Slashdot Mirror
Handling Viruses in an Uncontrolled Network?
An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats.
We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?"
"Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).
I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."
I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."
There see, that wasn't too hard!
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
Forcing people to have up-to-date virus/firewall software before they can even connect to the network would be a good start. Turning network connectivity off for offending computers/users for progressively longer spans of time after they infect the network seems like a good deterrent as well. I suppose posting the names of people who infect the network and bring it down might work, though the screams from the public beatings might make it hard for you to sleep at night.
I Am My Own Worst Enemy
If you have gotten a job administrating a network for 500 computers, then it is not an uncontrolled network. YOU ARE THE ONE IN CONTROL. If there is currently no policy for restricting usage of the network based on client problems such as ignoring viruses, then I strongly suggest that you write one up now and implement it. Start blocking the MAC addresses of the users that are the abusers. If you just sit back and don't take control, you will soon find that students have little added value of your network and may start to move out, which might leave you without a job.
I'll leave it to other slashdotters who are network admins to flame the hell out of this guy.
You are DOOOOMMMMMED.
chemical castration might work
Linux is like living in a teepee. No Windows, no Gates, Apache in house.
Write your own virus to send them massive payloads of anti-virus software. :P
Have you considered spankings? At least for the hotter co-eds. After all, they should know better.
It sounds like you've been completely neutered. If at all possible, talk to the administration about instituting a "3 strikes" policy. That is, if someone's computer causes a network-wide issue 3 times, their network drop stops working for the remained of the year.
That'll clean their acts up in a hurry, or at least make your life easy.
Even Jesus hates listening to Creed.
Seriously, volunteering to be THE on-site tech support for 500+ users is insane, especially since you're not even getting a discount on your housing. Quit the job or move out so you can worry about your own network.
-EB
Do you ever walk alone like a drifter in the dark?
Isolate the computers that are spreading the virus and shut down their access to the DHCP server based on their MAC address. Then make the reconnect process as painful (yet educational) as possible. >:)
> What solutions have Slashdot readers came up with this and
> similar problems?"
Easy. Disconnect them at the first sign of virus trouble. Don't let them back until they can prove they've fixed it.
When their fresh new computer lasts an hour on the network before you pull it down, they'll soon decide to fix it.
If you can't put the bad users on a slow switch, and force them through an even slower proxy to make their life hell, then see if you can't organise a minimum disconnection period. Say 10 days or so to reconnect the idiots who keep getting infected. Since you control the dhcp server, you could filter them out by their mac address so they can't wander over to someone elses room to connect. Yes, they could probably circumvent this with a little knowhow, but let's face it, an idiot who's managing to become a virus writer's bitch every week isn't likely to have too much in the way of technical knowledge...
Code, Hardware, stuff like that.
Regarding revenge might help you come up with, shall we say, colorful solutions to your problem. Either that or figure out a way to have all of their papers "lost" due to the virus;-) In this regards, I would suggest that you channel your inner BOFH.
If brevity is the soul of wit, then how does one explain Twitter?
myswitch> (enable) set port disable
-dk
Dream with the feathers of angels stuffed beneath your head.
It really sounds like you're wasting your time.
You don't have control over the users, the machines, or the routers; so what the hell can you expect to do?
Sounds like the best option is to unplug the offending machines from the patch panel until they can demonstrate they are virus-free. Although that is likely not a viable solution if these are paying customers.
Seriously, it seem like this is an unsolvable problem and neither the users nor the administration seem to want to spend any effort in fixing it. So the sooner you realize that there is nothing you can do, the better. Help out with the IT system at your local Humane Society, womens shelter, or similar instead.
Oh, and get your own DSL or cable modem.
You need more power. Otherwise you will fail in your job ( unless you take to violence ).
Students need to be kicked off the network until their computers are clean. If they are kicked off x times, they are off until they come to you and sign a form saying they understand how to keep their computer clean. y more time(s), they are off for the rest of the semester.
Simple, effective. You will need a couple decent switchs capable of shuting down ports ( or you could just yank the wire ).
