Handling Viruses in an Uncontrolled Network?

An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats. We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?" "Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).

I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."

DHCP server is all you need.

[strredwolf]

Just reconfigure the guys that keep spewing to ether deny access, or return that the computer's IP address is 127.0.0.1.

When they come in complaining, babysit them at their computer.

Sure it's an option

[CarrionBird]

by clogging the network, they prevent other people from doing thier work. It's standard procedure at some universities to shut off the ports of problem systems.

Re:Sure it's an option

[David+Horn]

I work as a "student advisor" at Leeds University and every student is issued with a free license to McAfee Virusscan Enterprise.

When connecting for the first time, they have to enter their university username and password so the IP address can be tied to their MAC address and the computer logged.

If their software detects viral traffic from their PC, they're automatically cut off from the net and a webpage comes up explaining why. They don't get re-connected until myself (or one of my colleagues) verifies they have virus scanning software installed and their PC is clean.

First few weeks of term there were a lot of people cut off, but virus infections now are next to nothing because everyone has the software running.

Apart from this, the internet connection here is extremely good. Fast and reliable, and no port blocking.

Egress filtering

[MoogMan]

The idea is simple: Egress filtering.

Strict policies on outgoing traffic for untrusted networks is essential.

I would suggest a default policy of something like www, ssh, msn/aim im, p2p programs (possibly, depending on the uni's rules and regulations).

Providing you have a mechanism for giving the students access to other ports when necessary, then there should be no problem enforcing a strict egress policy.

NetReg

[DA-MAN]

I also don't have any control over the network infrastructure itself, just over our DHCP server.

With this you have all you need to run a NetReg server within your infrastructure. With this you can allow users to register their machines automatically. Any user with a virus or other such malware gets their dhcp entry deleted, and they are on a private network that goes to where you define. I would allow antivirus sites, antispyware sites, and windowsupdate only (or better yet, a local mirror).

Have them send an e-mail to user@host once this is complete and you can re-activate their lease.

Re:NetReg

[vco123]

1. With DHCP and Netreg, you do control the network. Keep your registered leases short ( 2 hrs ).
2. Be sure to disable external DNS calls at the router ACL, to force people to use Netreg.
3. Run 2 instances of BIND with Netreg and selective DNS forwarding to allow Windows Updates, LiveUpdate, IT Support and Spyware. ( see Netreg-l from last August).
4. Bump infected computers out of registration, so that they can't phone home as easily. Alternatively, use groups with ISC DHCP to force an infected MAC to use the Netreg bogus DNS to "quarantine" them.
5. If you can, ask the network dudes to disable 25,135,445/tcp for your unregistered IP ranges. That'll limit the infected PC a bit.
6. If you start to see a virus frenzy, shut ports off fast. It'll save time later.

I've run a 4000 computer RezNet this way for 4 years.
As to infected computers, I'm working on a Netreg extension that includes a "Your're infected" group. It's like being unregistered, but DNS forwards to a virus notification page.

Block MS ports

[rdejean]

Students in our dorms have no need for Microsoft ports, which is the primary reason worms can take down the network. So i block port 137,138,139,445 at the switch port level.

Granted this doesn't solve the virus problem on the computer, but it sure does prevent it from taking down the rest of the network.

Re:You are in control!

[courcoul]

Amen to that! Or, it just may be that his post is only the ceremonial position of "official scapegoat" that takes the fall when the poop really hits the propeller blades... Short recipe for the cure (provided he IS the admin):

• Get an extra PC on the backbone of the network, so it can monitor all the traffic. Anything bigger than a x486 is good enough, say with 128MB or more of RAM.
• Install OpenBSD ( http://www.openbsd.org/ ) on it (most hardened free OS around, so the hackers can't take you down so easily).
• Install SNORT ( http://www.snort.org/ ) on it. Configure to work as a network IDS and keep it up to date with the latest vulnerability/virus plugins.
• Once SNORT gets wind of an infected machine, set it to do one of three things:
• • If you have the tech skills to set it up, have SNORT block out the switch port where the offending PC is plugged in AND send you a message. When the owner cleans up their act, reactivate the port and restore connectivity.
  • Else, have SNORT send you a message with all the details and YOU do the port blocking, if you can. The rest proceeds as above.
  • Else, have SNORT send you a message so you can bitch whomever has the capability to block the port. The rest proceeds as above.
• If your authority is so puny that you cannot do any of these things, you could resort to sending out a mail to all the rest of the users of the network, and letting them know who the miscreant screwing up their connectivity is, and let peer pressure do its thing...

Good luck!

Why does the network go down?

