Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling Viruses in an Uncontrolled Network?

Posted by Cliff on

An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats. We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?" "Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).

I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."

9 of 579 comments (clear)

  1. Is this really that hard? by Scott+Lockwood · · Score: 5, Insightful
    Hm... Seems pretty simple to me.
    1. Have someone at the school make them sign something that says they will have virus protection and spyware protection on their machines, and that it be kept up to date. Failure to keep the machine clean can result in suspention of service at any time.
    2. When one of them has an infected machine that starts pinging the shit out of your network, Unplug them!
    3. Point to document mentioned in step 1 above when they start whinging about it.

    There see, that wasn't too hard!
    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
    1. Re:Is this really that hard? by _Sharp'r_ · · Score: 5, Insightful

      Or slightly faster:

      1. IDS set to trigger on specific patterns and events (if you have been seeing this stuff on your network constantly, you'll know what to look for already.), you can even set some up free using FOSS.
      2. the IDS alerts then trigger shutting down their switch port and notify an admin. Depending on your switch port mapping database, you can even email the user.
      3. See Scott's post above for signature/cleaning cycle.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:Is this really that hard? by Anonymous Coward · · Score: 5, Insightful
      But theproblem is these are students and they have work to do. by pulling their plug you are not allowing them to get the work done that they are I presume there to do. So thats not an option.
      That's like saying you can't take a drunk driver's license away, because he needs it to drive to work.

      His "need" is his problem, not yours. He should have thought about that, before he decided to engage in activity that threatened other people.

      Fuck this whole "buy more filters" thing. Place the burden on the users, and then users who behave intelligently, won't have any burden. That is the fair thing to do.

    3. Re:Is this really that hard? by Chyeld · · Score: 5, Insightful

      To put this politely, if they can't be bothered to keep their system clean, they can't have access to the free network.

      To say that 'they have work that must be done' is ignoring the fact that the umpteen (insert hyperbolic number) other users ALSO have work to that must be done and in this case the good of the many out weighs the good of the few or one (damn, did I actually find a good excuse to use that line?).

      Yes, by all means, research methods to contain and control any outbreaks to reduce the issue when they do occur; but in this case prevention is far, far, more effective than mitigation.

  2. Move out? by Eezy+Bordone · · Score: 5, Insightful

    Seriously, volunteering to be THE on-site tech support for 500+ users is insane, especially since you're not even getting a discount on your housing. Quit the job or move out so you can worry about your own network.

    --

    -EB

    Do you ever walk alone like a drifter in the dark?

  3. Ban them by nadamsieee · · Score: 5, Insightful

    Isolate the computers that are spreading the virus and shut down their access to the DHCP server based on their MAC address. Then make the reconnect process as painful (yet educational) as possible. >:)

  4. Stop volunteering by lelitsch · · Score: 5, Insightful

    Seriously, it seem like this is an unsolvable problem and neither the users nor the administration seem to want to spend any effort in fixing it. So the sooner you realize that there is nothing you can do, the better. Help out with the IT system at your local Humane Society, womens shelter, or similar instead.

    Oh, and get your own DSL or cable modem.

  5. Stage virus drills by bigtallmofo · · Score: 5, Insightful

    Send them emails with executable attachments. If they click on the attachments, ban them from the network for a week.

    Send these out frequently. Soon they'll instinctually hit the DEL key when something with an attachment comes in.

    --
    I'm a big tall mofo.
  6. Re:Simple. by jemenake · · Score: 5, Insightful
    You need more power. Otherwise you will fail in your job
    Just about all of the posts thus far have been along the lines of "Pull the plug on the people who don't care until they *do* care.... IF the administration will let you."

    Here's an alternative to the "IF the administration will let you" part. Make use of the fact that nobody else really understands what it is the wizard (you) does behind the curtain:

    Implement whatever service termination solution you feel necessary (whether by writing/downloading some automated system, or by doing it manually yourself). When the offender calls to complain, *don't* say that they were shut off administratively. Tell them that the massive traffic from their machine "overloaded" the port they were on (tell them it's kinda like a circuit breaker on house wiring).

    They'll say that this never happened before. Tell them that they've got a newer, more-aggressive virus.

    They'll ask that their port be "reset". Tell them that, due to all of the machines that they helped infect, and to the convoluted process for "resetting" a port, there's a backlog of a couple days before you can get their port reset.

    Maybe they'll ask if you can just plug them into a different port. Tell them that they're all maxxed out.

    At some point, Administration might ask why this is happening. Tell them the same thing you told the users... new, nastier viruses. They might ask what new equipment they could get to fix the problem. Tell them that the BFS-9000 can do it... but it's very... very expensive. It would be much cheaper for everyone to just use virus protection.