If you don't have this level of power over the network, get rid of any access you do have. The higher ups only want a scape goat.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Just reconfigure the guys that keep spewing to ether deny access, or return that the computer's IP address is 127.0.0.1.
When they come in complaining, babysit them at their computer.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
Send them emails with executable attachments. If they click on the attachments, ban them from the network for a week.
Send these out frequently. Soon they'll instinctually hit the DEL key when something with an attachment comes in.
I'm a big tall mofo.
First off - something that EVERYONE should be doing - make sure spoofed packets dont leave your network. This helps you, and it helps those of us (like me) who run websites who are frequent victims of DDoS attacks - you just may reduce my DDoS from 3Gbit/sec to 2.9Gbit/sec :)
So... you know your internal addresses. You know your external addresses. At the external firewall, block all packets going out that don't have a matching source address in the header. Most all virii nowadays use spoofed headers to hide the actual source - simply block packets that match this criteria.
Second, you can use QoS at the firewall level to prevent one computer from using more than their share of bandwidth. Nearly all firewalls (even open source Linux and BSD solutions) offer quality QoS.
Third, you can identify virii that cause issues, and detect them - usually they are built with backdoors on a certain port - check for that port being open, and block their access.
Fourth, institute a punishment for students who don't fix their issues. One warning, then they lose access for a period of time. This needs to be their responsibility - just make sure that help is available to students who can't protect themselves, perhaps a student IT club can help them or something like that.
Depending on how sophisticated your switching hardware is, you might be able to implement QoS there, to prevent a single system from flooding the network. Additionally, you may be able to simply throttle back each port (if you have a 100Mbit uplink to the internet, set each port to negotiate only at 10Mbit).
Also, choose software packages for different platforms that you can recommend they use to fix any problems that arise - standardization makes management easier.
If you have the budget for it, you could look into locally placed firewall boxes whose focus is to detect and eliminate virii - they're expensive and less common than your standard SonicWall box, but can be found. Might be a last resort unless you have deep pockets.
Good luck!
by clogging the network, they prevent other people from doing thier work. It's standard procedure at some universities to shut off the ports of problem systems.
Free Mac Mini Yeah, it's
The idea is simple: Egress filtering.
Strict policies on outgoing traffic for untrusted networks is essential.
I would suggest a default policy of something like www, ssh, msn/aim im, p2p programs (possibly, depending on the uni's rules and regulations).
Providing you have a mechanism for giving the students access to other ports when necessary, then there should be no problem enforcing a strict egress policy.
I also don't have any control over the network infrastructure itself, just over our DHCP server.
With this you have all you need to run a NetReg server within your infrastructure. With this you can allow users to register their machines automatically. Any user with a virus or other such malware gets their dhcp entry deleted, and they are on a private network that goes to where you define. I would allow antivirus sites, antispyware sites, and windowsupdate only (or better yet, a local mirror).
Have them send an e-mail to user@host once this is complete and you can re-activate their lease.
Can I get an eye poke?
Dog House Forum
You're doing this for free? I wouldn't even do this job for pay -- unless it was something like Bill G's salary. You will never educate kids who will click on anything that promises free porn, download and use every ad/spyware infested P2P program out there, and not think it's their fault because they can't be bothered to even update their anti-virus.
The system will be in trouble continuously because even if most were actually responsible users, it only takes a few irresponsible ones to mess it up for everyone, and it will always be your fault!
And if, pray tell, things actually do run perfectly for a few hours, or days, don't expect any thank you's from that ungrateful crowd.
And as you said, you're not even getting paid for this. Bet this means you have effectively No Authority to fix anything or punish anyone otherwise. Try to kick off a multiple repeat offender and guess whose ass ends up in a sling when they go whining to the university president.
Have fun!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Students in our dorms have no need for Microsoft ports, which is the primary reason worms can take down the network. So i block port 137,138,139,445 at the switch port level.
Granted this doesn't solve the virus problem on the computer, but it sure does prevent it from taking down the rest of the network.
"those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness"
You're not looking at this realistically. The statement above betrays your frustration. You see the users as stereotypes of carelessness and stupidity.
