Handling Viruses in an Uncontrolled Network?
An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats.
We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100 megabit connections in every resident's room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their system's sluggishness. As we only need two or three ping flooding computers to bring down the network, it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers come up with for this and similar problems?"
"Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life take first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).
I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."
- With DHCP and Netreg, you do control the network. Keep your registered leases short ( 2 hrs ).
- Be sure to disable external DNS calls at the router ACL, to force people to use Netreg.
- Run 2 instances of BIND with Netreg and selective DNS forwarding to allow Windows Updates, LiveUpdate, IT Support and Spyware. ( see Netreg-l from last August).
- Bump infected computers out of registration, so that they can't phone home as easily.
Alternatively, use groups with ISC DHCP to force an infected MAC to use the Netreg bogus DNS to "quarantine" them.
- If you can, ask the network dudes to disable 25,135,445/tcp for your unregistered IP ranges. That'll limit the infected PC a bit.
- If you start to see a virus frenzy, shut ports off fast. It'll save time later.
I've run a 4000 computer RezNet this way for 4 years. As to infected computers, I'm working on a Netreg extension that includes a "You're infected" group. It's like being unregistered, but DNS forwards to a virus notification page.
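Added illustration of the DHCP-side quarantine this comment describes (short leases, a group forcing infected MACs onto a bogus DNS); it is a constructed ISC dhcpd.conf fragment, not the commenter's or Netreg's own configuration, and all addresses, the quarantine DNS host and the example MAC are assumptions.

```conf
# Constructed example: ISC dhcpd.conf for a residence network where the
# Netreg-style "bogus" DNS (assumed at 10.20.0.53) answers every name with
# the notification page, and the real resolvers are 10.20.0.10/11.

# Short leases so a host moved into the quarantine group picks up the
# new DNS setting within two hours, as the comment advises.
default-lease-time 7200;
max-lease-time 7200;
authoritative;

subnet 10.20.0.0 netmask 255.255.0.0 {
    option routers 10.20.0.1;
    option subnet-mask 255.255.0.0;
    # Registered, clean hosts get the real resolvers.
    option domain-name-servers 10.20.0.10, 10.20.0.11;
    range 10.20.1.1 10.20.199.254;
}

# Quarantine group: any host listed here still gets an address from the
# pool above, but its DNS is overridden with the bogus server, so the
# worm's phone-home names and the user's browser both land on the
# notification page. Leases are shortened further so release from
# quarantine (deleting the host entry) takes effect quickly.
group {
    option domain-name-servers 10.20.0.53;
    default-lease-time 600;
    max-lease-time 600;

    # One host declaration per infected machine, keyed by MAC address
    # (example MAC, constructed). Add or remove entries and reload dhcpd.
    host infected-room-312 {
        hardware ethernet 00:11:22:33:44:55;
    }
}
```

Because only DNS is changed, a host that hard-codes resolver addresses can still talk outbound; the comment's router ACL blocking external DNS for unregistered ranges is what closes that gap.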
Indeed.
My school has a very effective setup for controlling outbreaks. To start, the network is MAC filtered. Any time you connect to the network with an unlisted MAC address, your browser is redirected to a page containing the university Terms of Service for the network. You read this information, toss in your university ID and password and click I AGREE, and the program adds your MAC to the list.
As outlined in the TOS, there are no warnings. If your computer exhibits any viral behavior, your network access is removed. Unless your virus was email-related, you still have access to the mail servers. When you try to use the internet again, you are once again taken to a limited page, which politely tells you that your computer appeared to be infected with a virus. You are given basic cleaning information, as well as the tech department phone number and email address in case you need help. They can also provide you with tools like AdAware, since you won't be able to download these yourself. Then, once you are confident your computer is clean, you call the tech department, and they run a quick check to see that your computer is no longer showing viral activity. At this point, your network access is returned.
There are no warnings. As soon as you cause a problem, the problem (you) is removed. Once you fix the problem, access is restored. I don't know their policy for repeat offenders, but I assume there is something.
Computers need to explode more often.
This is the method used at Texas A&M University, which I attend, for their residence hall network.
We use netsquid, http://netsquid.tamu.edu/, which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.
It works quite well.