO: at least to curtail spyware, have everyone install firefox/k-meleon (etc) AND GIVE THEM AN INTERNET EXPLORER (blue "e") SHORTCUT FOR IT.
it works to get people to go to openings or things of that notion. Send an email with a link to the avast free AV for home users, and tell them to install it. It will update itself and they won't even have to touch it. Find a free program like adware that updates itself, or if they run MS (yes I know, but some do), make them get the Giant antispy that updates itself and protects while surfing. If it's free, they will do it normally. I get the same question day in and day out, "what would you recommend for home AV and spyware?", to which I respond if MS, use avast and MS AntiSpy (Giant). It's free, does all the work, and should help you out quite a bit.
2^n WEEKS of disconnection for the offending user :-)
n being the incident counter (set to 0 on moving in, never reset)
works
But even then, all it takes is a simple exploit + root privilege escalation to screw the network again. I wouldn't place secure Linux administration in the hands of users that can't even keep their windows virus definitions up to date.
One of the most powerful things in that kind of environment is peer pressure. Make it very clear via email what the problem is and what is causing it. When there is a problem, run some port scanners and identify the problems and the users that are causing the problems. Let the problems persist and send a mass email identifying the users and the nature of the problem along with the fix (yes the email to all will be slow due to the probs but that's part of the strategy). Peer pressure will do the rest.
# 1. Kill every user on the network, once done, you will have no problems
# 2.Install deepfreeze and make each user a password protected work drive where they can store documents
Make them pay you $50-$100 to reconnect to the network for each offense. Either the viruses will stop, or you will become very wealthy! It's a win-win situation.
Since you only control the DHCP server, and can't pull plugs or cut cables...
1. Identify the offending MAC address.
2. Reassign that MAC address to an IP address on a separate subnet that can only access a web page on a crappy little 486 with OpenBSD with instructions on installing the hot-fixes and AV software on the CD that you'll leave in their mailbox in the morning, maybe tomorrow, maybe next Thursday.
3. Publish the names of the residents whose computer is stopping everyone else from getting email, pr0n, WoW, evercrack, whatever.
4. Lock your room, put the stereo on real loud (use headphones if you must), and finish your assignments (or level up your Taurean Shaman).
5. Drop off the CDs at your convenience.
Alternatively, drink heavily before, during, and after any virus related service issues. Oh, and don't wear pants.
i am endorsed for the carrying of dangerous goods, please be giving me your depleted uranium
Take the MAC addresses of your problem children and give them reserved addresses in a blackhole net that has no Internet access. Sure, the smart ones can snag their own static IPs, but the smart ones aren't your problem (and are probably already doing that).
"Nothing was broken, and it's been fixed." -- Jon Carroll
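One way to do the DHCP-only quarantine that this post, the "reassign that MAC address to a separate subnet" post and the earlier "make the DHCP server give them a Linux box as gateway" post describe, as an added example that is not any poster's code: it turns a list of offending MACs into ISC dhcpd host reservations on a separate quarantine subnet. The subnet, gateway, lease and sample list are constructed, and a matching `subnet` declaration for that range is assumed to exist in dhcpd.conf.

```python
"""Park quarantined MACs on a separate DHCP subnet (added example, not any poster's code).

Assumptions: ISC dhcpd syntax; a constructed quarantine net 10.66.0.0/24 with a
'subnet 10.66.0.0 netmask 255.255.255.0 { }' declaration already present; its .1
is the Linux box that answers every web request with the "you're infected" page
and sinkholes DNS.
"""
import ipaddress
import re
from typing import Iterable

QUARANTINE_NET = ipaddress.ip_network("10.66.0.0/24")   # constructed
QUARANTINE_GW = ipaddress.ip_address("10.66.0.1")        # captive "you're infected" page box
FIRST_HOST_OFFSET = 9        # hand out .10 upward; .1-.9 kept for infrastructure
LEASE_SECONDS = 300          # short lease: a cleaned host gets its normal address back quickly


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_quarantine_list(text: str) -> list[tuple[str, str]]:
    """Parse '<mac> <room>' lines; '#' starts a comment; a MAC listed twice is kept once."""
    seen: set[str] = set()
    entries: list[tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<mac> <room>', got {raw!r}")
        mac = normalize_mac(parts[0])
        if mac not in seen:
            seen.add(mac)
            entries.append((mac, parts[1].strip()))
    return entries


def build_dhcpd_quarantine(entries: Iterable[tuple[str, str]]) -> str:
    """Emit one dhcpd 'host' block per quarantined MAC with a fixed quarantine address.

    Caveat (the poster's own): a user who sets a static IP sidesteps this, and on a
    flat LAN the worm's traffic still reaches the wire; real isolation needs the switch.
    """
    entries = list(entries)
    pool = list(QUARANTINE_NET.hosts())          # 10.66.0.1 .. 10.66.0.254
    if FIRST_HOST_OFFSET + len(entries) > len(pool):
        raise RuntimeError(f"{len(entries)} hosts do not fit in {QUARANTINE_NET}")
    out = [f"# quarantine reservations: {len(entries)} host(s) on {QUARANTINE_NET}"]
    for n, (mac, room) in enumerate(entries):
        addr = pool[FIRST_HOST_OFFSET + n]
        out.append(
            f"host quarantine-{mac.replace(':', '')} {{\n"
            f"    # {room}\n"
            f"    hardware ethernet {mac};\n"
            f"    fixed-address {addr};\n"
            f"    option routers {QUARANTINE_GW};\n"
            f"    option domain-name-servers {QUARANTINE_GW};   # sinkhole DNS on the same box\n"
            f"    default-lease-time {LEASE_SECONDS};\n"
            f"    max-lease-time {LEASE_SECONDS};\n"
            "}"
        )
    return "\n".join(out) + "\n"


# Constructed sample list; the MACs and rooms are not real.
SAMPLE_LIST = """\
# <mac> <room>
00:11:22:33:44:55   room 312
DE-AD-BE-EF-00-01   room 415   # flooding since Tuesday
0011.2233.4455      room 312   # same machine written differently; dropped
"""

if __name__ == "__main__":
    print(build_dhcpd_quarantine(parse_quarantine_list(SAMPLE_LIST)))
```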
The problem is that they are all running on the same LAN. Which allows for propagation across network shares. Now that I've said that, I realize how much bandwidth it must be sucking for just UPnP.
So the problem is that he doesn't have control over the network enough to make it secure, and he hasn't demanded it, and still cares even though they won't give him control.
Please stop stalking me, bro.
You've got two choices: An all-out technical and political war or simply giving up. The truth is that it depends on your circumstances. If you've got some support, you can come up with some nice technological solutions and have the administration back you up. If you're in this alone, I find myself asking why you care.
:-) Just some words of experience...
If you decide to go for it, you need a policy. If you want on the network, sign here. If you don't like the terms, feel free to get DSL from your local ISP. Depending on your resources, you can have manageable hardware and proxy servers which detect port scanning and disable the machines responsible (the actual port, not just the IP address).
Like I said, either go for it all or just drop out. It sounds questionable if it is even worth your time.
P.S. If they say "I cleaned my machine", tell them "Prove it."
Now if only we could implement some of these solutions on the highways and streets here in New Jersey. Even go a step further, how about the walkways at the mall. ;-)
I feel like the highly-rated comments all miss one of the most important points: Once you're infected, running an anti-virus program doesn't fix your problems.
To me it sounds like it isn't that people don't want to have a "good" computer, but rather that they need to reinstall their operating system (and patch, etc.) but don't.
If they're pingflooding you, can't you just configure the switches to drop ICMP? (You can ping over udp quite easily, but it's not known). If they're generating massive useless traffic, filter broadcasts, and multicasts?
Be more brutal with your firewall? Block all non 80/22/25/other-common-important-stuff, and then only open ports on request, for those who need them?
You do have a decent firewall, right?
My UID is prime. Is yours?
If you want to get their attention you have to charge MONEY. Start charging a reconnection fee for computers that are causing too much traffic/viruses, hand out an instruction sheet on how to keep a computer clean, and watch the number of offenders drop exponentially. It's the only sure-fire way to make sure they'll learn, plus you'll have some extra money to spend on either the network or yourself.
I worked at Arizona State University, and here's how they dealt with it:
Every student has to register their mac address with their ID. If any computer registered to that ID spams viruses, all of them get deregistered, and the ID is locked out. Then they have to attend a mandatory security meeting.
Now, they have a piece of software which must be installed on your computer, which does realtime checking of a firewall and virus scanner. If those aren't installed, you can't be on the network.
They lock people out based on mac address. If you change your mac address, sure, you can re-register, but you gotta find a friend who's willing to attend the mandatory meeting in two days when you get his login name banned too.
Another big problem is people plugging routers in backwards. They basically become DHCP servers to the network, and can prevent people from getting real addresses. We had one router take out 40 people.
All in all, I'd say the PLAN isn't bad (other than forcing you to install software), but it sure wasn't good. I won't go into how badly it was actually implemented, I'll just say: IF YOU WANT GOOD INTERNET, STAY AWAY FROM ASU--ESPECIALLY GAMING. It cuts out at least once a week, and they block gaming.
Here's how it should be done:
1) The switches on each floor need to block DHCP offers coming FROM the residents. That's a must.
2) Block RPC ports on all switches, as well as samba shares, and any outgoing email traffic NOT going to YOUR email servers. Allow foreign email on a person-by-person basis... if someone has an email server hosted for them, for instance.
3) Block all other windows services ports. Windows has a limited number of services to attack. Other than RPC, there's 3 or 4 ports that can be attacked. Block all traffic on these--I forget the numbers, but if you do a network scan when viruses hit, you'll learn them quickly. Usually, they're not used by residents... they're like remote administration, etc.
If you lock down those ports for all traffic, and block outgoing packets to standard IMAP ports, I'll bet you'll cut down your problems by 99%. I just hope you have managed switches on the floors.
-=Lothsahn=-
You say you only control the DHCP server. In that case that's the end of your responsibility. Make sure the DHCP server remains stable and healthy. Make those who control the network deal with the problem. There are tons of solutions to this problem but since you are not really in control of many parts of the network it's not your problem.
While expensive anomaly-based and signature-based products do exist, as well as open source applications, you can simply look for one general worm characteristic: large ARP storms. Nearly all worms will attempt to contact a large number of systems with haste, generally above the 15-25 ARP/sec thresholds.
Pipe a simple tethereal arp filter into a perl script. You can measure these rates on a per host basis. After automatically identifying culprits, disable the ethernet ports using an expect script or perhaps the Cisco Perl module if you are running Cisco switches.
Now, this is only useful if you are able to access these switches or convince another party to grant you this.
If you don't even have access to switches, another option is to grant only very short DHCP leases and run a script similar to the one above. For violators, either ignore their dhcp requests, or offer them a lease to some blackhole network that is unreachable.
With either solution, people will complain that they are not able to gain network access. Offer to clean their machines, and put them back on the network. If they continue to behave badly, the punishment will repeat.
While we have long since invested in anomaly-based detection systems due to worms, we once had to use the tethereal script for some of the first dcom worms. It was a life saver/network saver.
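The per-host ARP rate check described in this post, written out as an added example of my own (Python instead of the poster's perl, and not the poster's script). It assumes input lines shaped like what `tshark -T fields -e frame.time_relative -e eth.src -e arp.dst.proto_ipv4` prints for ARP traffic (tab-separated); the 20/sec threshold, 5-second window and the sample capture are constructed.

```python
import sys
from collections import defaultdict, deque

THRESHOLD_PER_SEC = 20.0   # assumption: inside the 15-25 ARP/sec band the post mentions
WINDOW_SEC = 5.0           # assumption: sliding window over which the rate is measured


def parse_line(line):
    """Parse one 'time<TAB>src_mac<TAB>target_ip' line into (t, mac, ip), or None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1].lower(), parts[2]
    except ValueError:
        return None


class ArpRateMonitor:
    """Tracks ARP requests per source MAC over a sliding time window."""

    def __init__(self, threshold=THRESHOLD_PER_SEC, window=WINDOW_SEC):
        self.threshold = threshold
        self.window = window
        self.times = defaultdict(deque)   # mac -> timestamps of recent requests
        self.targets = defaultdict(set)   # mac -> distinct IPs it asked for
        self.flagged = {}                 # mac -> (time, rate) when it first tripped

    def observe(self, t, mac, ip):
        """Record one request and return the host's current requests/second."""
        q = self.times[mac]
        q.append(t)
        self.targets[mac].add(ip)
        while q and t - q[0] > self.window:   # drop requests older than the window
            q.popleft()
        span = max(t - q[0], 1.0)             # never divide by a near-zero interval
        rate = len(q) / span
        if rate > self.threshold and mac not in self.flagged:
            self.flagged[mac] = (t, round(rate, 1))
        return rate

    def report(self):
        """Flagged hosts, worst first: (mac, rate_when_flagged, distinct_targets)."""
        rows = [(mac, rate, len(self.targets[mac]))
                for mac, (_, rate) in self.flagged.items()]
        return sorted(rows, key=lambda r: r[1], reverse=True)


def scan(lines, threshold=THRESHOLD_PER_SEC, window=WINDOW_SEC):
    """Feed an iterable of capture lines through the monitor and return it."""
    mon = ArpRateMonitor(threshold, window)
    for line in lines:
        rec = parse_line(line)
        if rec:
            mon.observe(*rec)
    return mon


def make_sample():
    """Constructed capture: a quiet host plus one host sweeping 10.0.0.0/24 worm-style."""
    lines = []
    for i in range(10):                      # quiet host: one request every 2 s
        lines.append(f"{i * 2.0:.3f}\t00:11:22:33:44:55\t10.0.0.{i + 1}")
    for i in range(200):                     # noisy host: 50 requests/s for 4 s
        lines.append(f"{i * 0.02:.3f}\taa:bb:cc:dd:ee:ff\t10.0.0.{i % 254 + 1}")
    lines.sort(key=lambda s: float(s.split("\t")[0]))
    return lines


if __name__ == "__main__":
    # With a file argument, read a real tshark field dump; otherwise use the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else make_sample()
    for mac, rate, n in scan(source).report():
        print(f"{mac}  {rate:.1f} ARP/s  {n} distinct targets  -> candidate for port shutdown")
```

The distinct-target count is the second signal worth keeping: a busy file server also ARPs a lot, but a worm asks for hundreds of different addresses in sequence.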
A quick way to handle the situation you describe is to detect the infection from outside and then shut down (or limit) service to the affected hosts. Sniffing network traffic to assess infections is the most accurate way, but here's another technique. Most viruses are involved with spamming in one way or another, and as such, infected hosts are detected out on the Internet.
What you should do is routinely grab (rsync) a full listing of blacklisted hosts from CBL, DSBL and elsewhere... and then use the grepcidr program to hunt for IP addresses from your network inside those huge lists.
This can be totally scripted. If you locate infected hosts, you can then revoke or cripple service to them one way or another. Examples of crippling would be to reduce available bandwidth (tarpit on a linux router), blocking all but the most essential outbound ports at the firewall. Or you could be more brutal and just revoke their IP connectivity.
I work for a major AV company, so feel free to take this with a grain of salt.
Don't waste your time dealing with the symptoms of these virus attacks. Do something about the source: Insecure Windows-based desktop PCs.
Get your school to purchase a site license for a computer security suite that has an anti-virus engine, anti-spyware engine, a firewall and remote administration. My alma mater is a McAfee customer. They use EPO to manage and push updates to every Windows machine on campus as well as to control the firewall settings. I'd expect that Symantec's offerings are similar.
If your university's IT department has any budget at all, it should be an easy sell. They will quickly recover the cost of the software licenses through bandwidth conservation and fewer support tickets related to infected machines.
What you need is the right tool for your virus cleanings. Once you delete the virus properly, I don't suspect their computer will be causing your network any more problems.
We use Net Squid to do that. Essentially it's a PC acting as a transparent bridge sitting in the middle of the fiber uplink from each dorm. It uses a combination of Snort, Squid, and IPTables. If a computer starts misbehaving, it'll get added to a block list for 15 minutes, which will allow access only to a web page that downloads our site-licensed copy of Sophos Antivirus.
You control the DHCP server, right? I assume it's a PC and not a router, and I assume the DHCP server has interfaces on each network segment.
Multi-home the DHCP server. If it's currently 192.168.0.254, also give it the address 192.168.1.254. If it's already multi-homed, just add a new, isolated address range of your choice.
Set the DHCP server to renew addresses every 5 minutes instead of the usual several days.
If a PC is found to be infected, change its IP address to the 192.168.1.x block. The 1.x block will be isolated from the 0.x block and from campus.
Put up an MS-Windows file share, a Mac file share, and an ftp site on 192.168.1.254 containing antivirus, anti-spyware, and other security programs for all platforms you care to manage. Also put up a web page with help on using them.
Email all students and post signs saying "Internet not working? Visit http://192.168.1.254 and follow the instructions BEFORE calling the help desk."
The help desk should tell people to "click here where your system is disinfected and wait 5 minutes for a new IP address." Sophisticated users will figure out they can just renew their IP address manually.
A simpler version of the same, but it only works with some OSes - refuse to grant an IP address. The client will default to a set of reserved addresses in the 169.254/16 block. Put an ftp/windows/mac file server and a web page in this network address space, so these people can see it.
A more sophisticated version of this:
The first time you see a MAC address, do the same thing, and on the 192.168.1.254 web page, have a button that says "new computer." Force the user to enter his name and email and agree to run appropriate software, then email him a copy of it. If he ever gets a virus, email him a reminder, and after a certain # of violations, alert someone higher in the food chain so they can make sure the student fully understands WHY he must keep his system clean.
Another "trick" is to give your DHCP server the address of 192.168.1.3 with a hostmask of 255.255.255.254. Give the connecting client 192.168.1.4, and immediately add yet another interface to your DHCP server, this time 192.168.1.5, again with the hostmask 255.255.255.254. The next customer to connect gets 1.6, and so on up to .253 and .254. Recycle after that. Use 192.168.2 through 192.168.254. if necessary. This will keep infected computers isolated from each other and prevent re-infections in the event of a mass outbreak.
Disclaimer: I've never actually tried this, but it should work. I have no idea how well this will scale to 500 infected computers connecting all at once.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
First off I work for a California University Resnet and we're facing the exact issues you are at the moment and are putting together a few different systems to combat them.
You really want to let the students know about AVG virus software by Grisoft (grisoft.com). It's free, runs 9X,2k,and XP, uses a low amount of resources and it finds more than Norton usually does. They generally update their defs once a day and defs are pulled from Akamai servers so it's quite speedy. A good one time scanner that finds a lot of tricky Trojans is Housecall by Trend Micro. (housecall.trendmicro.com)
Then since everyone doesn't listen to your advice you want to find people that have viruses. We set up a Linux box running Snort (rules based intrusion detection), MySQL (to dump log data to), BASE or Aanval (log analysis off MySQL data), and Oinkmaster to grab the official snort.org and bleedingsnort.org rules once daily. The system works fairly well and alerts us when user machines are scanning the network.
VLANs. People will get infected and you won't be able to disconnect them immediately so slow the spread by dumping users into VLANs. We will be putting each of our buildings into its own VLAN next semester. You get a virus; you infect your buddies and that's it.
NetReg. NetReg is a user registration system that lets you better track down virus infected machines. It's based off DHCPD and BIND. Basically a student who plugs in for the first time gets a bogus non-routable address with a name server that redirects to your NetReg server. The user registers their computer based off LDAP or SMTP data and their MAC address to user association is stored in an Oracle or PostgreSQL database. This is a great time to force students to read your policies and inform them of Virus / Spyware tools. Once the user registers they are from then on given a valid DHCP address. If the user becomes infected with a virus later on you can put them in a group that informs them they've been infected, and only allows them to surf to websites you choose (like virus companies or windowsupdate.com). We haven't set this server up (it's actually my internship for this summer), but a lot of schools are using it with great success.
Tools Windows Fun:
Microsoft Anti-Spyware
Adaware
Spybot
Housecall.trendmic
HiJackThis
WinSockXP Fix
There's a ton more things you could do, but it's hard to recommend without knowing what type of switching equipment you have. I hope this helps.
Tim Smith - Ramblings from Nerd Land
The most powerful goal you have here is to segment your network.
You can do this strictly through the DHCP server by using several scopes.
Pass out the following IP's and give your main gateway multiple IP's, or have a machine act as proxy (with multiple gateway ip's for your lan's).
With enough segments, you can isolate problem PC's down to groups of ten or less depending on how you break up your private (or even public) ip's. This will make the majority of other users on your network unroutable to malicious viruses.
Just make sure your gateway (the one with all the .1 IP's for each segment) doesn't route traffic through itself to the other segments.
Gateway = 172.30.1.1, *.2.1, *.3.1, *.4.1, etc....
172.30.1.1 255.255.255.0
172.30.2.1 255.255.255.0
172.30.3.1 255.255.255.0
172.30.4.1 255.255.255.0
etc........
If you have a minimal budget, and your users don't need public IP's, you can buy a bunch of SOHO routers... for about 10-15$ a piece.... 300$ can get you 20 linksys's....
put 25 users on each linksys (with the WAN ports connected to your gateway).... and your users can't directly attack each other (except for the smaller networks behind the linksys's).
If your users have no need at all for direct access to each other... just set out your scope as 255.255.255.255.
192.168.1.1-255 / 255.255.255.255 gateway: 192.168.1.1
now your users can only reach the gateway and themselves.
As to email viruses, with DHCP you can force traffic to move through any machine you like, and set up a proxy between your "real" router and the network.... that proxy can filter port 25.... looking for viral email.
These solutions aren't perfect, but they will greatly slow down propagation across your network, allowing you to respond much faster to problem children without having one bad computer infect everyone else. --VISION
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
Ok,
:-)
This takes a bit of setting up, but when done this is brilliant. If done right, you'll never get a support phone call again, and you can even use the system to ensure that everyone receives urgent messages, e.g. "A new virus came out today, click here to download & run this patch, and then you will be allowed to continue surfing."
Step 1.
Setup triggers, ideally something like Snort with extra triggers for bandwidth overuse, large packets/second, too many of packet X, whatever. The trigger stores the IP, and kind of "triggering offence" for use in later steps.
Step 2.
From the IP you have the MAC, as you own the DHCP.
Step 3.
You reconfigure the DHCP so that the offending MAC gets a private IP (which you block, right?), next time they request one, and a "special" DNS server.
Step 4.
You send a DHCP NACK to that IP to force them to release their IP address (+ DNS settings) and re-request them again.
Step 5.
Your "special" DNS server always returns the same IP for 'A' record lookups - a special web server, also with a private address. MX lookups should also always either fail, or return 127.0.0.1, just to slow email viruses down. Now the offender types "www.google.com", but always goes to your special web server !
Step 6.
Your special web server says "Hi user, you have been quarantined because it looks like you have a virus! Download & install this antivirus program, anti-spyware, firewall and patches, and then your PC should be both clean of nasties, and able to use the internet. Once you've done all this you will still need to wait one hour before access is restored."
Step 7.
Provide the stuff they need, as above, on the special webserver.
Step 8.
Verify they have done as asked (at least downloaded the stuff, from the www logs), and if so, reconfigure the DHCP to give them normal access, after an hour's ("negative reinforcement") delay.
Really smart folk can make the returned MX lookup replies in step 5 point to a "special" email server, which runs everything through ClamAV, and logs back to the special webserver. Now the users get the message "You are infected with the XXX virus. Click here to download antivirus, bla, bla". Cute eh?
Good hunting,
Dom
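The "special" DNS server from step 5, as an added example of my own (not Dom's code): a minimal UDP responder that answers every A query with the quarantine web server's address and fails MX and every other type with NXDOMAIN. The captive address 192.168.1.254, the 60-second TTL (kept short so cached sinkhole answers expire soon after a host is released) and the listening port are assumptions; the query built in the test is constructed.

```python
import socket
import struct

CAPTIVE_IP = "192.168.1.254"   # assumption: the quarantine web server's address
SINKHOLE_TTL = 60              # seconds; low so stale answers die quickly after release
QTYPE_A, QTYPE_MX = 1, 15
RCODE_NXDOMAIN = 3


def encode_name(name):
    """'www.example.org' -> DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """A standard recursive query with one question (used for the test/sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (qname, qtype, qclass, offset_after_question) of the single question."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def build_response(query):
    """Sinkhole policy: A -> CAPTIVE_IP; MX and anything else -> NXDOMAIN."""
    qname, qtype, qclass, qend = parse_question(query)
    txid = query[:2]
    question = query[12:qend]                  # echo the question back unchanged
    if qtype == QTYPE_A and qclass == 1:
        flags = 0x8180                         # QR=1, RD=1, RA=1, RCODE=0
        rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, SINKHOLE_TTL, 4)  # name = pointer to question
        rr += socket.inet_aton(CAPTIVE_IP)
        return txid + struct.pack("!HHHHH", flags, 1, 1, 0, 0) + question + rr
    flags = 0x8180 | RCODE_NXDOMAIN            # slows mail worms: no MX to deliver to
    return txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def answered_ip(msg):
    """The address in the first A answer of a response, or None."""
    _, _, _, qend = parse_question(msg)
    if struct.unpack("!H", msg[6:8])[0] == 0:   # ANCOUNT
        return None
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[qend + 2:qend + 12])  # skip 2-byte name pointer
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return socket.inet_ntoa(msg[qend + 12:qend + 16])


def serve(bind_ip="0.0.0.0", port=53):
    """Answer queries forever; malformed packets are dropped silently."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            pass


if __name__ == "__main__":
    serve()   # needs privileges for port 53; point the quarantine DHCP scope's DNS option here
```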
If all you've got is control of the DHCP server, your hands are pretty tied. I would suggest setting up fixed leases and BOFH'ing students into submission. Kill the lease of infected machines, then bring 'em back once the infected system is clean. You don't have to be a dick about it, just bring the system back on at your leisure. Of course, you've got class all day and an exam tomorrow, oh and you're going home for the weekend...
Make it clear in polite, simple terms what the users' responsibilities are, what will happen if they don't keep their system clean, and why you have to take the action you do. Maybe put together a standard "so you fucked up your system and got kicked off the network" sheet. Educate as much as possible. Yes it feels like you're talking to a wall. But the users will either evolve (get sick of being off the net) or die (find other ways of getting their computing needs met.)
Some people have suggested Microsoft SUS. You need to be able to apply a group policy, or make registry changes on the remote machine. Since you're not in charge of the domain controller, this is a moot point. Also, SUS only works on XP and 2000, so it may not help all users.
There are some people that if they don't know, you can't tell 'em.
This way, you let everyone else do your job for you.
http://ablegray.com
... just turn off the DHCP server. Most of the problem will be fixed.
1. Require all viruses to be registered with IT.
2. Filter out all packets with the "evil" bit set.
3. Route web traffic through a government-approved Chinese proxy for free content filtering.
4. Require Xboxes for gaming. All the games are coming out for Xbox first anyway. Require all porn to be in magazine form.
5. Repeat offenders will be loopbacked.
Let everyone else do the work for you. Post their names next to the outage. It should pretty much solve itself from there.
Don't know your network layout, but if it's not a totally flat network, try blocking ICMP at any routers as a first step.
PS not a coward just not that much to say
Good ideas. I'd mod you up if you I had the points.
Could you not alter a Knoppix distribution and distribute a copy to each student (hosting a cd image on the network which can be updated with uni specific programs, information, documentation etc... which they can burn their own copy of if they lose it) so the only way they can access the internet is through booting from knoppix (and if they do anything daft they just need to reboot) voila! no virus or spyware probs, and you might just convert a few people to using linux too :) ,and give people with infected windows systems a means to fix their computer...
If novirusesfor30days and n>0 n=n-1.
If startofsemester n = n/2 - not quite a complete reset, but it gives hope to freshmen who get a big n who want n=0 by graduation.
Depending on budget and the amount of power you have, you have a few different options.
First off you mentioned encouraging students to install anti-virus software. Take it a step farther; write a small .exe file that e-mails you confirming presence of an anti-virus program. Let it automatically download and install one with their permission if they don't have it. An afternoon of VB programming can return all the information you need, and is well within the capabilities of anyone in the programming department. Especially with WMI, which is a Windows Scripting language that (IIRC) is built to scan for things like registered virus detectors. Before the user verifies his/her computer, limit access to outbound port 80 only. This can be fairly easy with control of the DHCP server; assign those computers their own subnet that's aggressively filtered by the firewall.
If you're savvy enough you can even automate the verification process completely with a custom service running on the DHCP server.
This should work relatively quickly to get most of the student base verified as running anti-virus.
If you've got a budget to make it happen an extra box serving as e-mail and web proxy is a good idea. I'm not sure what the options out there are, but surely there are free e-mail and web proxy scanners out there. Most of them simply disallow dangerous attachment types and let all other traffic through.
When a virus hits you've got a couple options. Very first thing to do is put them in their own subnet at the DHCP server. Like all DHCP-based access restriction you'll need to set the lease pretty low for this to have a good effect. Most worms are programmed to target the local network for a time before hitting the external network; it's an effective spreading method that allows it to take over an entire subnet quickly and then hit large address blocks in a short time... by putting them in their own subnet you restrict their effect on other machines.
If you've got the budget for it, consumer grade firewalls to segment your network should limit virus damage and keep malicious traffic contained to small sections. The WRT54G comes highly recommended by lots of network guys I know and can be hacked to run Linux if that's your inclination. At their price they'll cost a pretty penny but as an advantage if you set them up right you can provide wireless access on your current network. A laptop user with a virus can be a bad thing in that kind of environment but hopefully you're verifying them automatically before connecting them anyways...
Of course if you wanted to do it right and had an infinite amount of money, I'd say setup active directory and use group policies to force installation of (free) virus scanners and anti-spyware software. Setup properly that can be a low-maintenance solution but it'll cost a bit of money, time and skill to setup in the first place...
I am disrespectful to dirt! Can you see that I am serious?!
www.packetfence.org is what you are looking for. This is the tool that Harvard uses to do transparent access control and remediation. A similar, but less fully featured commercial offering is something like Cisco Clean Access, or Mirage Networks' system among others.
netsquid should do the trick...
I liked the good ol' days where you had to have a clue to actually get on the internet.
If the users lack sufficient clue to *listen to the IT departments repeated warnings* then fuck 'em, they don't deserve to be on the network.
Seriously. Screw 'em. More bandwidth for the people that actually bother to install & maintain antivirus software.
If you have Procurve 5300's then this may be useful: http://www.hp.com/rnd/pdfs/virus_throttling_tech_brief.pdf
I work for the residential computing services department of a major university (27,000), and we handle it via a registration process. We lock all new users into a quarantine zone and then force them to patch and scan their OS with our tool. The tool reports the results to us, and then lets them out of netjail. Although it took a lot of effort to implement, the payoff is beautiful. Furthermore, the moment we detect malicious activity on a computer, we throw them right back in netjail.
-----Zephyre
If you have DHCP Control, then bump the infected into an isolation or quarantine subnet. This could also be done with a VLAN if you have access to the switches.
The subnet could have no, or very slow access to the Internet.
It should have a server on it with free AV tools, to which all port 80 connections are sent, and directions on how to get moved back to the free subnet.
How does this help when the problem is locally infected machines ping flooding the local subnet?
our university network got taken down by sasser this past september
to avoid that this fall when all the freshmen come in again, they're implementing a registration system.
first time you plug your computer in and open a browser, you get a page. you have to enter your school username and password. the system records your mac address and checks you for the exploits du jour and an antivirus. if your computer is OK, your MAC address is recorded as OK and you're permitted to access the network. If not, you get instructions on how to secure the machine and try again.
...and that's all there is to it.
I wouldn't place secure Linux administration in the hands of users that can't even keep their windows virus definitions up to date.
I was thinking more along the lines of "locked down machine and the user wont get the root password".
Scissors!!!
I would say that this limited access is enough to do something about the problem:
- Determine which IPs (and associated MACs) are spewing malicious traffic (simple enough).
- Write a script that places their MAC in a blacklist file.
- The next time they renew their lease from the DHCP server, issue them an IP in a non-routable subnet.
- When they complain that their "internet is down", read them the riot act and don't remove their MAC from the blacklist until their box is clean.
In fact, $client is asking me to implement this for them. Need a Linux consultant in New Orleans?
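The blacklist-file-to-DHCP idea in this post, and the multi-homed 192.168.0.x / 192.168.1.x scheme with 5-minute leases a few posts up, can both be scripted against ISC dhcpd. What follows is an added example of mine (not either poster's code): it turns a one-MAC-per-line blacklist into a dhcpd.conf with a "quarantine" class, a normal pool that refuses class members, and an isolated pool that hands class members the quarantine box as both router and DNS. The blacklist path and the normal subnet's gateway address are assumptions; the sample blacklist in the test is constructed.

```python
import re
import sys

LEASE_SECONDS = 300   # the 5-minute lease from the earlier post
# (network, netmask, first, last, gateway) for the two pools on one physical segment
NORMAL_NET = ("192.168.0.0", "255.255.255.0", "192.168.0.10", "192.168.0.250", "192.168.0.1")  # gateway assumed
QUARANTINE_NET = ("192.168.1.0", "255.255.255.0", "192.168.1.10", "192.168.1.250", "192.168.1.254")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def load_blacklist(text):
    """Parse 'one MAC per line' text: '#' comments, ':' or '-' separators, any case."""
    macs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().replace("-", ":")
        if not line:
            continue
        if not MAC_RE.match(line):
            raise ValueError(f"bad MAC in blacklist: {raw!r}")
        if line not in macs:
            macs.append(line)
    return macs


def render_config(macs):
    """Return dhcpd.conf text implementing the quarantine scheme for the given MACs."""
    out = [
        f"default-lease-time {LEASE_SECONDS};",
        f"max-lease-time {LEASE_SECONDS};",
        "authoritative;   # so a moved client renewing its old 0.x address gets a NAK",
        "",
        'class "quarantine" {',
        "    match hardware;",
        "}",
    ]
    for mac in macs:
        out.append(f'subclass "quarantine" 1:{mac};')   # leading 1: = ethernet hardware type
    out += ["", "shared-network residence {"]          # both subnets live on the same wire
    net, mask, first, last, gw = NORMAL_NET
    out += [
        f"    subnet {net} netmask {mask} {{",
        f"        option routers {gw};",
        "        pool {",
        '            deny members of "quarantine";',
        f"            range {first} {last};",
        "        }",
        "    }",
    ]
    net, mask, first, last, gw = QUARANTINE_NET
    out += [
        f"    subnet {net} netmask {mask} {{",
        f"        option routers {gw};               # the quarantine box itself; it forwards nothing",
        f"        option domain-name-servers {gw};   # its DNS answers everything with itself",
        "        pool {",
        '            allow members of "quarantine";',
        f"            range {first} {last};",
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dhcp/quarantine.macs"   # assumed path
    with open(path) as fh:
        sys.stdout.write(render_config(load_blacklist(fh.read())))
```

Regenerate and reload dhcpd whenever the blacklist changes; with the short lease, a newly listed host lands in the isolated pool within a few minutes without anyone touching the switches.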
I am on a university network, and there was a large virus problem, until the deployment of Clean Access... this requires users to install virus software before they will be put on the main sub-net. They are held in a remediation sub-net until they Update Windows, Install AV software, etc. While there they can only download provided Av software, and access windows update. It can cause a large load on the help desk at the start, but it has increased network reliability by a good factor.
There are three forthcoming technologies that you should watch that will improve this situation:
TNC - Trusted Network Connect from the Trusted Computing Group (a standards group)
NAC - Network Admission Control from Cisco
NAP - Network Access Protection from Microsoft (which supports TNC)
The basic methodology is to keep the good guys with unhealthy or potentially unhealthy systems locked behind a switch port until they get themselves healthy and/or protected.
How do they do that if they are cut off? Well, they aren't entirely cut off. Systems can get to update site(s) for antivirus, patches, etc.
It isn't quite ready for prime time, and unfortunately will require time for systems to turn over (some level of host support is typical). But once it is available, systems that support it should be healthy before they can receive network traffic from unhealthy legacy systems.
Check it out:
https://www.trustedcomputinggroup.org/home
http://tinyurl.com/5ae2j (microsoft.com)
http://tinyurl.com/78al2 (cisco.com)
It doesn't look like you're in a position to get the school to spend any money, so I am not sure if posting about our solution will help. At the college I worked for, we have installed switches from Enterasys that allow per port, per mac, and/or per user policies to be setup at the switch level. We block any port 137-139,445 activity to anything but our intranet server range and dmz. The 137-139,445 is just an example. We block traffic on any port we have found to be used for malicious intent. Aside from that, we have a completely open network. Students are free to play online games as much as they want. We use Enterasys's technology to block malicious traffic patterns at the switch port. One PC cannot infect another. Enterasys's technology applies a stateless firewall per port. It is very impressive technology.
We have looked at Perfigo from Cisco. It automates some of the management tasks. We have found it far easier to prevent the problem at the switch port.
We also don't permit p2p apps. We use an IDS to disrupt p2p connection attempts. Between the IDS and the Enterasys switches, we have found them to be what I would call a very *quiet* solution. By quiet I mean that we set it up and forget it. We are not dealing with users everyday because of shutting off their ports. We were doing that, but not anymore.
We are using Enterasys DFEs, but those are probably overkill since they are distribution switches. Enterasys C2s are edge switches that have the same capability.
The one major advantage of the Enterasys DFEs is that they can be setup to limit the number of connections initiated from a port. So if there is a virus that we don't catch with our per port firewall rules, we can turn on the rate limiting and packets will be dropped once they exceed the threshold. That is a connection setup threshold. This is typically the pattern that malware follows, trying to setup as many connections as possible to propagate. The Enterasys technologies have saved us A LOT on staff time.
It seems that your major concern is people who get a virus a second or third time.
Getting sick is no one's fault, but no one likes being known as Typhoid Mary. With the chronic offenders, publicize their identity to everyone else on the network (bulletin board, maybe an ad in the campus newspaper).
Of course, announce this policy ahead of time, make it clear and objective what someone has to do to get listed.
Technical tools to help solve a social problem are sometimes neat toys, but don't ignore the social tools to attack the social problem.
Technological Fix For Managerial Issue
MGR: Hey IT. I think this guy is surfing the web for pr0n.
IT: Tell him to stop it.
MGR: What if we use brand X to filter, monitor, report and fire him?
IT: What if you just tell him to stop it?
MGR: Brand Y?
This
The solution is so simple it's mind-boggling.
You know how I quit smoking? I quit buying cigarettes.
Sure, I'd bum them from friends, but after awhile, it got old.
You know how I quit getting viruses? I stopped using Windows.
Sure I had to learn how to get around other OS's, but not only
have I found other OS's to be better, I never got viruses again.
YOU ARE TOO NICE. And you put up with this abuse for free? Even if I was paid for the job, the second or third user I had who behaved so oafishly would have seen their precious porn/MP3 collection smashed to bits under my sledgehammer. And if I'd been fired for it, I would have considered that a blessing.
The Boston U solution.
And the UConn approach.
Can you set up a linux box as router running a pop3 proxy and virus scanner? That's not a total solution, but if you can stop viruses from coming in on pop3, you'll take out a major chunk of them.
here's the setup at my college. it works for us, though some students are somewhat against it. - we mandate all students to install McAfee's ePO Agent onto their computers. this gives the network admins the ability to push mcafee updates (we also offer free McAfee Virus Scan to all the students) onto computers, as well as run Stinger and other tools. last year, we had a ridiculous time dealing with the influx of Blaster and other viruses, so this was a big help. - VLANs were set up to separate the students and better deal with infections. each grade (with approximately 730 students) has two VLANs, with each student being categorized based on their school ID number. we also have the students register their MAC addresses, so we can keep track of them, and block them if they ever bring our network down. just an idea..
- chuck.
This is something that's really sunk in, recently. I spent years doing free technical support above and beyond the call of my job, and that got me moved into the support group, which was great for a while... but I kept ALSO being the guy who can fix things, and spent huge amounts of time fixing things for people that I wasn't actually being paid to fix, and that sucked up home time and work time and all my "fun" coding time. Lots of people think I'm a great guy, but I'm not being anywhere near as effective as I could be at anything but being that great guy.
Today I haven't done anything except on my own schedule. I let someone else find they had their computer plugged into the wrong port, instead of tracking it down for them, and they sounded perfectly happy about that. I feel great.
Put a sniffer on your firewall and take control of infected machines as soon as they come in. Run stinger, patch them and then remove vnc.
We kept a network of 60k 2000/xp machines healthy through welchia/blaster this way.
(I'm too lazy to read thru all the posts - someone prolly posted this already, screw it - REPEAT)...
Yo dog... Setup some ACL's & you'll be good to go.
Filter out your Windows/NetBIOS traffic at the switch, i.e. TCP/UDP 137, 139, etc....
This will stop a lot of the worms dead in their tracks or at least impede their ability to propagate (Sasser, Blaster, etc..).
Blocking traffic destined for your network's broadcast address will help tremendously as well.
Especially if you're on a large subnet.
Again, Windows boxes are notorious for this shit.
(All this assuming you don't need NetBIOS on your network.)
Actually, you might as well just set up an access list that limits your traffic to only what's needed (HTTP/HTTPS, SSH, etc...).
If you got Cisco switches enable DHCP snooping (to prevent rogue DHCP servers) and Storm-Control.
When you got troublemakers, hunt their MAC out on the switch & put the smack down.
(Cisco hint: show mac-address-table | include xxxx).
Look into scanning the network on a regular basis lookin' for vulnerable systems/potential offenders, plenty free shit to do that (See: Nessus).
You can lock them out before they cause problems & force them to comply.
If you got rogue APs, that's easy.
Kismet or Netstumble them & pick out the MACs.
Again, block those at the switch.
Peace.
I agree with blocking ports at the switches. All the users need is email and web access. Open ports 80 443 25 110. This will cut down on tons of worms and trojans propagating.
Jeremy
MCSE MCSA CCNA
http://www.n2networksolutions.com/
Arizona computer consulting
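The two comments above (block NetBIOS and broadcast traffic, or go further and allow only the handful of services residents need) describe an access list in words. The following is an added example, not code from either commenter, that models that rule order as a packet filter and runs it over a constructed packet trace, so you can see which rule each kind of worm traffic hits. The DHCP exception ahead of the broadcast deny, and DNS in the allow-list, are my additions: without them a fresh client never gets a lease and the permitted web/mail services do not work.

```python
"""Allow-list packet filter modelled on the ACL advice above.

Added example (not from either commenter): evaluates constructed packets
in the rule order a practitioner would use on the student subnet:
DHCP exception, NetBIOS/SMB deny, broadcast deny, allow-list of needed
services, then implicit deny.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Windows file/print sharing and the RPC endpoint mapper: the ports the worms
# named in the comment (Blaster, Sasser) used to spread.
NETBIOS_PORTS = frozenset({135, 137, 138, 139, 445})

# The services the second comment lists (80, 443, 25, 110), SSH from the
# first comment, plus DNS (assumption: without it web and mail are useless).
DEFAULT_ALLOWED = frozenset({
    ("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110), ("tcp", 22),
    ("udp", 53),
})

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int | None = None   # None for ICMP


def evaluate(pkt: Packet, subnet: str, allowed=DEFAULT_ALLOWED) -> tuple[str, str]:
    """Return (action, reason) for one packet leaving a resident's port."""
    net = ipaddress.ip_network(subnet, strict=False)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. DHCP must be permitted before the broadcast deny below: a client
    #    without a lease sends DISCOVER to 255.255.255.255 port 67.
    if pkt.proto == "udp" and pkt.dport == 67:
        return ("permit", "dhcp")

    # 2. Explicit deny of NetBIOS/SMB/RPC; the comment's caveat applies:
    #    only if nobody on the network legitimately needs file sharing.
    if pkt.proto in ("tcp", "udp") and pkt.dport in NETBIOS_PORTS:
        return ("deny", "netbios")

    # 3. Drop traffic aimed at the subnet's directed broadcast address or the
    #    limited broadcast address; on a large flat subnet this is what turns
    #    one infected host into an outage for everyone.
    if dst == net.broadcast_address or dst == LIMITED_BROADCAST:
        return ("deny", "broadcast")

    # 4. Allow-list of needed services, then implicit deny (ICMP floods and
    #    unknown ports fall through to here).
    if (pkt.proto, pkt.dport) in allowed:
        return ("permit", "allowed-service")
    return ("deny", "implicit")


def summarize(packets, subnet: str) -> Counter:
    """Count (action, reason) outcomes over a sample, like ACL hit counters."""
    return Counter(evaluate(p, subnet) for p in packets)


# Constructed sample trace: one resident browsing, one infected host scanning
# for SMB shares, broadcasting, and ping-flooding a neighbour.
SAMPLE = [
    Packet("udp", "0.0.0.0", "255.255.255.255", 67),        # DHCP DISCOVER
    Packet("tcp", "10.1.3.7", "93.184.216.34", 443),         # HTTPS
    Packet("udp", "10.1.3.7", "10.1.0.2", 53),               # DNS
    Packet("tcp", "10.1.9.21", "10.1.9.22", 445),            # SMB scan
    Packet("tcp", "10.1.9.21", "10.1.9.23", 139),            # NetBIOS scan
    Packet("udp", "10.1.9.21", "10.1.255.255", 1900),        # subnet broadcast
    Packet("icmp", "10.1.9.21", "10.1.9.30"),                # ping flood
    Packet("tcp", "10.1.9.21", "10.1.9.30", 4444),           # backdoor port
]

if __name__ == "__main__":
    for (action, reason), n in sorted(summarize(SAMPLE, "10.1.0.0/16").items()):
        print(f"{action:6} {reason:16} {n}")
```

Rule order is the whole point: put the broadcast deny first and DHCP breaks for every resident; put the allow-list first and the NetBIOS deny never fires for a port you forgot to exclude.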
Wait, are you saying that you have a thumb drive with less than 10 megs free space? because I've tried sending large attachments to people and on the various services I use the max I've been able to push through was always under 10megs... In some cases it used to be 2, but now the limit I've found for hotmail, yahoo, and my university net is 10. (note I tested this awhile back)
.exe ... never really stopped me just zip it... then send...
Besides that all... I've seen random prohibitions on sending
Gravity Sucks
It seems that in your area it's not possible to exercise effective control over the individual computers. You might be able to mitigate the damage caused by outbreaks by purchasing some managed switches to replace your dumb switches currently in use. Some switches can cap bandwidth, or disconnect/throttle ports if they exceed usage limits for a set amount of time. Most of them are smart enough that you can specify the direction that the triggers are placed, so you can tell the switch basically, "if any user on this switch exceeds 100k/sec upstream for 5 seconds, cap their upstream to 10k/sec for the next five minutes." They also usually let you monitor current bandwidth usage, and some provide short term history for bandwidth or violations, either of which makes it fairly easy to spot owned machines. You can always just shut their port off remotely until the owner is so motivated by lack of internet connection that they clean up their machine. It's not a cure, but it can dull the symptoms. (it also cuts down on the foot traffic required by you)
The only major drawback is price. Managed switches can be expensive, and it sounds like you'll need a number of them. Best way to get funding for something like this approved is to throw together a report outlining how many man hours and how much network downtime this will save over say, the next 3 years. When they see the dollar difference and performance paybacks, they'll get out the checkbook. You can also roll it out incrementally, by getting a fast switch that's managed, as your main node, that initially feeds the existing dumb switches at each of the buildings. Watch how fast people fix their machines when they have like 11 other tenants on their back because everyone's internet in the building is down. Then take the noise from the other 11 tenants that's pointed to you and redirect that into a requisition for a managed switch in that building, killing several birds with one stone. By that route you'll eventually get your entire network to managed switches and your problem will be much easier to deal with. Happy managers (no complaining tenants), happy tenants (no downtime), and a few pissed off ppl with owned machines. Justice all-around.
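The trigger the comment above quotes ("over 100k/sec upstream for 5 seconds, cap to 10k/sec for five minutes") is a small state machine per port, and the same logic is what a later comment has in mind when it suggests crimping a ping-flooding port to a few bytes per second. Here is an added example, not the commenter's switch firmware, that implements that policer over constructed per-second byte counters such as you would poll from a switch; the port names, thresholds and samples are assumptions, and the class also records how often a port has been capped so repeat offenders can be identified.

```python
"""Per-port upstream rate policer modelling the managed-switch trigger
described above. Added example (not the commenter's equipment); the
per-second counter samples below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Policy:
    threshold_bps: int = 100_000   # bytes/s of upstream that counts as "too much"
    trigger_seconds: int = 5       # consecutive seconds over threshold before acting
    cap_bps: int = 10_000          # rate applied while the port is penalised
    penalty_seconds: int = 300     # how long the cap stays on


@dataclass
class PortState:
    streak: int = 0                   # consecutive over-threshold seconds seen so far
    capped_until: int | None = None   # time at which the current cap expires
    caps: int = 0                     # how many times this port has been capped


class Policer:
    def __init__(self, policy: Policy | None = None):
        self.policy = policy or Policy()
        self.ports: dict[str, PortState] = {}
        self.events: list[tuple[str, int, str]] = []   # (port, time, "cap"/"uncap")

    def observe(self, port: str, t: int, upstream_bytes: int) -> None:
        """Feed one per-second counter sample: bytes the resident sent in second t."""
        st = self.ports.setdefault(port, PortState())
        if st.capped_until is not None and t >= st.capped_until:
            st.capped_until = None
            self.events.append((port, t, "uncap"))
        if st.capped_until is not None:
            return   # already penalised; samples during the cap do not re-trigger
        if upstream_bytes > self.policy.threshold_bps:
            st.streak += 1
        else:
            st.streak = 0   # a short burst that drops back never trips the trigger
        if st.streak >= self.policy.trigger_seconds:
            st.capped_until = t + self.policy.penalty_seconds
            st.streak = 0
            st.caps += 1
            self.events.append((port, t, "cap"))

    def limit_for(self, port: str, t: int) -> int | None:
        """Rate cap (bytes/s) currently applied to a port, or None if unlimited."""
        st = self.ports.get(port)
        if st is None or st.capped_until is None or t >= st.capped_until:
            return None
        return self.policy.cap_bps

    def repeat_offenders(self, min_caps: int = 2) -> list[str]:
        """Ports capped at least min_caps times: the machines worth a visit."""
        return sorted(p for p, st in self.ports.items() if st.caps >= min_caps)


def replay(samples, policy: Policy | None = None) -> Policer:
    """Run a list of (port, second, upstream_bytes) samples through a policer."""
    p = Policer(policy)
    for port, t, nbytes in sorted(samples, key=lambda s: s[1]):
        p.observe(port, t, nbytes)
    return p


# Constructed samples: gi0/7 is an infected host saturating upstream from t=0;
# gi0/9 is a normal user with a 3-second burst (a large upload) and then idle.
SAMPLES = (
    [("gi0/7", t, 250_000) for t in range(0, 12)]
    + [("gi0/9", t, 180_000 if t < 3 else 4_000) for t in range(0, 12)]
)

if __name__ == "__main__":
    p = replay(SAMPLES)
    print(p.events)                      # [('gi0/7', 4, 'cap')]
    print(p.limit_for("gi0/7", 100))     # 10000
    print(p.limit_for("gi0/9", 100))     # None
```

The streak reset on a single under-threshold second is deliberate: it keeps one large legitimate upload from looking like a flood, at the cost of letting a host that pulses traffic evade the cap. If you see that pattern in the switch's violation history, shorten the window or count over-threshold seconds within a sliding window instead.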
I work for the Department of Redundancy Department.
Agreed! Antivirus software is supposed to plug the "wetware hole" of stupid users who run vulnerable attachments, use unpatched software, etc. In exchange for doing this, it gets in the way of every system process, slows down the machine, and occasionally interferes with legitimate business.
Users who're skillful enough not to need antivirus software are also frequently doing things that it gets in the way of. Let them go without.
The penalty for getting infected should be very simple: Post a notice on the dorm bulletin board that anyone who experienced network slowness around [date/time] should be in the quad on Friday afternoon. Have the offender there, strapped to a bunkbed. Arm the victims with bars of soap wrapped in towels. A few public beatings like this should scare the populace into vigilance, and provide an outlet for those wronged by the remaining careless few.
This is the method used at Texas A&M University, which I attend, for their residence hall network.
We use netsquid, http://netsquid.tamu.edu/, which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.
It works quite well.
It's a caterpillar. n00bs.
I don't know if there's any way to tell that I checked No Karma, but mod this up. It's embarrassing.
I hate grammar Nazis.
Reading your article, I get the impression that you've tried appealing to both the users and the powers that be without much success. It seems obvious that whatever solution you decide to implement is going to involve a lot of your own time and effort. I suggest you make it worth your while. I don't know what your particular area of study is, but it probably wouldn't be too hard to come up with a way to get some credits for working on this problem. The IT connection is obvious. If you are LA you should be able to work in an angle in psychology, sociology, even some sort of human/technology interface thing for the sciences. Two or three independent study credits might go a long way toward mitigating your frustration. Don't give up if the obvious professors are not responsive - it shouldn't be too hard to find an LA professor delighted to sponsor a program solving a technical problem with a humanistic approach.
As far as method...I suggest you take your lead from the hacker/cracker community. Implement a Social Engineering attack. There are many fine examples of specific techniques to be found in the comments of this thread. I especially like the "scarlet V" approach. I suggest the following:
- "anyone who gets infected is a lamer old school twerp who is so behind the technology curve that they can't even stop high school script kiddies from using them like zombie flesh puppets"
- "allowing your owned machine to infect the local net is dissing everyone in the dorm - especially if you are too clueless to know how to prevent it"
- "you're getting played, you clueless dork, every time you click that stupid 'yes' button it's like bending over and dropping your drawers"
I'm sure you can do a much better job coming up with the proper approach. Just remember that establishing the proper attitude is key - even a few people is a good start. Then public humiliation and shame will work wonders. One advantage of this solution is it will stay with the users after they leave the influence of a network tech fix. Hey, maybe you'll change the world. At least it could help you get a little closer to graduating - and add some stretch to your resume. It might also help you get a little more respect from the powers that be when you slap down your independent study paper with the big, fat 'A' on the cover.
billy - who went to UT - volunteer is NOT a dirty word
Since you said that the infected computers were bringing down your network have you tried VLANing the 'trouble makers' off from the rest of the users? Seems like that would protect others from network floods and allow you to more easily quarantine and correct the problem.
Just do what they did in my dorms. When a computer starts sending out ping floods, cut the connectivity to said computer's port. Notify the computer's owner and charge them $60 an hour to fix it. They'll learn mighty fast to obey the rules.
Kind of undoes the original premise that he is doing this on an unpaid, volunteer basis now doesn't it? Changing the rules in the middle of the game.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Here's how it works at my university. (I work for the computer department btw) First, before anyone can connect to the network they must register their MAC with us. This policy goes for both wired and wireless. When a computer starts showing signs of abuse (virus, filesharing, running a switch that is undermining our network, etc...) they are shut off from all off campus network use. They are then redirected to a page stating that they must call us and we will walk them through the process to get turned back on. We also send a letter stating the same thing. When they call in, we look up their case in our logs and explain the recourse necessary. If it is just a virus problem they must bring their computer to us to have it scanned. We scan it using several different AVs and if they do not have any AV we install Symantec AntiVirus 9 (which we provide free to students). If they are turned off for filesharing they are required to attend a bandwidth seminar where we teach about filesharing and why it's bad. We also charge for our time in cleaning their machine (usually $26-$52). If it's their first offense, they are turned back on 24-48 hours from their computer being cleaned. For the second offense, they are turned off for 4 months rolling over into a fall semester if at the end of spring semester. For the third offense, they are off for life. We do not restrict them from the computer labs however, of which 4 are free to use to students in the residence halls. All in all we have few complaints. People usually straighten up after the first strike. We are also allowed to refer students to student conduct if they do not comply which is one of the ways we can convince them to stop and be smart.
My college campus found itself in a similar situation. They just dropped all the culprit computers in a "black hole network." The black hole only displayed a single webpage and blocked all other network traffic. That page basically said come get our FREE virus protection and windows updates if you want to ever use internet again. If you were a repeat offender, you must PROVE to someone (admin, help staff, etc) that you have purged and safeguarded your computer to ever use network resources. It has proven to be quite effective.
At my last apartment, one of my roommates got a virus (dunno what it was, all I knew was that when he turned on his computer, the other 2 computers dropped from <100 ping to 5000+), so since the hub for our apartment was in my room, I just unplugged him and told him the virus had disabled his ethernet port.
*Then* when I burned a copy of a free virus scanner and gave it to him, he had 2 choices: install it (while I watched, to make sure he scanned his computer) or the "virus" just kept him disconnected.
Surprisingly, he stayed offline all semester. Oh well...
Kind of undoes the original premise that he is doing this on an unpaid, volunteer basis now doesn't it?
Right. You're absolutely right. Do you get that that's the problem?
Changing the rules in the middle of the game.
That's because the game they're playing with him is "Calvinball".
The grandparent is talking as if he's dealing with kindergarten kids.
I'd be surprised if he could get 10% of his suggestions working.
-Perform Risk Management on the network
-Develop a recovery plan for virus attacks
-Develop security policies and enforce them
-Use a combined IDS
-Set virus protection to automatically update and have an update server
-Use a vulnerability scanner to check client machines
-Have an update server push updates to Windows Automatic Update on client machines
-Block viral attachments such as *.pif at your gateway
-For spyware and adware, have users install a Trojan scanner such as Trojan Hunter. Spybot and Adware are NOT enough as their trojan detection capabilities are limited at best. Also, put a shortcut on their desktops to the Trend Micro Housecall website as Trend Micro is good at detecting adware and spyware trojans
-Shut off unnecessary services including file and printer sharing
-Install personal firewalls on client machines to supplement the network's hardened firewall
-Set up VLANs and MAC filtering to prevent client machines from communicating with other machines on other VLANs
Ditch all your switching gear which isn't cisco. Replace it with stuff that is. Configure "private vlan edge" on all the access ports. Problem solved :P
You literally have to because university kids won't do anything unless they have to do it. The first year when I handled a 6,000 computer university network, we were nice and gave people 24 hours after we knew they were infected to get their act together.
Boy, did I learn my lesson. In the first week, we had over 1,000 infected computers. After that, I did some calculations on how much that incident had cost us and submitted a report with a suggestion to immediately disconnect any infected computer. Guess what...it got approved.
From then on, once your computer was off the network, you weren't getting back on until your computer was cleaned of viruses, had an antivirus program and all the software updates installed.
For the next year, we did a HUGE prevention campaign (an hour of prevention is worth about 10 computers with viruses) and handed out CDs with software updates and antivirus to Resident Assistants.
Since you didn't have a team of 25 techs like I did, I suggest that you start by recruiting some. Get administrators to approve school credit or something like that. There's no way you can stay sane while doing this job without some help.
Don't issue addresses to DHCP clients that are identified as a Microsoft Windows PCs. No IP address, no ping flood!
The second step is enforcing a "zero tolerance i386 policy". No Intel i386 compatible chipsets allowed near your network. If they can't run Microsoft Windows, they can't run Microsoft Windows viruses.
Then you just have the problem of the smart punks assigning a static IP address.
Alternately, get friendly with the network administrator (the guy who "owns" the switch that these PCs are plugged into), and arrange to have virus-laden PCs cut off from the network (as in - turn off the port). Leave a copy of the latest virus definitions file on their doorstep with a note explaining that access to the network will be restored once they've cleaned up their machine.
And sprinkle the document with the usual "Think Different" propaganda. Linux and Mac OS X good! Microsoft Windows bad!
It's similar to the "way too loud music" thing, out in the burbs, so, like the boys in LA, the first time Junior's PC starts infecting the neighbors, you have a nice friendly chat... and the next time it happens (usually right away, --laughs--) you just walk in, polite as hell, and put nightsticks through the shit. Works great on speakers... just remember not to 'blow it up' LA movie style... you know, blasting the shit out of the monitors instead of the towers.
Print business cards?
You should go for a fully automatic technical solution.
You can't educate your users and you can't control them. If you were to disconnect their PCs (even if it's only temporarily), they'll come after you and give you hell (rightfully).
The best solution is to put each user into their own VLAN. 500 VLANs are no problem. Then disable the routing between the VLANs. Thus, each user can only access the internet and common file server which you may have. No communication between the PCs is possible.
With a bit of traffic shaping on your upstream gateway your network will be just fine.
The school I worked at took a multi-tier approach to the problem:
1) Prevention.
Site license to Norton AV downloadable from the webmail website (which every new freshman must learn at orientation, most students don't even use a normal email client). CD's with SP2 and windows updates at the front desk of each dorm. CD's also with the AV software on it just in case. Email filtering of virus attachments on the mail server level. NoCatAuth type login from dorm rooms and public access ports using LDAP password to gain access. This portal page can contain information on the latest viruses, updates, and prevention tips. Each dorm building has a part time student technician who can help with common virus and spyware problems or questions and with network troubleshooting.
2) Damage Control.
All known virus infected computers (somehow) have their network port disabled at the switch immediately. I don't know if this is automatic or if they flag the usage patterns and manually review them. They do the same thing when they receive a DMCA letter about a user. When this happens the user receives an email (which can be checked at a lab or roommate's computer) which details what they need to do in order to get reconnected: (a) attend a mandatory virus, security, and copyright infringement course which is held once a week. The student learns how to keep Norton AV up to date, how to keep windows updates automatically updated, how to enable windows firewall, and how to remove spyware. Also how to avoid downloading illegally obtained files like MP3s and such. (b) run Norton antivirus updater and full system scan (c) if this does not remove the virus take the system to the repair center and pay them to remove it for you (usually format/reload windows).
More damage control: When nasty email viruses start spreading, mail filtering is tweaked to stop it. Emails are sent out to the listservs on the campus warning users. This generally warns users that there is an especially nasty virus to look out for while using email and probably helps some.
3) User Education.
Students are told to update their windows before connecting their network cable to the wall. The CD's are available at the front desk to be checked out. Above I explained about the first strike where the user's network port is disabled and the user must attend a class to be reconnected. There are also critical informative updates displayed on the authentication portal for network access, webmail, and through email when there are especially bad viruses loose around campus. Everyone who has been on campus for more than a year has lived through the hell of it. It is the freshmen you have to educate the most.
I hope this was informative to your cause.
If you can't access the switches or the router/firewall, abuse the DHCP-server.
Use an IDS to pick the offenders, and update the DHCP server to give them non-routable addresses (like 192.168.0.1). Then all they cause is some desperate ARP requests or plain broadcasts (unless you put netmask 255.255.255.255, or something).
There's nothing that can be done about the "I don't care" attitude though. If they buy new network cards (with new MAC addresses), just block 'em all. Or if they change their MAC address manually. If buying a new computer is their default solution, start selling computers and allow DHCP to give IPs only to those MAC addresses that are on the network cards you sold.
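Since the DHCP server is the one piece of infrastructure the question says the volunteer controls, the approach in the comment above is worth making concrete. The following is an added example, not the commenter's configuration: a small generator that takes the MAC addresses an IDS has flagged and emits an ISC dhcpd configuration with a "quarantine" class, so flagged hosts receive a lease from a penalty pool instead of the production pool. The subnet, ranges and offender list are constructed; the `option subnet-mask 255.255.255.255` trick is the commenter's, and whether a given client stack honours a /32 lease is something to verify on your own hardware. Everything else is standard dhcpd.conf syntax (`class`/`match hardware`/`subclass`, and `allow`/`deny members of` inside `pool` blocks).

```python
"""Generate an ISC dhcpd configuration that parks IDS-flagged MAC addresses
in a quarantine pool. Added example (not the commenter's setup); addresses
and the offender list are constructed.
"""
import re

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 (Cisco style)
    and return the colon-separated lower-case form dhcpd expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_dhcpd_conf(offenders, *, subnet="10.1.0.0", netmask="255.255.0.0",
                      prod_range=("10.1.1.10", "10.1.250.250"), prod_router="10.1.0.1",
                      dns="10.1.0.2", quarantine_range=("10.1.254.10", "10.1.254.250"),
                      quarantine_lease=300, isolate=True) -> str:
    """Return dhcpd.conf text: one class of flagged hardware addresses and two
    pools in the same subnet, the second reserved for class members."""
    macs = sorted({normalize_mac(m) for m in offenders})   # dedupe mixed formats

    lines = ['class "quarantine" {', "    match hardware;", "}"]
    for mac in macs:
        # the "1:" prefix is the hardware type (1 = Ethernet) that dhcpd
        # prepends when matching on the hardware address
        lines.append(f'subclass "quarantine" 1:{mac};')

    lines += [
        "",
        f"subnet {subnet} netmask {netmask} {{",
        f"    option domain-name-servers {dns};",
        "    pool {",
        '        deny members of "quarantine";',
        f"        range {prod_range[0]} {prod_range[1]};",
        f"        option routers {prod_router};",
        "    }",
        "    pool {",
        '        allow members of "quarantine";',
        f"        range {quarantine_range[0]} {quarantine_range[1]};",
        "        # no 'option routers': nothing beyond this link is reachable",
    ]
    if isolate:
        lines += [
            "        # /32 mask (the commenter's trick): the host cannot even",
            "        # ARP for neighbours, so a flood goes nowhere",
            "        option subnet-mask 255.255.255.255;",
        ]
    lines += [
        "        # short lease so removal from the class takes effect quickly",
        f"        default-lease-time {quarantine_lease};",
        f"        max-lease-time {quarantine_lease};",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


# Constructed offender list as an IDS or a helpdesk ticket might hand it over,
# in three notations and with one duplicate.
FLAGGED = ["00-11-22-33-44-55", "0011.2233.4455", "aa:bb:cc:dd:ee:ff"]

if __name__ == "__main__":
    print(render_dhcpd_conf(FLAGGED))
```

The short lease matters in both directions: a host that was clean when its lease was issued keeps its production address until renewal, so the IDS-to-config step only bites after the next DHCP exchange, and a host you have cleared does not wait hours to get back to normal. As the comment says, this is only as good as the MAC addresses it keys on; a new card or a changed address starts the cycle over.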
The solution we use here is either "pull the plug via managed switches" or "find out where they live kick the door down and beat the crap out of them with a hammer."
This is what I do. Having to buy and maintain anti-virus software and a global mac address database is putting a large chunk of the burden right back on the admin.
What you do is, create a caching proxy, force students to use this proxy with their university id and password, and show them a warning the first time they do. If they cause trouble, they are going to have slow bandwidth. If they don't want to cause trouble, they should know that there WILL be worms on the network and they WILL need some sort of Firewall -- or Linux.
This way, you install one generic automatic filter, once, and let the problem take care of itself.
Don't thank God, thank a doctor!
When I was a freshman my friend had a 386 with a 2400 baud modem; he had the fastest internet connection I knew of. It took 4 minutes to download one crappy gif. My friend kept his pRon collection on floppy disks. And yet somehow we managed to get our schoolwork done.
From my perspective it seems like students who can't even take a few basic measures to respect others on their free broadband internet connection get exactly what they deserve.
www.forbes.com/forbes/2004/1101/064_print.html for an article on a super router. It kicks off offending machines.
Well that'll fix it...their system will be so fucked-up by their shitty AV bloatmonster that they'll never bother anybody else ever again.
When you notice someone is infected, drop them off the network.
When they complain, tell them that they need to fix their computer before they can get online again. Say they can acquire the tools online for free from any internet enabled computer, or they can pay the $5 and you can make them a bootable linux CD + F-Prot Linux (do it once, upgrade as necessary).
After they have run the software, they call you, you turn them on.
If they are infected again, you drop them again.
Alternatively, you can shutdown the university network, and allow DSL and cablemodem companies to service the users. If they want professional service, they can pay a professional; people in the real world do.
If you only have a problem with viruses, you can get a firewall with 'VirusWall' technology. A small NetScreen 5GT with TrendMicro's virus detection could be all that you need. Then only YOU must keep it up to date, and it can do that automatically. It might however miss certain things, or cause a couple wanky issues here and there, but it should reduce your numbers a heck of a lot. Also, RFC1918 is your friend. Use it, love it, NAT/PAT it to a public address. Most firewalls have protocol inspection for all popular applications, and most applications have workarounds for firewalls without protocol inspection.
you might suggest they all install Service Pack UNIX. This will fix the problem quite nicely.
UNIX: A set of Linux-like operating systems that grew out of an original version written by some guys at a phone company
Identify all the problem users and restrict them collectively to 1Mb of shared bandwidth.
Or you could do what my school does, if you identify them in time shut off their connection and notify them via snail-mail/phone why their connection was shut off, what steps they need to take to rectify it and how they can contact you so you can verify they fixed the problem.
Chicken fried butter sticks? Do
One thing that occurs to me is that, if one of these lusers start pingflooding the lan, you can just isolate it to their network connection, and given the appropriate tools, limit their bandwidth to...oh, say, 50 bytes per second. See, even if the virus encourages them to get faster and faster computers, they still won't get a faster network connection than a few bytes per second if they get infected. It's good for the merchants, it's good for the LAN, and it's good because after a while the luser will ask, and you can tell them why it was crimped, and you won't uncrimp it until the AV and spyware software is placed.
This sig no verb.
When they get a worm and refuse to correct the problem, make their continued switch access contingent on an essay that details what they can do to prevent the specific worm from hitting them in the future, and what general steps they can take to protect themselves and others on the network. If they can't show an understanding of the problem, they are refused access until they study up on it.
then start giving people their own small subnet, and block traffic between subnets. Voila, you have prevented much of the spreading. Then they need a server to exchange viruses.
There are many insightful answers below but I feel most of them are saying how they can protect a network which is already clean. But in your situation this is not the case; you need to make all the students clean up their own trash.
What I suggest is this:
1) If you already have a proxy server, move on to step 3)
2) Send out flyers stating that in X weeks the network will no longer accept direct web connections to the internet. Instead they need to connect through a proxy server. Include information how to configure their web browsers.
3) On Day 1 of using the proxy, force every student to log on and fill out some identifying information and download a virus scanner / cleaner. When they have an electronic evidence that the computer is clean (I'm sure some programs offer this) they will be issued a username/password combo for later logins.
A simple setup will not fix problems with viruses spreading through other means (mail, ftp, etc.) and may be easy to bypass for the computer savvy, but most likely the computer savvy people already know how to protect themselves.
I would say have the place you're volunteering at purchase an OEM version of antivirus software (personally I prefer Symantec, but anything except McAfee is alright), and give it out to all your users free of charge. Write a login script for your server that will check to make sure each computer that connects has antivirus installed and if it doesn't automatically disconnects them. Problem solved. Of course writing such a script might pose something of a problem, but think creatively and I'm sure you can figure out a way to do it. Other solutions: force your users to login to access web services (the vast majority won't have enough knowledge to get around it, particularly if you secure it well, although you will have a percentage that is consistently able to bypass it; although these are the people you probably have to worry the least about accidentally getting a virus from), and make sure that only computers that have been personally verified to have antivirus are given accounts to login with. This will probably take an enormous amount of time to do. I'd suggest setting up a helpdesk and having users bring their laptops in for verification and arranging appointments for desktops (think positive, this could be a great way to meet women!). Once you get over the hump of existing users you'll have plenty of time, and you'll only have to deal with the occasional new user (hopefully). Lastly, I'd like to say volunteering on the basis of being anything more than a simple computer fix-it guy is a BAD idea. On a small network, let's say 10 to 50 computers, network admining isn't terribly time consuming. 500 computers is a lot different. That is not a small network. For a network of that size admining is a full time job, and you should be willing to spend as much time as needed on it, if you're going to be the sysadmin, (in which case they also need to hire you and pay you cash for it), or you need to bite the bullet and tell them to get someone else.
You're getting ripped off here pal, they're screwing you over for services they're not paying you for, you're screwing them over for having a life and not treating the network like a full time job, and the tenants are getting screwed because they're using an insecure network, because you don't have enough time to properly secure it. I'll say it bluntly: get paid for it, or get out. That's my advice.
I have been working on a similar network for some time, and dealt with similar problems. I don't know if these are optimal solutions, but here is how we are doing it:
First of all, we have built a simple management system based around SNMPv3. You want this. Take a course in enterprise management or read up on it yourself. The day you stop writing scripts and use a management system instead is the day when you begin to come out on top of the problem. OpenWBEM can be a start if you want to know what can be done.
Here is our setup:
Incoming connections are blocked. There has been a discussion about removing this block and allowing "safe" ports. At the moment the issue is rather pointless as we are behind a NAT due to lack of IP space. Outgoing connections to DNS, SMTP and HTTP/HTTPS are filtered to force people to use our servers. Some of the more notorious p2p protocols are capped to keep the bandwidth usage from going insane.
We have a central register of users. To use the network you have to register and pay a symbolic sum each month. Then you get access to the connection in your room. You are responsible for what happens from your connection. This register gives us an easy way to contact users. To be allowed to join the network you have to sign a paper stating what you are allowed to do and not do. Our TOS are pretty restrictive, but without them we wouldn't be able to manage the net.
After some network outages (Code Red...) we have implemented a quarantine VPN. We have several IDS spread out, and if they detect a computer spreading malware they move the computer to the quarantine VPN. On this VPN the computer can /ONLY/ connect to the DNS server and the HTTP/HTTPS proxy server. This server provides the user with a message about the computer being infected, links to several sites with patches, free AV and updates. And a note that they will have to contact an administrator to get access renewed. The user can continue browsing freely, but nothing else. If they want to get back to the usual network they have to clean up their computer.
We also have several special checks for "evilness", most important rogue DHCP servers and ARP spoofing. Anybody caught by these simply get their connection pulled until they have explained themselves. Administrators are notoriously slow when it comes to returning connection to people knowingly doing malicious things on the network.
You know, I should really be used to the jaded tech-support answers of Slashdot, but this is a case where it's just not useful.
.exe virus whose only purpose is to send you an email from the inbox of the idiotic inbox-owner who executed a random exe he/she found in her email.
OF COURSE the guy has already thought of simply disconnecting or banning virus spreaders IF he has the power to do so. So why not try to put the repulsive amount of intellect here at Slashdot to use and try to find a realistic and different solution?
Couple things must be stated already. This guy VOLUNTEERED for the job. This means that this guy is more likely than not kind-hearted enough to NOT want to cut a student/many students off from their main form of communication/entertainment/research.
Knowing THIS, what are some solutions?
I have a personal idea that can HELP REDUCE the severity of the problem:
1)Create a website with:
A)A link-list with the most common offending viruses being tracked on the network. Have each link refer directly to the symantec/mcafee per-virus fix tools.
B)A very LARGE link to the free online virus scan HouseCall by Trend Micro. Include instructions under the link how to use the virus scan. Make the instructions FOOL PROOF (better fool comments aside).
C)Standard temp file removal instructions (again, FOOLPROOF) for all Windows OSs from 98-XP including Documents and Settings\NAME\Recent & Documents and Settings\NAME\Local Settings etc. You know the drill if you've ever cleaned a computer.
D)A list of the common virus processes so that those with Task Manager OSs can kill those processes.
E)A Standard disclaimer like "you really need a full software virus protector blah blah blah... Anything you do is at your own risk blah blah blah"
2) Require this webpage as a homepage.
3) Require that the people on the network go through the scan, etc. or THEN risk being disconnected from the network for a time that you see as fit and reasonable.
4) One week after this is implemented disseminate a simple and obvious
As I stated earlier, this is not an end-all solution. But it is a constructive beginning of an idea. And dear Slashdot, try to remember what it was like to be tech illiterate (old fogey coders forgiven). Some people just don't "get it" yet. You don't teach your kids/dogs to behave by punching them, do you?
QoS can be used for setting NBAR policies for worm identification and policing:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801e120c.shtml
It's not impossible, but it is the most difficult problem to solve. If you're serious about it, you need to work with the people that do have control over the network infrastructure - it's the only way to solve the problem. You need managed switches that are vlan capable and network registration via mac address. Period. You need 2 private vlans, web server, dhcp server and a dns server in the 2 private vlans. When someone jacks in to network, their switch is read, and mac address is compared to registered macs. If they're unregistered, their switchport gets put in a private vlan. There, they're presented with a page saying you need to run win update, install virus protection, etc. Once they've installed updates and vp, their vlan is popped back into the regular network. Have a box nessus scanning for missing windows patches. If it detects someone, pop them into your second quarantine vlan, where they have to nessus scan clean to get out. It's a lot, but it's fully automatable. I've got a solution like that working for 3000 users, and not ONE virus outbreak this year. Turning off jacks, yelling at users, thinking they'll "get it" is Sisyphus' job. After you have some control, fire up a dark-net and snort it. It's not easy, but it's great when it's finally done.
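The admission logic this comment sketches (a registration VLAN for unknown MACs, a quarantine VLAN for hosts the scanner finds unpatched, the production VLAN otherwise), written out as an added Python example that is not the commenter's own code. The VLAN names, the event format and the rule that any missing patch means quarantine are assumptions; the part that actually moves a switch port (the switch's management interface, or a RADIUS-assigned VLAN) is deliberately left out, so the block only produces the decision.

```python
from dataclasses import dataclass, field

# Assumed VLAN names; the real ones depend on the switch configuration.
REGISTRATION_VLAN = "vlan-registration"   # captive web page, DHCP and DNS only
QUARANTINE_VLAN = "vlan-quarantine"       # scanner and patch mirror only
PRODUCTION_VLAN = "vlan-production"


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff'
    and 'aa:bb:cc:dd:ee:ff' all map to one registry entry."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AdmissionPolicy:
    registered: set = field(default_factory=set)       # MACs that completed the web page
    missing_patches: dict = field(default_factory=dict)  # MAC -> count from the last scan

    def register(self, mac: str) -> None:
        self.registered.add(normalise_mac(mac))

    def record_scan(self, mac: str, missing: int) -> None:
        self.missing_patches[normalise_mac(mac)] = missing

    def vlan_for(self, mac: str) -> str:
        """Unregistered -> registration VLAN; registered but unpatched -> quarantine;
        registered and clean -> production."""
        mac = normalise_mac(mac)
        if mac not in self.registered:
            return REGISTRATION_VLAN
        if self.missing_patches.get(mac, 0) > 0:
            return QUARANTINE_VLAN
        return PRODUCTION_VLAN


def apply_events(events):
    """Replay (kind, mac[, detail]) events and return the VLAN each MAC ends up in.
    Event kinds (assumed): 'link-up', 'registered', 'scan' with a missing-patch count."""
    policy = AdmissionPolicy()
    assignments = {}
    for event in events:
        kind, mac = event[0], event[1]
        if kind == "registered":
            policy.register(mac)
        elif kind == "scan":
            policy.record_scan(mac, event[2])
        elif kind != "link-up":
            raise ValueError(f"unknown event kind {kind!r}")
        assignments[normalise_mac(mac)] = policy.vlan_for(mac)
    return assignments


# Constructed event stream: one host registers and scans clean, one registers but
# is missing three patches, one plugs in and never registers.
CONSTRUCTED_EVENTS = [
    ("link-up", "00:11:22:33:44:55"),
    ("registered", "00-11-22-33-44-55"),
    ("scan", "00:11:22:33:44:55", 0),
    ("link-up", "66:77:88:99:aa:bb"),
    ("registered", "66:77:88:99:aa:bb"),
    ("scan", "66:77:88:99:AA:BB", 3),
    ("link-up", "cc:dd:ee:ff:00:11"),
]

if __name__ == "__main__":
    for mac, vlan in apply_events(CONSTRUCTED_EVENTS).items():
        print(f"{mac} -> {vlan}")
```

Because the decision is recomputed from the registry and the latest scan result rather than stored, a later clean scan moves a host straight back to production without any extra bookkeeping, which is the "scan clean to get out" rule from the comment.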
what they did at my uni:
Sniff constantly for vulnerable unprotected computers.
When one is found, send them a mail informing them of the situation and that they should fix it immediately.
Then shut down their connection.
Most of the time they don't get this mail before they lose the connection, but then they come whining to the sysop, who also got a copy of it.
Give them a cd with the needed software and once they have installed and fixed the problem, reactivate them.
Students can go a long way to get their connection back.
I have seen people digging out their old modems after a few hours when the entire network crashed.
could also say:
Going to war for no good reason is like going deer hunting.
(No, I'm not french.)
An easy solution, IMO, would be to have two switches/hubs - one 100mbit switch that everyone starts on, and then a 10mbit hub for the people whose computers are being a problem. When someone has a computer that's doing a flood ping or whatever, migrate them over to the 10mbit hub, and let them stay there. That'll limit the bandwidth they can take from everyone else, and will be really cheap to implement.
How to determine the height of a building with a barometer. Sell the barometer. Buy equipment suitable for measuring the height of a building.
You're trying to solve the problem with the tools you have. This is not adequate. You need better tools. Talk to other people who run networks. Decide what you need to be able to do your job. Explain the problem to the higher ups. Ask for the right to do certain things to protect the network.
I have a relatively small network here, with a Linux server and a couple of clients which become infected by a worm/virus from time to time. First, you have to differentiate between a virus and a worm: 1) Virus - This is basically easy. Most viruses have a built-in SMTP Engine, which means simply that they replicate over SMTP and therefore contact various SMTP-Servers (port 25). Normally, they do not use the ISP's SMTP-Server configured in outlook. Therefore I just blocked outgoing connections on destination port 25 which blocks the replication of the virus. Whenever someone is infected, I see this in the firewall logs. Then I can inform him but I basically don't bother as he does no harm to my network. 2) Worm: This is not so easy as the worm tries to replicate on your local network. The only solution to this is to block certain outgoing ports for known attacks and - which is more important - configure a VPN where clients may only communicate to your server but must not interact. On the other hand this is a huge limitation but there may be ways to allow certain connections (e.g. filesharing etc.) or also block specific attacks. But this requires a switch that is aware of VPN etc. My advice: Don't fight it, live with it.
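The "I see this in the firewall logs" step from this comment, turned into a small detection pass as an added example (not the commenter's code). It parses constructed iptables LOG lines of the form a `-j LOG --log-prefix "SMTP-OUT: "` rule on the port-25 block would write, ignores connections to the house mail relay, and reports hosts that tried to reach several different outside SMTP servers, which is what a built-in SMTP engine looks like and a misconfigured mail client does not. The log prefix, the relay address and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

LOCAL_RELAY = "10.0.0.25"   # assumption: the SMTP server residents are supposed to use
FANOUT_THRESHOLD = 3        # assumption: distinct outside MTAs before we call it a mailer

# Constructed iptables LOG lines (addresses, hosts and timestamps are made up).
SAMPLE_LOG = """\
May  3 10:01:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=10.0.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=3301 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:01:07 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:01:07 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1026 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:01:08 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=1027 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:01:08 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=5 DF PROTO=TCP SPT=1028 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:02:30 gw kernel: WEB-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6 DF PROTO=TCP SPT=1029 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:03:00 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7 DF PROTO=TCP SPT=2201 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
May  3 10:03:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=10.0.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8 DF PROTO=TCP SPT=2202 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# The fields the netfilter LOG target writes, in the order it writes them.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_entries(text):
    """Yield (src, dst, proto, dport) for every line that carries a LOG record."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def smtp_fanout(text, relay=LOCAL_RELAY):
    """Map each source to the set of outside SMTP servers it tried to reach.
    Connections to the relay are ordinary mail-client traffic and are not counted."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_entries(text):
        if proto == "TCP" and dport == 25 and dst != relay:
            targets[src].add(dst)
    return dict(targets)


def suspected_mass_mailers(text, threshold=FANOUT_THRESHOLD, relay=LOCAL_RELAY):
    """Sources that sprayed at least `threshold` distinct outside MTAs."""
    return sorted(src for src, dsts in smtp_fanout(text, relay).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dsts in smtp_fanout(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} outside SMTP server(s)")
    print("suspected:", suspected_mass_mailers(SAMPLE_LOG))
```

Counting distinct destinations rather than raw hits keeps a single stray connection (10.0.5.40 above) off the list, which matters when the output is used to pull someone's port.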
IPs connected to MAC addresses, connected to the names of the users.
Next time there's a network flood, put a sign with the name of the computer owner on the notice board, with a note saying that's who the students have to thank for the current outrage.
Let the problem fix itself.
1. Educate them on the recent nopir.b virus, that'll put the ***** up any student.
2. Educate them on Eset Nod32 antivirus, it's written in assembler and doesn't slow up your machine, fill it with bloat, it monitors internet traffic, and I've never yet seen it hang, unlike all other well known, free or commercial, AV apps.
The new 2.5 beta's also checks for spyware I've read.
And it's cheap too.
(sorry to sound like an ad but I've been working in IT for 10 years I've always actively hated having to run AV apps, and seen them as a necessary *EVIL* till now)
2. try to get the university to buy a license, or have an initial connection & checkup fee that just covers the AV cost maybe?
3. as many others have said already you need an agreement they sign before connecting, to run AV (nod!) and keep system clean or accept that you can be disconnected without notice as you are the cancer preventing the productiveness of the other students.
The document must contain non windows clauses for suitable setups for *nix/mac.
Use something like Enterasys intelligent switches. Let them auth using 802.1X. Then setup rules that detect malicious behaviour (use packet rates, ping sweeps etc to detect). When this behaviour is detected the switch will drop their port into a quarantine state.
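The two behavioural rules this comment names (packet rate and ping sweeps), as an added Python example that is not the commenter's code and does not use any Enterasys feature: it runs a per-port sliding window over constructed packet records and returns which switch ports would be dropped into quarantine and why. The window length, the rate limit, the fan-out threshold and the record format are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0    # assumption: length of the sliding window
PACKET_RATE_LIMIT = 50   # assumption: packets per window before a port is quarantined
SWEEP_FANOUT = 20        # assumption: distinct echo-request targets per window


def quarantine_decisions(records, window=WINDOW_SECONDS,
                         rate_limit=PACKET_RATE_LIMIT, fanout=SWEEP_FANOUT):
    """records: iterable of (timestamp, switch_port, src_ip, dst_ip, proto).
    Returns {switch_port: reason} for every port that tripped a rule, recording
    the first reason that fired; the port would then be moved to quarantine."""
    recent = defaultdict(deque)   # port -> deque of (ts, dst, proto) inside the window
    flagged = {}
    for ts, port, _src, dst, proto in sorted(records):
        q = recent[port]
        q.append((ts, dst, proto))
        while ts - q[0][0] > window:    # evict packets that fell out of the window
            q.popleft()
        if port in flagged:
            continue
        if len(q) > rate_limit:
            flagged[port] = "packet rate"
        elif len({d for _, d, p in q if p == "icmp-echo"}) >= fanout:
            flagged[port] = "ping sweep"
    return flagged


def constructed_records():
    """Made-up traffic for three ports: a sweeper, a flooder and a normal host."""
    recs = []
    # Gi1/0/7 pings 25 consecutive addresses in five seconds: a worm hunting for neighbours
    for i in range(25):
        recs.append((100.0 + i * 0.2, "Gi1/0/7", "10.0.5.7", f"10.0.5.{100 + i}", "icmp-echo"))
    # Gi1/0/12 sends 60 packets to one host in two seconds: a flood
    for i in range(60):
        recs.append((200.0 + i * 0.033, "Gi1/0/12", "10.0.5.12", "10.0.5.1", "tcp"))
    # Gi1/0/3 talks to three hosts at a sane rate and should stay untouched
    for i in range(8):
        recs.append((300.0 + i * 7.5, "Gi1/0/3", "10.0.5.3", f"10.0.5.{50 + i % 3}", "tcp"))
    return recs


if __name__ == "__main__":
    for port, reason in quarantine_decisions(constructed_records()).items():
        print(f"{port}: quarantine ({reason})")
```

Keying the state on the switch port rather than the source IP is what makes this usable with 802.1X: the port is what the switch can actually move, and it stays correct if the infected host changes address or spoofs one.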
2. someone write a virus killer that spreads using the virus techniques, DUH!!!
;)
3. firewall em, and ONLY let them look at help.local.net which will clean them, or if its girl, trade um.. u know what for instant fix.
4. have a wall of shame in the hall way showing who has the most viruses installed.
Liberty freedom are no1, not dicks in suits.
you're expecting art,music, and philosophy majors to be as computer literate as you.
what about new viruses that infect machines before security vendors create av defs to combat them? or before the monthly MS patch release?
so, even users w/current av and win updates can have their machines infected.
more importantly, many attacks are designed to provide back door access and once the trojan does its dirty work, simply removing the malicious file isn't going to improve traffic flow across your network.
for instance, a virus infects your computer before norton creates definitions for it. an irc bot gets installed on your computer and your i.p. is now a hot target for d/l movies, dvds, credit card #'s, etc.
a few days later, norton releases new defs for that virus. ok, even if your av quarantines or deletes the infected file, you have to know how to search for irc bots or keyloggers.
av doesn't touch irc clients, http, or ftp and those ports are generally open even on firewalled machines.
so, you're still going to have tons of traffic to the "now cleaned" machine.
the kid's machine got infected. you booted him. he "cleaned" the computer. once you verify that av and win updates are current, you restore access.
how have you reduced your flows? you haven't. and there's no way you're ever going to teach kids who just want to d/l music and porn, play games, surf the web, and leave witty away msgs for their friends to be amazed at how to do all that.
there are answers, many of them complicated, but yours, my friend, is no solution.
so, don't be so hard on the guy. he's asking for help not sarcasm. ok?
Assuming network access requires agreement to a TOS, lobby to make virus protection a requirement of the TOS.
I'd also recommend lobbying to have the organization purchase a site license for a popular AV product.
Any violations should be treated with a port being downed. When the person complains, hand them the CD (or install it for them, or hand them a CD-based scanner that you burn with the latest definitions and performs a full scan as an "autorun.inf" activation). Up their port after they sign a form attesting that they have taken steps to alleviate the problem.
If they're still infected when you turn up the port, down it again.
Sometimes the solution is a policy one and not a technical one.
Maybe it's a dumb answer, but inviting the others to switch to Macs would resolve all virus issues and relieve you of a lot of work!
Regards,
Bart Scholten
Long Time Apple user, no virus scanner, no firewall on, no problems!
Typically this type of comment comes from linux users. I am sorry, but as long as software is piratable (I am not condoning, just stating the facts), you are not going to get people off Windows. They can simply find too many apps for free.
My suggestion would be to let all the other users in the dorm know who is the cause of the problem and explain to them that the reason they can't download their pr0n is because of this user. Sit back and wait for the screams to die down. Then go and have a word with the offending user (if they are still alive).
If a virus struck before our scheme it was like a World war I battlefield and the phone was ringing around the clock.
So, you ask what our idea was? We've 'eliminated' the peer-to-peer aspect. The debian router is now a PPPoE dial-in server. And instead of all the clients having tcp/ip installed on their network cards they have it installed on a PPPoE dial-out adapter.
This provides us with the possibility to limit a user's access to its peers when it is infected. In fact, if a computer is infected, it still has internet access, be it limited. If the infection persists they get locked out, but only after so many warnings.
We've been happy with the setup for a year now. It's a difficult way ... but it's cheap, which is more important in education these days anyway.
An added value is the OS independence; many other alternatives have specific OS needs. There are PPP adapters for every OS I've come across (I wonder if DOS has one!?)
Fire the sys admin for starters.
They should have already identified the main causes of the ongoing problems and should have made recommendations for corrective and preventative actions.
Hi,
:)
Here is how we deal with this issue on our 225,000 user unmanaged MAN (we are a large urban K12):
We use all managed switches, an IDS lets us know when a PC starts acting up (at least if it's a virus that produces traffic, which seems to be the norm these days) we use Nessus to scan the host, which is usually not running any personal firewall, see if we can contact the person directly (name or room number in the netbios table) and if that fails, shut off their port in the switch that serves that part of their building. In extreme cases we have turned off entire rooms, floors, and even a whole 3000 student high school at one point. This tends to get people (read: the LAN folks and the users) to understand that they are actually on a network with other people.
You might want to play with hogwash http://hogwash.sourceforge.net/oldindex.html (I have not personally used this, we have a similar (commercial) device that does this kind of thing) and see if that will help you drop some of the outbound traffic/identify infected hosts. Of course regular snort can be configured to modify iptables so you can automatically deny infected hosts net access.
We are at present 4 months away from having managed office systems (insha'Allah) and 4 years from seeing them out in the schools. It's going to be a long, tough, fight... Gee, thanks, Mr. Gates.
peace,
jcw
PS: eeye has a bunch of free scanners for windows machines, and there is ample documentation on IDS and scanning solutions "out there". I find that knowing your current level of risk and where your problem users are (i.e. where things are likely to start) makes work a heck of a lot less stressful.
I have not had time to read every post, so I apologize if this has been mentioned before. I think putting up a gateway server based on Linux would be very helpful. A product like ClarkConnect (http://www.clarkconnect.com/info/) would serve well in that situation. This is the solution I have used. A quote from their website: "The award-winning Linux-based solution includes firewall and security tools, along with file, print, web, e-mail, proxy, antivirus, antispam, content filtering, VPN servers and more. A detailed feature list is shown in the sidebar below." You could also use something like SmoothWall (http://www.smoothwall.org/) as a gateway as well. By setting up a true firewall you can limit the outbound as well as the inbound ports. This will not eliminate the problem but reduce it to a great extent. Further services like antispam and antivirus will bring the number of issues down considerably. The downside to this is that the computer will have to be somewhat beefy. For 500 users look at 3.4Ghz with 2+GB ram and a few nic cards. I know there is no $ for this project, but that is just not reasonable. Getting the money for this would be VERY easy. Say the cost was $10K this would only be $20 per person (500 users). This could be charged as a one time fee or spread over a monthly payment (barring the school would front the $). You could also start this by charging users a fine for not following documented procedures for using the network. Uncontrolled Virus: $50 fine. Allowing your machine to be a Zombie Server: $150 Etc etc etc.. You would have the money in no time! Good luck with this, it may seem impossible now, but it is really not that hard to fix.
I would propose a 1-week Quarantine, where any computer found spreading a virus is removed from the network to allow the owner to clean it, and more importantly, to have a time out to think about the consequences to his peers of his lack of responsibility.
Sure people will bitch and complain when it happens to them, but that's how you know that it's an effective deterrent. To be a deterrent, a punishment has to be unpleasant, and the people have to know that it will be enforced consistently. When a person learns that every time his computer gets infected with a self-spreading virus, he goes without e-mail, chat room, and divx downloads for a week, things will change.
Make sure to loudly announce this change in policy beforehand. Suggest good anti-virus and firewall software, preferably free and/or site-licensed to remove any genuine impediment to people installing and using it. This may be a bit of a nightmare to enforce the first time, with say half your network infected. But the second time around, you will have fewer affected machines. And even fewer the third time.
Sometimes in a shared environment, peer pressure might work. When the network is brought down. Fix the problem and notify everyone in the complex -- (I'm not sure if its legal of course.)
"Sorry about the network outage today-- Davey Jones brought down the network via a ping flood. If you have any question about what happened please see Davey in apt 23B."
really, you do have to force people to keep their systems clean otherwise the network is unusable to everyone. one solution we have come to at a major university is to block the connections of any computers detected to have a virus that is creating undue network traffic. all of their http requests are pointed to a special web page explaining the problem and the steps to correct it (of course we offer assistance). when you have that many computers on a network, you really have to strong-arm users some times in the interest of keeping the network safe and clean (and usable)
I work with exactly the same situation, helping maintain a halls of residence network where machines are owned by the students. We have the following setup which seems to work pretty well:
1. the switches drop any traffic between machines in the network to stop malicious traffic propagating (except to the server obviously :p)
2. all students' data quantities are monitored so if a student is using a large amount of bandwidth consistently over a number of days an enquiry is made into whether the student is aware that they are sending/receiving a lot of data. If they were only downloading linux distros or something that's fine, however if they were only checking email then their machine's connection is blocked until a virus scan is complete and the machine is fixed.
3. Regarding security, a CD and infosheet is handed to users on arrival to the halls with a slip they have to sign saying that if their machine is found to be sending viruses/spam etc then it will be disconnected from the network until it is fixed (by them). The CD contains Spybot/Adaware and AVG antivirus for those who don't have antivirus software.
4. Ports access is heavily restricted, no p2p traffic for example. (I'm from the UK and the laws that were explained to me are that if a company/organisation runs a network which is engaging in illegal activity then the company is just as liable for copyright theft as the users are, as they are responsible for their network and must take "reasonable" actions to prevent it)
As a warning you will get a lot of flak from students for "restricting the access that they paid for!" even though in the actual halls contract that they sign it states that "internet access is provided for academic use only".
While this seems a little harsh if people really wanted to do LAN gaming for example they can always set up a separate network to do so.
Hope that helps
Sam
500 is a lot to support. It'd be wonderful if they could even throw you $1/month each. I DON'T think that's too much to ask and it's a way of showing that they appreciate what you're trying to do.. Ungrateful bastards.
As far as virus protection, I think you're in a tough spot. Unless you can implement some of the filtering or DHCP rules and setup a web server with a 24 hour "You're Infected" page, your only option is voluntary participation..
1. Advertise discount virus software. McAfee's Managed VirusScan (formerly called ASaP) is a very easy-to-manage virus service. It's idiot proof on the desktop end, and you see all of the reports of infections each week. Additionally, you can use the admin page as your e-mail list as each terminal will be registered under the primary user's address.
I don't even know how low pricing goes in bulk, but around here it's under $45/seat for 2 years in the 2-25 seat range.
2. Start cataloging users by IP address and post their picture in a public area when their infection disrupts the network. Include embarrassing captions referencing their intelligence, excessive viewing of pr0n, and general idiocy.
I'm sure there are other ideas in this neighborhood. My point is, use the community to pressure the infected to become the healed! And OFFER all of them the tools to let you watch their backs so they can resume their lives.
If they whine about moving and not using the 2 years, get them a pro-rated refund when they move and re-use the license on the new tenant.
Best of luck!
Someone gets infected, disconnect them until they are clean. Second offense, disconnect them, and they only get reconnected via a filter box, which they pay rent on, say, $50 a month with a minimum of 3 months.
Alternatively, at the second infection, require them to pay a pro to clean their system and update their scanning software, since they've proven they can't do it themselves. They don't get reconnected until they can show a receipt from an approved vendor.
I have a linux distribution for routers called Route Hat, http://www.routehat.org/, which has lots of features in this area. It is also used by several dormitory networks, largest one about 1400 computers. It is optimised for high performance and is 100% open source (the stuff I personally coded is 100% GPL unless the original package didn't permit it).
Features for (well, AGAINST actually) virii:
It has tons of other features as well (limiting internet access to IP/MAC and coordinating this via DHCP, web interface, ip accounting, can run from small media like USB sticks, easy installation and configuration, ...). The only drawback at the moment is lack of documentation, but now at least I have a http://docs.routehat.org/doku.php?id=rh:howto Install NANO-Howto.
I also have a not yet released program for checking ARP-Floodings (for detecting infected computers).
All features are optional and some (arpflood, vulncheck.pl) are usable also if not used on a router.
I also provide commercial support and stuff.
Yours sincerely,
shurdeek
It appears that you have a social issue (don't care) and not a technical/education issue (can't figure out how to get/install/update the antivirus). Most technical answers really do not work in that environment.
The best technical response to the social issue is usually REALLY an attempt at a social response. I'll talk to you (education), disconnect you (isolation, banishment, ...), or use peer pressure. It appears from your comments you have tried education and have difficulty with banishment, so you have to try other social fixes. How about a PUBLIC weekly/monthly list of the top ten lusers causing a slow/bad network environment. You hog bandwidth (virus, spam, trojans, excessive bittorrent, ...) or cause your neighbors pain (virus, hacking, ...) you make the list. You want off the list, fix the issue and have it stay fixed for a week/month.
Note: this can create a different issue, those interested in 15 minutes of fame regardless of cost. Without a plan to handle that occurrence (banishment is the usual), you risk trading the current issue for a different issue.
An additional technical mechanism is to install a bandwidth management mechanism. If you make the list you get your allowed bandwidth reduced by X% for each week/time you are on the list. Screw up lose 20% of the allowed bandwidth, don't fix it, lose another 20%. After about a month of being on the list, you are down to zero. You stay at zero until the issue is fixed, and then move to say 60% until it stays fixed for X period of time (or it gets reduced again). This is somewhat of a progressive banishment solution which may or may not work in your environment.
Bottomline, you need to pass on the pain to the people that deserve it. Technical solutions do not do that, social ones do. The only technical response to your problem is to find a technical mechanism to enforce a social solution.
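The progressive throttle described in this comment, written out as a policy function (an added example, not the commenter's code). The 20% step and the 60% restore level are the comment's own numbers; that four consecutive clean periods are needed to get back to 100% is an assumption standing in for the comment's "X period of time", and the function only computes the allowance, it does not apply it to any shaper.

```python
FULL_ALLOWANCE = 100           # percent of the normal per-user bandwidth cap
PENALTY_STEP = 20              # lost for each period on the list (from the comment)
RESTORED_ALLOWANCE = 60        # granted once the issue is fixed (from the comment)
CLEAN_PERIODS_TO_RESTORE = 4   # assumption for the comment's "X period of time"


def allowance_history(on_list):
    """on_list: one boolean per period, True when the user made the hog list.
    Returns the allowance (percent) in effect after each period."""
    allowance = FULL_ALLOWANCE
    clean_streak = 0
    history = []
    for flagged in on_list:
        if flagged:
            # Each period on the list costs another step, down to zero.
            allowance = max(0, allowance - PENALTY_STEP)
            clean_streak = 0
        else:
            clean_streak += 1
            if allowance < FULL_ALLOWANCE:
                if clean_streak >= CLEAN_PERIODS_TO_RESTORE:
                    allowance = FULL_ALLOWANCE          # stayed fixed long enough
                else:
                    # First clean period lifts a zeroed user to the restore level;
                    # someone who only lost one step keeps what they have.
                    allowance = max(allowance, RESTORED_ALLOWANCE)
        history.append(allowance)
    return history


if __name__ == "__main__":
    # Constructed history: six bad weeks, then five clean ones.
    weeks = [True] * 6 + [False] * 5
    for week, pct in enumerate(allowance_history(weeks), start=1):
        print(f"week {week:2d}: {'on list' if weeks[week - 1] else 'clean  '} -> {pct:3d}%")
```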
And then everybody take turns beating the snot out of these repeat offenders and their computers. I also like the idea of outing them to the rest of the community and let the chips fall where they may.
I wouldn't sweat the infected computers too much. Sniff 'em out and shut down their net ports. Meanwhile Tarpit 'em. Go to bed happy.
Actually, I have looked at the security rating for both of them based on government sources. Turns out Linux is just as easy to crack. The thing that bugged me the most was that even though windows had more issues, 80% of them could be firewalled out. Linux on the other hand...
Later, when we finally got away from doing government work *shudder*, we started working for a medical software company. Holy hackers batman, you want to know how easy to crack Linux is? Set up a server in Windows with the latest patches, get a really good firewall and set up a fake page for some medical software. Set IIS to say it's apache running on Linux. Make up a bunch of cards with the url on it and pass it out to all the software venders at a large medical software show. Later that night check the logs and see what fun comes down.
In my experience the only os that's secure is the one that doesn't have a tcp/ip stack, disk drive or cpu. Never say something is secure because you happen to know how to install a toy language on an insecure web server. Anybody who uses php is automatically disqualified from ever making any statement about security, ever. You might as well install asp 2.0 on an unpatched Windows XP box.
Linux is really boring from an os standpoint. Now Plan 9......
No one forces them to use the campus network. They are more than welcome to pay for their own connection to the Internet.
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
But they will still have local access to the machines. Local access = root access.
Besides would you accept not to have the root password to your own machine? I most certainly would not (note my machine not the school's/company's)
Force the ports to 10Mbps. Most switches have the capability to change speed on a port by port basis. The students don't really need the faster LAN access. And if anyone complains then just switch that individual user back to 100mbps. It doesn't permanently solve your problems but it'll work.
You should look at these guys: http://www.miragenetworks.com/
They have an appliance that can detect viruses & restrict the infected computer from the net, without requiring an in-line IDS.
They might be out of the budget for your dorm, but you should talk the university into buying one.
When some stupid moron gets a virus use your shiny new baseball bat to beat the crap out of them.
They'll soon learn, through a process known as "morphic resonance".
Shoot the end users.
Another option.. if you control DHCP you control the default route to the internet your clients use. You can setup a Linux box on a static IP and change the gateway IP of anyone (based on MAC address) to that Linux box. The Linux box should forward the packets along to the actual internet gateway. Once traffic is passing thru your machine you can do many things. (Maybe some transparent proxying tied to a virus scanner? Snort with a route to nowhere action? Lots of options once you control the egress point.)
Your subscribers can always override DHCP and enter the correct default gateway but this takes a little know-how and is beyond most lusers.
Redirecting traffic this way has some negative effects on the network (lots of ICMP Redirect Traffic)...it might help to NAT the connections or only route the really offensive users thru this method.
does any one know how to use mdcrack and if you do can you tell me how to crack hashes
So in addition...
I was not confused, I was simply pointing out that until they introduce "-1 I don't agree", the choice between moderation and response is a no-brainer and as you so eloquently point out, I was fully aware that you responded.
And guess what...
'Repost' should have been 'riposte', a spelling mistake - boy do I feel stupid. As for moderation being a response to 'insensible' suggestions, A) Insensible is not the word you mean, and B) I suggest you read the moderation guidelines again.
And guess what else...
You are correct, I did not mean physical network. I incorrectly assumed the article poster had software access to the switches, where he could have accomplished what I suggested with, yes, "a script". Additionally, if you read any of my original post as 'Jargon', sorry but I prefer to use 1 word instead of 5, and as for the company on the moon, sorry, two companies is enough for me.
Beside all that, I suggest in future you avoid posting when angry, as you've come off as a bit of an idiot responding Ad hominem abusive to a rather inoffensive suggestion, you should go back to randomly spitting in the street, as the thug persona befits you.
Get a cheap box you can use as a firewall / proxy server. Change the DHCP setup to point the default gateway to that box. Put a virus scanner on that box (Squid + DansGuardian + ClamAV works nicely) to scan all incoming / outgoing files via FTP/HTTP. Add in a Postfix install using Amavisd-new + SpamAssassin + ClamAV, and you can intercept all incoming / outgoing SMTP as well.
Voila! You have taken control of the network, and moved the virus scanning off the individual desktops.
This is a similar setup to what we use in the local secondary schools.
That's easy - just replace the middle of the car, from the dash through the trunk, with a big rocket. Then make sure you're driving by remote control in case it blows up.
Seriously, though, I had a friend with a Ford Fiesta (or something like that...) that I'm confident would've made 200. Of course, it wasn't really a stock engine anymore. He might've just replaced it outright with something from a bigger car - then he had some kind of custom turbocharger and enhanced timing. I think he said it got to develop like 300 hp or some madness like that. And it was a tiny car...
Whereas I just got rid of my first car and it had a top speed of 92mph on a level road with a tailwind.