So they buy faster computers when they get infected? And how often does your typical student buy a faster computer? Every day? Every week? I think not! Yet, how often do people get infected? From the way you describe the problem, it is quite often.
Users already have incentives to keep their computers virus free. Nobody likes getting a virus. It slows their computer down and makes it hard to use. They can't just run out and buy a new computer! Your harsh stereotyping is ignoring the reality of what students face.
So, the first step is to get a better understanding of the problem. Why not try talking to some users? Not just your techie friends, talk to the average person who knows only how to turn it on and run the few programs they use? I'll bet you'll find out that the real reason for the problem is not that people don't care, because they can just buy new computers! It is because they don't feel confident in their abilities to download, install and run the AV software, and to continue to use their computers with whatever small operational changes the AV software may impose.
I can't tell you for sure what the solution is, but the first step will be to understand the problem better. Resorting to stereotypes of users as malicious or uncaring is only going to take you farther from the solution.
"I also don't have any control over the network infrastructure itself, just over our DHCP server."
Well someone has control over the network infrastructure itself, and it's their job.
Standard I/O Error. Incompetent/Operator.
Simple as that. If they are damaging the network then they are a threat to the network and even if they buy a super fast machine to compensate... yippee fucking do.
Anything that damages the network as a whole must be blocked. Revoke their DHCP access, or something similar (I don't know how the network is routed, so I can't give a more detailed answer.)
When they learn to not get infected, then they can use the network again. It is that simple.
However, if you are in a position where you cannot do this (then I would walk away personally...) then look into using something like Hogwash (Those guys need some devlopment help BTW (Hint Hint Slashdot community - Hogwash is a wicked project...))
Try to hack my 31337 firewall!
First, if you have a core of machines you know to be well-configured, set up your DHCP server to give out ip addresses to only those machines, by MAC address. Anyone else who wants to use the DHCP server will need to convince you that they have antivirus software installed (and configured for automatic updates). Once they've convinced you, you add them into the list of MAC addresses recognized by the DHCP server.
That's not an easy fix at all. Who are you kidding? If you had to spend less than 5 minutes a week with each computer that's already over a 40 hour work week right there -- and I doubt any solution is that quick. You're not understanding the numbers involved here -- and that's not including travel time, plus being able to meet then on their schedule. Ain't going to happen with student users on broadband who feel it's their God-given right to abuse.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Comment removed based on user account deletion
Of many possible technical & organizational approaches, which you employ depends on what is your goal.
1. If your goal is to be a nice guy who doesn't bother anyone and gets all your studying done, then the most practical technique is to quit volunteering.
2. If you're a music or poly sci major who is not really interested in network administration as a career ... then cut your losses ... this sort of volunteering isn't really helping.
3. But if your goal is to get out of college with something helpful to put on your resume, then treat this like a professional opportunity! Show that you can do a top-notch job of network adminstration by learning the techniques, putting in the time including the hard-nosed ejection of malefactors, and allowing for that time in your study schedule.
After all, when you get your diploma, how many of your competitors are going to be able to say, "I managed a 500-node network, achieving X% of whatever metric most impresses employers.Given the choice between someone who got all A's and someone who accomplished something useful while getting decent grades ... who would you hire?
--- Attorneys Assisting Citizen-Soldiers & Families -
It sounds like your hands have been tied. I urge you to first seek more authority to demand that users install antivirus software. If the powers-that-be refuse to grant you the power to enforce that rule, your only solution is a social one.
Whenever someone's computer brings down the network, publicize his name. Find some way to make his neighbors hold him accountable. Believe me, it will happen. It won't take too many hazings (and rumors of hazings) before people shape up and install antivirus. Most people know about the need for antivirus, they're just too lazy and think "It won't happen to me." So motivate them.
Had this in tradeshows for years. If you cannot control both Layers 2 & 3, forget it.
You need to AT LEAST be able to login to the switches/routers to read MAC tables at the instant there's a problem. ARP would be nice too. You need make no changes, but read-only in non-negotiable. Otherwise give up the job.
Once you have that, you can perfect the steps to find out what's happening when it's happening. THEN you may use whatever eloquently violent steps others are suggesting.