[g-san]

Have you figured out exactly why a few infected computers is bringing down your whole network? I could see if they are scanning local subnets, you would have a lot of broadcast ARP packets. If they are scanning remote network IPs, you may be filling up a cache on the outbound router. Are you sure you don't have a few people just playing with NMAP? Is it inbound traffic or outbound? Identify the nature of the traffic when the network implodes, look for a pattern, and see if you can mitigate that. Use ethereal for that.

This is a *switched* network isn't it? Hopefully yes, and with a firewall also. I really can't see why someone would need inbound tcp/135,137,138,139,445,1025 or udp/135,1026-1029 nowadays. That would prevent malware that is not spread by email or Explorer. I won't recommend you dictate the browser or email client people use, but it's a possibility to have a outbound web proxy not forward any requests from IE.

You might also want to look into snort, you could at least have it alert you when the problem starts, or shut down ports, but sounds like you have not had much luck with that. Note rather than drop people off the face of the earth, at least make sure they can get to antivirus sites and microsoft updates. This is tough without access to the infrastructure but would improve things.

Another suggestion is if you do not have alot of room to room traffic, and you do not have a 100mb conenction to the net, configure all ports to 10mb. At least that way it takes more than 10 users to flood your 100mbit backbone. And users accessing the net are always throttled by your outbound connection so they won't know the difference.

I assume you volunteered for this because you like like this stuff. Note that if you *did* spend more time on this problem than your schoolwork, and came up with a solution, you might not even need to finish school.

Re:Is this really that hard?

[tehcrazybob]

Indeed.

My school has a very effective setup for controlling outbreaks. To start, the network is MAC filtered. Any time you connect to the network with an unlisted MAC address, your browser is redirected to a page containing the university Terms of Service for the network. You read this information, toss in your university ID and password and click I AGREE, and the program adds your MAC to the list.

As outlined in the TOS, there are no warnings. If your computer exibits any viral behavior, your network access is removed. Unless your virus was email-related, you still have access to the mail servers. When you try to use the internet again, you are once again taken to a limited page, which politely tells you that your computer appeared to be infected with a virus. You are given basic cleaning information, as well as the tech department phone number and email address in case you need help. They can also provide you with tools like AdAware, since you won't be able to download these yourself. Then, once you are confident your computer is clean, you call the tech department, and they run a quick check to see that your computer is no longer showing viral activity. At this point, your network access is returned.

There are no warnings. As soon as you cause a problem, the problem (you) is removed. Once you fix the problem, access is restored. I don't know their policy for repeat offenders, but I assume there is something.

netsquid software package works well for this

[gabesk]

This is the method used at Texas A&M University, which I attend, for their residence hall network.

We use netsquid, http://netsquid.tamu.edu/, which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.

It works quite well.

Our solution

[pehrs]

I have been working on a similar network for some time, and dealt with similar problems. I don't know if these are optimal solutions, but here is how we are doing it:

First of all, we have build a simple management system based around SNMPv3. You want this. Take a course in enterprise management or read up on it yourself. The day you stop writing scripts and use a management system instead is the day when you begin to come out on top of the problem. OpenWBEM can be a start if you want to know what can be done.

Here is our setup:
Incoming connections are blocked. There has been a discussion about removing this block and allowing "safe" ports. At the moment the issue is rather pointless as we are behind a NAT due to lack of IP space. Outgoing connections to DNS, SMTP and HTTP/HTTPS are filtered to force people to use our servers. Some of the more notorious p2p protocols are capped to keep the bandwidth usage from going insane.

We have a central register of users. To use the network you have to register and pay a symbolic sum each month. Then you get access to the connection in your room. You are responsible for what happens from your connection. This register gives us an easy way to contact users. To be allowed to join the network you have to sign a paper stating what you are allowed to do and not do. Our TOS are pretty restrictive, but without them we wouldn't be able to manage the net.

After some network outages (Code Red...) we have implemented a quarantine VPN. We have several IDS spread out, and if they detect a computer spreading malware they move the computer to the quarantine VPN. On this VPN the computer can /ONLY/ connect to the DNS server and the HTTP/HTTPS proxy server. This server provides the user with a message about the computer being infected, links to several sites with patches, free AV and updates. And a note that they will have to contact an administrator to get access renewed. The user can continue browsing freely, but don't do anything else. If they want to get back to the usual network they have to clean up their computer.

We also have several special checks for "evilness", most important rouge DHCP servers and ARP spoofing. Anybody caught by these simply get their connection pulled until they have explained themselves. Administrators are notoriously slow when it comes to returning connection to people knowingly doing malicious things on the network.