Slashdot Mirror


Handling Viruses in an Uncontrolled Network?

An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats. We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100 megabit connections in every resident's room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their system's sluggishness. As we only need two or three ping-flooding computers to bring down the network, it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers come up with for this and similar problems?"

"Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life take first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).

I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."

20 of 579 comments

  1. No more access by nizo · · Score: 4, Interesting

    Forcing people to have up-to-date virus/firewall software before they can even connect to the network would be a good start. Turning network connectivity off for offending computers/users for progressively longer spans of time after they infect the network seems like a good deterrent as well. I suppose posting the names of people who infect the network and bring it down might work, though the screams from the public beatings might make it hard for you to sleep at night.

  2. chemical castration by Kyle+Hamilton · · Score: 2, Interesting

    chemical castration might work

    --
    Linux is like living in a teepee. No Windows, no Gates, Apache in house.
  3. Easy fix. by baryon351 · · Score: 2, Interesting

    > What solutions have Slashdot readers came up with this and
    > similar problems?"

    Easy. Disconnect them at the first sign of virus trouble. Don't let them back until they can prove they've fixed it.

    When their fresh new computer lasts an hour on the network before you pull it down, they'll soon decide to fix it.

  4. Re:Is this really that hard? by Saven+Marek · · Score: 1, Interesting

But the problem is these are students and they have work to do. By pulling their plug you are not allowing them to get the work done that they are, I presume, there to do. So that's not an option. What you have to do is look for a better firewall for the network so it doesn't allow any virii in in the first place.

    Also, spread some routers out in the network that can actively block virii attacks. That way you are restricted to only part of the network causing problems, and problems are kept within the source, or close to it.

  5. Turn their ports off by Anonymous Coward · · Score: 1, Interesting

    Get a switch with some management software and start shutting off ports when their boxes go Zombie. Increase the off time with every infraction. They'll learn to fix their stuff pretty quick.

  6. Paging IT Department by iridium18 · · Score: 2, Interesting

    "I also don't have any control over the network infrastructure itself, just over our DHCP server."

    Well someone has control over the network infrastructure itself, and it's their job.

    --
    Standard I/O Error. Incompetent/Operator.
  7. They have a Virus? CUT THEM OFF. by Mr.+Flibble · · Score: 2, Interesting

    Simple as that. If they are damaging the network then they are a threat to the network and even if they buy a super fast machine to compensate... yippee fucking do.

    Anything that damages the network as a whole must be blocked. Revoke their DHCP access, or something similar (I don't know how the network is routed, so I can't give a more detailed answer.)

    When they learn to not get infected, then they can use the network again. It is that simple.

    However, if you are in a position where you cannot do this (then I would walk away personally...) then look into using something like Hogwash (Those guys need some development help BTW (Hint Hint Slashdot community - Hogwash is a wicked project...))

    --
    Try to hack my 31337 firewall!
  8. Use the DHCP server as a reward by Ktistec+Machine · · Score: 2, Interesting

    First, if you have a core of machines you know to be well-configured, set up your DHCP server to give out IP addresses to only those machines, by MAC address. Anyone else who wants to use the DHCP server will need to convince you that they have antivirus software installed (and configured for automatic updates). Once they've convinced you, you add them into the list of MAC addresses recognized by the DHCP server.
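    An added example of the allowlist approach above, not code from the original post or from any DHCP server's own configuration: a small POSIX shell script that turns a vetted list of MAC addresses into an ISC dhcpd configuration fragment. `deny unknown-clients;` makes the pool refuse every client without a matching `host` declaration, so a resident gets a lease only after their MAC has been added. The subnet (10.20.0.0/22), the pool range, the router address and the input format (one `MAC hostname` per line, `#` comments allowed) are all assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): render an ISC dhcpd.conf
# fragment that leases addresses only to an allowlist of MAC addresses.
# Assumptions (invented for the example): ISC dhcpd syntax, subnet
# 10.20.0.0/22 with gateway 10.20.0.1, and an allowlist file whose lines
# are "MAC hostname"; blank lines and lines starting with '#' are ignored.

# Print the dhcpd.conf fragment for the allowlist file named in $1.
# Lines whose MAC is not six colon-separated hex octets, or whose hostname
# is missing or contains characters dhcpd would choke on, are reported on
# stderr and skipped, so a typo never silently admits or omits a host.
render_allowlist() {
    list="$1"
    printf 'subnet 10.20.0.0 netmask 255.255.252.0 {\n'
    printf '    option routers 10.20.0.1;\n'
    printf '    deny unknown-clients;\n'
    printf '    range 10.20.1.0 10.20.3.254;\n'
    printf '}\n\n'
    while read -r mac name; do
        case "$mac" in
            ''|'#'*) continue ;;
        esac
        # dhcpd accepts either case; normalise so duplicates are obvious.
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            printf 'skipping bad MAC: %s %s\n' "$mac" "$name" >&2
            continue
        fi
        if ! printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_-]+$'; then
            printf 'skipping bad hostname for %s: "%s"\n' "$mac" "$name" >&2
            continue
        fi
        # A host declaration with no fixed-address makes the client "known"
        # and lets it draw a dynamic lease from the pool above.
        printf 'host %s { hardware ethernet %s; }\n' "$name" "$mac"
    done < "$list"
}

# Usage: ./gen-allowlist.sh vetted-macs.txt > /etc/dhcp/residence.conf
if [ "$#" -eq 1 ]; then
    render_allowlist "$1"
fi
```

    Caveat worth stating alongside the comment's proposal: MAC allowlisting in DHCP only gates address assignment. A resident who sets a static IP, or copies a neighbour's vetted MAC, is on the wire regardless. It raises the bar and gives you a reason to talk to people, but only enforcement at the switch port actually keeps a host off the network.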

  9. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  10. Re:Easy fix. -- NOT! by Anonymous Coward · · Score: 1, Interesting

    > Ain't going to happen with student users on broadband who
    > feel it's their God-given right to abuse.

    if you're taking notice of what students FEEL is their right, then you're starting off on the wrong foot right there.

  11. Re:3 Strikes policy? by lakeland · · Score: 4, Interesting

    Remainder of the year probably isn't smart in an environment that previously has seen no enforcement. I'd be using a sliding scale with punishment at each stage in order to get people used to the idea that you are serious.

    Something like: first offence, 24hr ban; second offence, 7 day ban; 3rd offence, 1 month; 4th offence, one year and an email to all 500 with the photograph of the person who has been stuffing up their computers.

    Once you've got people used to the idea they will be punished you can swap to something like the 3 strikes policy. But at first you're going to get idiots testing you, and so two warnings is too soft while a year-long ban is a hell of a hard first punishment.

    There are alternatives of course. Install an 802.11g network in parallel with strict rules. Disobey them once and you get a stern warning, twice and you're banned for life from it. That way you'll naturally see people migrate to the network which 'works' without the fight with idiots.

    Oh, I'm assuming this is targeted at teenagers at or near college level. If you're dealing with mature adults then it is much easier.

  12. Re:Is this really that hard? by hrieke · · Score: 2, Interesting

    Simple enough, those students who are unplugged due to excessive virus / pinging / flooding / bandwidth hogging apps can use the public PCs in the Library, Computer Lab, and elsewhere.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  13. Re:Is this really that hard? by CyanDisaster · · Score: 2, Interesting

    ...But the problem is these are students and they have work to do...

    There are others that have work to do as well.

    ...by pulling their plug you are not allowing them to get the work done that they are, I presume, there to do...

    But by pulling their plug, it allows the rest of the network to have access to the internet again, in addition to stopping the propagation of the virus that brought down the network in the first place.

    ...So that's not an option...

    So it's much more important to deny everyone access to the network, rather than just a select few who would otherwise ruin it for everyone else?

    ...What you have to do is look for a better firewall for the network so it doesn't allow any virii in in the first place...

    No argument here. Stop the attacks before they start. Prevent the viruses from getting into the network in the first place. Also, maybe make sure that they sign a form stating that if there is any abnormal network traffic coming from their computer, that they know that they will be disconnected in order to (attempt to) prevent additional network problems because of it.

    Just my thoughts...

    Hope be with ye,
    Cyan

  14. Quarantine VLAN by realyendor · · Score: 3, Interesting

    Assuming that clients are on a switched network, move the infected systems to a quarantine VLAN whose gateway IP is the same as the net they came from, but whose outbound requests are NAT'd instead of routed.

    Then, use iptables on the gateway to redirect any request on port 80 to a page that says, "You're infected--clean your system!" Maybe even provide them access to the tools necessary to clean their system via that same webpage.
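    An added example of the quarantine gateway described above, not code from the original post: the iptables rule set such a gateway would carry. It matches on the quarantine VLAN interface rather than on addresses, because, as the comment suggests, the quarantine VLAN keeps the same subnet and gateway IP as the production network so an infected host needs no new lease. Assumptions invented for the example: the quarantine VLAN arrives on interface `vlan99`, the production network is reachable via `eth0`, the "you're infected" page and a small resolver (e.g. dnsmasq with `address=/#/<gateway-ip>`, so every name resolves to the gateway and the browser's first request hits the redirect) run on the gateway itself on ports 8080 and 53, and the local Windows-update / antivirus mirror sits at 10.20.0.10. The `ipt` wrapper prints rules instead of applying them when `DRY_RUN` is set, so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for a
# quarantine-VLAN gateway. Assumptions, all invented for the example:
#   $1  quarantine VLAN interface (e.g. vlan99)
#   $2  production-side interface leading to the update mirror (e.g. eth0)
#   $3  address of the local patch/AV mirror (e.g. 10.20.0.10)
# A captive web page listens locally on 8080 and a resolver that answers
# every name with the gateway's address listens locally on 53.

# Apply a rule, or print it when DRY_RUN is set (review/test without root).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

quarantine_rules() {
    qif="$1"; upif="$2"; mirror="$3"

    # Traffic to the gateway itself: only DNS and the captive page.
    ipt -A INPUT -i "$qif" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$qif" -p tcp --dport 8080 -j ACCEPT
    ipt -A INPUT -i "$qif" -j DROP

    # Hijack DNS so any name resolves to us, then land every HTTP request
    # on the "You're infected--clean your system!" page.
    ipt -t nat -A PREROUTING -i "$qif" -p udp --dport 53 -j REDIRECT --to-ports 53
    ipt -t nat -A PREROUTING -i "$qif" -p tcp --dport 80 -j REDIRECT --to-ports 8080

    # The one thing allowed through: HTTP to the local update/AV mirror,
    # NAT'd rather than routed so the quarantined host never gets a real
    # path into the residence network. Everything else forwarded is dropped.
    ipt -A FORWARD -i "$qif" -o "$upif" -d "$mirror" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$qif" -j DROP
    ipt -t nat -A POSTROUTING -o "$upif" -j MASQUERADE
}

# Usage: DRY_RUN=1 ./quarantine.sh vlan99 eth0 10.20.0.10   (review)
#        ./quarantine.sh vlan99 eth0 10.20.0.10             (apply, as root)
if [ "$#" -eq 3 ]; then
    quarantine_rules "$@"
fi
```

    Two things to check before trusting this on a real gateway: the port-80 redirect only helps for plain HTTP, so anything a worm does on other ports is simply dropped by the FORWARD rule without any explanation to the user, which is the intended failure mode; and the mirror rule is by destination only, so if the mirror host also serves anything sensitive it needs its own controls.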

  15. There is NO POINT... by Anonymous Coward · · Score: 1, Interesting

    ... in installing antivirus software as they can only detect OLD viruses! ... in installing anti ( spyware, malware, spamware ) in operating systems that support automatic script ( or anything ) execution.

    You all know what OS I'm talking about...

  16. Re:Easy fix. -- NOT! by argent · · Score: 2, Interesting

    Disconnect them and have them pay YOU for a support visit to get decontaminated and reconnected for enough that it's worth YOUR time to do it. Present that to whoever you've volunteered your time to as the only workable solution... and either walk when they say no, or watch the problem fix itself as the word gets around.

  17. Re:Is this really that hard? by Vengeance_au · · Score: 4, Interesting

    That's just wrong. Here in Australia, you lose your driver's license for drink driving, and you are not behind the wheel of a car for however long you get pinged (6 months being the minimum). You can plead the case in court, but there are very few exceptions made.

    I fully support this policy - you decide to risk MY life on the roads, you pay the penalty. Can't get to work now that you've committed a crime and are doing the "time"? Well, hopefully you will realise how important having a license is to your life, and you won't ever drink/drive again. And also, be thankful you didn't injure or kill another road user, pedestrian or even yourself...

    To segue this back onto topic, same rules should apply in this situation. You put others at risk or deny them access to the network due to your inability to load a freely available, well publicised and mandatory on the network you are using tool, then you do the "time". Access cut off and you can't work? Well, perhaps next time you will ensure the virus scanner and firewall software is running, you won't have the issue, and those around you are not impacted.

  18. Re:Is this really that hard? by Altrag · · Score: 2, Interesting

    There's an even more serious problem with the argument. Drunk driving is an active offense. You have to consciously make the choice to drink and you have to (semi-?) consciously make the choice to drive while drunk.

    Letting yourself get infected is a passive offense -- all you have to do is nothing. And nothing is a fairly easy thing to do when you don't even understand the risks (regardless of how many times you're told, in some cases...)

    It's tempting to bring out the old "this is like guns being banned because you might shoot someone" argument, but really it's not like that at all..

    It's more along the lines of knives being banned because there's a possibility that some nefarious teenager will break into your dorm, steal the knife, and use it to slash your neighbor's porn collection..

    But then again this is the real world and most teenagers would probably just steal the porn in the first place and be done with it.

  19. Re:Sure it's an option by r_jensen11 · · Score: 1, Interesting

    I work as a "student advisor" at Leeds University and every student is issued with a free license to McAfee Virusscan Enterprise.

    When connecting for the first time, they have to enter their university username and password so the IP address can be tied to their MAC address and the computer logged.

    If their software detects viral traffic from their PC, they're automatically cut off from the net and a webpage comes up explaining why. They don't get re-connected until myself (or one of my colleagues) verifies they have virus scanning software installed and their PC is clean.

    First few weeks of term there were a lot of people cut off, but virus infections now are next to nothing because everyone has the software running.

    Apart from this, the internet connection here is extremely good. Fast and reliable, and no port blocking.

    I really hope that the software isn't required to be running to have access to the internet, because otherwise it would be screwing Linux users over big time.
  20. Re:Is this really that hard? by clifyt · · Score: 2, Interesting

    "A wonderful Mac user decided to start up an Airport and serve DHCP."

    Heh! I did that once :-)

    I run a small office for my university as well as being the geek for a larger department and thus felt justified in installing an airport for my own needs. We are confined to a 1930s office building in the basement, so it's not like I was transmitting into space -- there is so much concrete here that it blocks anything more than 30 feet from the wireless -- just enough so that we didn't have to plug in every time someone needed to do a presentation or pull out their personal laptop to throw some info on the LAN.

    Anywho, a few weeks later I find out that our network operations people are scouring the building looking for a rogue DHCP server that's killing people's connections...turns out it was my device.

    Who'd have thunk Apple would have set the damn device to transmit DHCP on the LAN side of things...it was all supposed to happen on the wireless and the local ethernet port. The thing was so well built for its time and so easy to run (unlike most of the other wireless devices when it first came out) that I didn't even think about it.

    Embarrassing...