A b/w mgmt appliance would also be a smart investment, they can provide unusual evidence that's remarkably useful. (We'd look at the top talkers, when TCP sessions >800/5 min, we'd know we're lookin' at a naughty person.)
If your responsible for an improvement of the situation, and you're not given the tools, then resignation is the only course. Sticking it out with your hands tied is pointless torture: you'll never get a break, and the torturer will get tired.
I forgot to mention, we used ettercap to detect attacks.
Ettercap:
http://ettercap.sourceforge.net/
Netreg:
http://www.netreg.org/
Netdisco:
http://netdisco.org/
Have you figured out exactly why a few infected computers is bringing down your whole network? I could see if they are scanning local subnets, you would have a lot of broadcast ARP packets. If they are scanning remote network IPs, you may be filling up a cache on the outbound router. Are you sure you don't have a few people just playing with NMAP? Is it inbound traffic or outbound? Identify the nature of the traffic when the network implodes, look for a pattern, and see if you can mitigate that. Use ethereal for that.
This is a *switched* network isn't it? Hopefully yes, and with a firewall also. I really can't see why someone would need inbound tcp/135,137,138,139,445,1025 or udp/135,1026-1029 nowadays. That would prevent malware that is not spread by email or Explorer. I won't recommend you dictate the browser or email client people use, but it's a possibility to have a outbound web proxy not forward any requests from IE.
You might also want to look into snort, you could at least have it alert you when the problem starts, or shut down ports, but sounds like you have not had much luck with that. Note rather than drop people off the face of the earth, at least make sure they can get to antivirus sites and microsoft updates. This is tough without access to the infrastructure but would improve things.
Another suggestion is if you do not have alot of room to room traffic, and you do not have a 100mb conenction to the net, configure all ports to 10mb. At least that way it takes more than 10 users to flood your 100mbit backbone. And users accessing the net are always throttled by your outbound connection so they won't know the difference.
I assume you volunteered for this because you like like this stuff. Note that if you *did* spend more time on this problem than your schoolwork, and came up with a solution, you might not even need to finish school.
Make public who got banned and how often. These guys will start to take care of their security if they get questions like "Surfing porn again, Dude?" and "Why did you get banned _again_ this month? Didnt you just requested access again?"
Others will get aware of the issue too and might be more careful.
Anyone that's smart enough to change their mac address, should be smart enough to keep spyware and viruses off their system.
Also my school used to require that students REGISTER their mac address in order to get access, and the switches / dhcp server would only allow registered macs in.
The student co-op where I lived had around 150-170 machines on the network at any given time. We required each user to 'register' through a php form on the local administrative box. Until the user had registered a given machine (mac address) we redirected all web traffic to the 'you must register to use the internet' page.
We generated id keys for each house member ahead of time and required that they have this key to register. When the user came to get the key we gave them a quick overview of what they should and shouldn't do and introduced them to the software cache on the local network (free AV software, firefox, ad-aware, etc..).
Once the user had the registration key in hand they could go back to their room & register their machine in their name (or any number of machines), we then cleared that MAC address for access to our dhcp server.
The benefit of forcing registration is that we knew who owned each machine and where the person lived. If any virus or trojan was bad enough to endanger network we could go to the switch for that person's floor and pull the plug on their connection.
Alternately if a machine on the network started spewing virus payloads we could just revoke dhcp access and boot the offender off the network - we didn't have to worry about notifying them of virus infestations, we could wait for them to come to us saying "my internet doesn't work, can you fix it?"
I'm a student at the University of Waterloo (Ontario, Canada), and they have a simple solution.
When you get to residence, you sign a form that says you agree to monitor your computer, keep it clean of viruses, up to date with Windows update, et cetera. The terms are made very clear in it. No agreement, no use of the university network.
On your first offence (banned p2p, virus, anything like that), your network drop is disabled until you pay $25 (Canadian dollars; cue jokes about 2 cents USD) and sign a form acknowledging what you did wrong and that you will take action to avoid it in the future. In addition you have to clean up whatever triggered the disconnect in the first place.
Second offense? Disconnected for the rest of the term. That's the end of that.
