Handling Viruses in an Uncontrolled Network?

An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats. We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?" "Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).

I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."

No more access

[nizo]

Forcing people to have up-to-date virus/firewall software before they can even connect to the network would be a good start. Turning network connectivity off for offending computers/users for progressively longer spans of time after they infect the network seems like a good deterrent as well. I suppose posting the names of people who infect the network and bring it down might work, though the screams from the public beatings might make it hard for you to sleep at night.

Re:3 Strikes policy?

[lakeland]

Remainder of the year probably isn't smart in an environment that previously has seen no enforcement. I'd be using a sliding scale with punsihment at each stage in order to get people used to the idea that you are serious.

Something like: first offence, 24hr ban; second offence, 7 day ban; 3rd offence, 1 month; 4th offence, one year and an email to all 500 with the photograph of the person who has been stuffing up their computers.

Once you've got people used to the idea they will be punished you can swap to something like the 3 strikes policy. But at first you're going to get idiots testing you, and so two warnings is too soft while a year-long ban is hellova hard for a first punishment.

There are alternatives of course. Install an 802.11g network in parallel with strict rules. Disobey them once and you get a stern warning, twice and you're banned for life from it. That way you'll naturally see people migrate to the network which 'works' without the fight with idiots.

Oh, I'm assuming this is targetted at teenagers at or near college level. If you're dealing with mature adults then it is much easier.

Quarantine VLAN

[realyendor]

Assuming that clients are on a switched network, move the infected systems to a quarantine VLAN whose gateway IP is the same as the net they came from, but whose outbound requests are NAT'd instead of routed.

Then, use IPTABLES on the gateway to redirect any request on port 80 to a page that says, "You're infected--clean your system!" Maybe even provide them access to the tools necessary to clean their system via that same webpage.

Re:Is this really that hard?

[Vengeance_au]

Thats just wrong. Here in Australia, you lose your drivers license for drink driving, and you are not behind the wheel of a car for however long you get pinged (6 months being the minimum). You can plead the case in court, but there are very few exceptions made.

I fully support this policy - you decide to risk MY life on the roads, you pay the penalty. Can't get to work now that you've committed a crime and are doing the "time"? Well, hopefully you will realise how important having a license is to your life, and you won't ever drink/drive again. And also, be thankful you didn't injure or kill another road user, pedestrian or even yourself...

To segue this back onto topic, same rules should apply in this situation. You put others at risk or deny them access to the network due to your inability to load a freely available, well publicised and mandatory on the network you are using tool, then you do the "time". Access cut off and you can't work? Well, perhaps next time you will ensure the virus scanner and firewall software is running, you won't have the issue, and those around you are not impacted.