Hope it helps!
Join the Empire! http://www.empirereborn.net/
But the problem is these are students and they have work to do.
So what? Crap happens...virus ate your thesis, power went out, printer ran out of ink, blah blah blah. Thing is that if you are a responsible person you have contingencies in place to minimise or eliminate the impact of such incidents. If the work is important, you keep backups, spare ink cartriges, update your antivirus, OS, apps, etc...and most importantly you don't procrastinate to the point where you are in crisis mode. If you don't do all of the above then you should be prepared to follow Murphy's Law. If a mishap is unavoidable, you could be granted an extension.
Thing is, it is standard practice for net admins EVERYWHERE to pull the plug at their discretion should your computer be found to causing network disruption. Taht is a standard condition of almost all terms of service. My ISP would knock you off very quickly should they discover an open mail relay, ping flood or other unusual level of activity, and I pay extra for business-grade service. I agree with other posters here--this guy should put in some F/OSS tools to help manage these problems, and immediately terminate all network connectivity of infected machines ASAP.
"I have work to do" be damned. Seriously. Part of growing up and going to school is to learn--and people have to learn the consequences of their actions or inactions--that's life. You have to keep your house clean, pay your bills on time, obey the speed limit and traffic signals, etc. If you don't there are negative consequences. Same goes for PC use: ignoring the TOS, not updating your machine, downloading comet cursors and talking gorillas and chat icons and P2P warez is just inviting trouble. Users who repeatedly do those things despite warnings deserve no sympathy at all and should recieve all the wrath the BOFH can deliver.
Assuming that clients are on a switched network, move the infected systems to a quarantine VLAN whose gateway IP is the same as the net they came from, but whose outbound requests are NAT'd instead of routed.
Then, use IPTABLES on the gateway to redirect any request on port 80 to a page that says, "You're infected--clean your system!" Maybe even provide them access to the tools necessary to clean their system via that same webpage.
Disconnect them and have them pay YOU for a support visit to get decontaminated and reconnected for enough that it's worth YOUR time to do it. Present that to whoever you've volunteered your time to as the only workable solution... and either walk when they say no, or watch the problem fix itself as the word gets around.
We've heard from the:
//gs had a CRONTAB program!). Set their machine up so it automatically, every day, trys to download the latest and greatest updates for the OS, SpyBot, AdAware (or whatever you use), your virus protection program, etc.... The MOST IMPORTANT THING THOUGH - is to always explain what it is you are doing to the person's computer. Don't just dump a bunch of things onto their system. Bring a flyer that explains what it is you are doing and why. Set their system up so they can win and so they don't have to rely on you to be there to make everything function correctly. All of the virus/cookie/ad checking software out there can be set up to function on its own. Some of them (like most virus checkers) have their own scheduling software built in.
1. "It can't be done" crowd.
2. "Be tough about it" crowd.
3. "Go behind their backs" crowd.
and others....
How about this:
1. Get everyone's e-mail address so you can send all of them e-mail at the same time. How do you do that? Ask them to e-mail you - that's how. Of course, disinfect anything they send you because they probably will have a virus or two.
1a. How do you get all of them to send you the e-mail? Go buy some of those blank business card sheets (Avery I believe makes these), print up your message, get someone to help you break them apart, and then just tape them to each person's door. In this way you: 1)Don't have to talk to them, 2)Don't try to force them to do what they don't want to do, and 3)Can do it on your own time (like on a floor-by-floor basis). Cost: Probably about $10.00.
1b. Your message? It should be something like:
Dormitory SysAdmin needs your help!
We need your e-mail address as we
are trying to remove viruses and want
to be able to keep you informed. Thanks!
myemailaddress@thedorms.edu
1c. Put notices on doors leading into the dorm and/or bulletin boards also asking for e-mail addresses. If you can, have someone hand the things out to people as they come in and out of the dorms.
2. Set up a blog where everyone can meet and talk about problems. Use the e-mail addresses to send your notice out about the blog and how to access it.
3. Set up appointments with people to meet with them to show them how to protect their system from viruses, ads, cookies, and other problems.
Ok, let's say you've gotten some responses and want to start to go to other people's rooms to help them out. You want to:
4. Use the scheduler built in to every operating system currently in use (ie: Mac OS X, Windows98se and up, Linux, BSD, Solaris, etc...). For those OSs which are older (although I can't see anyone currently in college using an Apple ][+ or even Mac OS 9.x or earlier) download and bring with you some sort of a scheduler. (Even the Apple
4a. NOW! Here is the important thing! Set the virus/ad/cookie (or VAC for short) to AUTOMATICALLY e-mail you with the results. This too can be done via the scheduler. Give the automatically generated e-mail a special header (like [VIRUS|AD|COOKIE] REPORT FOR ROOM X). There are e-mailer programs for all operating systems which run from the command line. So just make a little batch program/shell script to create your report and e-mail it to you. Again, write it all down in the flyer you are going to give them so they don't freak when their system suddenly starts doing things (like checking for viruses or sending e-mail).
4b. Most virus software's report will read "VIRUS FOUND" and then tell you where and when the virus was found. Write yourself a short Perl/PHP/C/ script which will read these e-mails and sort out which one have viruses and which ones don't have them. Since you made the title have the room number on it - you automatically know who is having problems. So you can e-mail them back and set up a time to go over to fix any problems they might be having. Further, you can produce statistics on where the greatest problems are and post these fi
Someone put a black hole in my pocket and now I'm broke.
You should certainly punish the virus writers, if you can catch them. And you should possibly punish M$ for how big of a hole IE still is, even if Windows itself is better than it used to be. But none of that matters.
To use society's resources, you have to follow society's rules. I can go buy any car I want and drive it at 200 mph - on my own track. But if I want to drive on streets I have to follow the rules, as they apply to my actions (hitting things) even when they may not necessarily have a direct negative impact (speeding, driving on the sidewalks) have only a paper impact (licensing, insurance, registration) or only a preventative impact (headlights, brake lights...)
I can also go buy a used car and have the brakes suddenly fail, running over someone's garden. Note that even if I didn't know, I'm still responsible for the cost of that garden, (unless I JUST bought it and can pass the blame to the previous owner) If the brakes were recalled, it's still my fault for not getting them fixed. If they WEREN'T recalled, but should've been, then that's not my fault.
If you're already providing appropriate, simple, free, publicized resources _that they didn't use_ they are being negligent at best. Kicking them off until sometime after they fix it is a MINIMUM penalty for such negligence.
Argueably they should have to pay for the cost of your time to fix their computer (mandatory since they didn't do it the first time) and to repair any problems caused by their problem - and STILL be penalized in terms of being online.
(Personally I believe that a kick-until-fixed first warning is probably a necessary threshold of publicity - but even the second time they aren't listening I think it'd be very reasonable to escalate it.)
To be clear, I don't think it's reasonable in today's world to hold them accountable for anything their computer does. I think it's NECESSARY to hold them accountable for not following your security procedures to defend against it. Which means you're still going to be snuffed by the virus that exploits the OS hole noone has put out a patch for yet - and I wouldn't blame that on the first kid to get it.
I agree with the other posts - you have to get kick/ban/unplug authority, you have to quit, and/or you have to get paid. 1 of those might do...
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
No point beating around the bush - best to nip the whole problem in the bud.
:)
FWIW, in a college I lived in for three years we had absolutely no security for as many as 1000 people, and we never had any significant network issues, despite the constant virii and other malware roaming around.
IMHO, the best solution is to just "shape" bad users down to the slowest speed possible - dialup if your switch supports QoS for it, otherwise just 10 m/bit or similar. One bad user getting disconnected and whining to someone above you could get you in a bit of trouble - but sapping their speed won't be a reprimandable offense, and will curtail a large part of the problem.
And I wouldn't worry too much about being speedy about removing the limits - just tell them the system is updated once a week, and the next update happens to be just under 7 days from whenever they demand it.
You say you only control the DHCP server. In that case that's the end of your responsibility. Make sure the DHCP server remains stable and healthy. Make those who control the network deal with the problem. There are ton's of solutions to this problem but since you are not really in control of many parts of the network its not your problem.
The most powerfull goal you have here is to segment your network.
You can do this strictly through the DHCP server by using several scopes.
Pass out the following IP's and give your main gateway multiple IP's, or have a machine act as proxy (with multiple gateway ip's for your lan's).
With enough segments, you can isolate problem PC's down to groups of ten or less depending on how you break up your private (or even public) ip's. This will make the majority of others users on your network unroutable to malicous virus's.
Just make sure your gateway (the one with all the .1 IP's for each segment) doesn't route traffic through itself to the other segments.
Gateway = 172.30.1.1, *.2.1, *.3.1, *.4.1, etc....
172.30.1.1 255.255.255.0
172.30.2.1 255.255.255.0
172.30.3.1 255.255.255.0
172.30.4.1 255.255.255.0
etc........
If you have a minimal budget, and your users dont need public IP's, you can buy a bunch of SOHO routers... for about 10-15$ a piece.... 300$ can get you 20 linksys's....
put 25 users on each linksys (with the WAN ports connected to your gateway).... and your users cant directly attack each other (except for the smaller networks behind the linksys's.
If your users have no need at all for direct access to each other... just set out your scope as 255.255.255.255.
192.168.1.1-255 / 255.255.255.255 gateway: 192.168.1.1
now you r users can only reach the gateway and themselves.
As to email virus's, with DHCP you can force traffic to move through any machine you like, and set up a proxy between your "real" router and the network.... that proxy can filter port 25.... looking for viral email.
These solutions arent perfect, but they will greatly slow down propagation across your network, allowing you to respond much faster to problem children without having one bad computer infect everyone else. --VISION
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
If all you've got is control of the DHCP server, your hands are pretty tied. I would suggest setting up fixed leases and BOFH'ing students into submission. Kill the lease of infected machines, then bring 'em back once the infected system is clean. You don't have to be a dick about it, just bring the system back on at your leasure. Of course, you've got class all day and an exam tomorrow, oh and you're going home for the weekend...
Make it clear in polite, simple terms what the users responsabilities are, what will happen if they don't keep their system clean, and why you have to take the action you do. Maybe put together a standard "so you fucked up your system and got kicked off the network" sheet. Educate as much as possible. Yes it feels like you're talking to a wall. But the users will either evolve (get sick of being off the net) or die (find other ways of getting their computering needs met.)
Some people have suggested Microsoft SUS. You need to be able to apply a group policy, or make registry changes on the remote machine. Since you're not inchage of the domain controller, this is a moot point. Also, SUS only works on XP and 2000, so it may not help all users.
There are some people that if they don't know, you can't tell 'em.
This is the method used at Texas A&M University, which I attend, for their residence hall network.
We use netsquid, http://netsquid.tamu.edu/, which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.
It works quite well.
Reading your article, I get the impression that you've tried appealing to both the users and the powers that be without much success. It seems obvious that whatever solution you decide to implement is going to involve a lot of your own time and effort. I suggest you make it worth your while. I don't know what is your particular area of study, but it probably wouldn't be too hard to come up with a way to get some credits for working on this problem. The IT connection is obvious. If you are LA you should be able to work in an angle in psychology, sociology, even some sort of human/technology interface thing for the sciences. Two or three independent study credits might go a long way toward mitigating your frustration. Don't give up if the obvious professors are not responsive - it shouldn't be too hard to find an LA professor delighted to sponsor a program solving a technical problem with a humanistic approach.
As far as method...I suggest you take your lead from the hacker/cracker community. Implement a Social Engineering attack. There are many fine examples of specific techniques to be found in the comments of this thread. I especially like the "scarlet V" approach. I suggest the following:
- "anyone who gets infected is a lamer old school twerp who is so behind the technology curve that they can't even stop high school script kiddies from using them like zombie flesh puppets"
- "allowing your owned machine to infect the local net is dissing everyone in the dorm - especially if you are too clueless to know how to prevent it"
- "you're getting played, you clueless dork, every time you click that stupid 'yes' button it's like bending over and dropping your drawers"
I'm sure you can do a much better job coming up with the proper approach. Just remember that establishing the proper attitude is key - even a few people is a good start. Then public humiliation and shame will work wonders. One advantage of this solution is it will stay with the users after they leave the influence of a network tech fix. Hey, maybe you'll change the world. At least it could help you get a little closer to graduating - and add some stretch to your resume. It might also help you get a little more respect from the powers that be when you slap down your independent study paper with the big, fat 'A' on the cover.
billy - who went to UT - volunteer is NOT a dirty word
I have been working on a similar network for some time, and dealt with similar problems. I don't know if these are optimal solutions, but here is how we are doing it:
/ONLY/ connect to the DNS server and the HTTP/HTTPS proxy server. This server provides the user with a message about the computer being infected, links to several sites with patches, free AV and updates. And a note that they will have to contact an administrator to get access renewed. The user can continue browsing freely, but don't do anything else. If they want to get back to the usual network they have to clean up their computer.
First of all, we have build a simple management system based around SNMPv3. You want this. Take a course in enterprise management or read up on it yourself. The day you stop writing scripts and use a management system instead is the day when you begin to come out on top of the problem. OpenWBEM can be a start if you want to know what can be done.
Here is our setup:
Incoming connections are blocked. There has been a discussion about removing this block and allowing "safe" ports. At the moment the issue is rather pointless as we are behind a NAT due to lack of IP space. Outgoing connections to DNS, SMTP and HTTP/HTTPS are filtered to force people to use our servers. Some of the more notorious p2p protocols are capped to keep the bandwidth usage from going insane.
We have a central register of users. To use the network you have to register and pay a symbolic sum each month. Then you get access to the connection in your room. You are responsible for what happens from your connection. This register gives us an easy way to contact users. To be allowed to join the network you have to sign a paper stating what you are allowed to do and not do. Our TOS are pretty restrictive, but without them we wouldn't be able to manage the net.
After some network outages (Code Red...) we have implemented a quarantine VPN. We have several IDS spread out, and if they detect a computer spreading malware they move the computer to the quarantine VPN. On this VPN the computer can
We also have several special checks for "evilness", most important rouge DHCP servers and ARP spoofing. Anybody caught by these simply get their connection pulled until they have explained themselves. Administrators are notoriously slow when it comes to returning connection to people knowingly doing malicious things on the network.
How to determine the height of a building with a barometer. Sell the barometer. Buy equipment suitable for measuring the height of a building.
You're trying to solve the problem with the tools you have. This is not adequate. You need better tools. Talk to other people who run networks. Decide what you need to be able to do your job. Explain the problem to the higher ups. Ask for the right to do certain things to protect the network.
I work with exactly the same situation, helping maintain a halls of residence network where machines are owned by the students. We have a the following setup which seems to work pretty well:
:p)
:-)
1. the switches drop any traffic between machines in the network to stop malicious traffic propagating, (except to the server obviously
2. all students data quantities are monitored so if a student is using a large amount of bandwidth consistently over a number of days an enquiry is made into whether the student is aware that they are sending/recieving a lot of data. If they were only downloading linux distros or something thats fine, however if they were only checking email then they machines connection is blocked until a virus scan is complete and the machine is fixed.
3. Regarding security, a CD and infosheet is handed to users on arrival to the halls with a slip they have to sign saying that if their machine is found to be sending viruses/spam etc then it will be disconnected from the network until it is fixed (by them). The CD contains Spybot/Adaware and AVG antivirus for those who don't have antivirus software.
4. Ports access is heavily restricted, no p2p traffic for example. (I'm from the UK and the laws that were explained to me are that if a company/organisation runs a network which is engaging in illegal activity then the company is just as liable for copywrite theft as the users are, as they are responsible for their network and must take "reasonable" actions to prevent it)
As a warning you will get a lot of flak from students for "restricting the access that they paid for!" even though in the actual halls contract that they sign is states that "internet access is provided for academic use only".
While this seems a little harsh if people really wanted to do LAN gaming for example they can always set up a separate network to do so.
Hope that helps
Sam
Warning, comments may not have been passed by the sanity department of my brain.