Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling Viruses in an Uncontrolled Network?

Posted by Cliff on

An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats. We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?" "Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).

I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."

16 of 579 comments (clear)

  1. Is this really that hard? by Scott+Lockwood · · Score: 5, Insightful
    Hm... Seems pretty simple to me.
    1. Have someone at the school make them sign something that says they will have virus protection and spyware protection on their machines, and that it be kept up to date. Failure to keep the machine clean can result in suspention of service at any time.
    2. When one of them has an infected machine that starts pinging the shit out of your network, Unplug them!
    3. Point to document mentioned in step 1 above when they start whinging about it.

    There see, that wasn't too hard!
    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
    1. Re:Is this really that hard? by fembots · · Score: 5, Funny

      Is 1. "Profit!!" ??

      --
      Rock that crushes, Paper & Scissors that don't matter.
    2. Re:Is this really that hard? by _Sharp'r_ · · Score: 5, Insightful

      Or slightly faster:

      1. IDS set to trigger on specific patterns and events (if you have been seeing this stuff on your network constantly, you'll know what to look for already.), you can even set some up free using FOSS.
      2. the IDS alerts then trigger shutting down their switch port and notify an admin. Depending on your switch port mapping database, you can even email the user.
      3. See Scott's post above for signature/cleaning cycle.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:Is this really that hard? by Anonymous Coward · · Score: 5, Insightful
      But theproblem is these are students and they have work to do. by pulling their plug you are not allowing them to get the work done that they are I presume there to do. So thats not an option.
      That's like saying you can't take a drunk driver's license away, because he needs it to drive to work.

      His "need" is his problem, not yours. He should have thought about that, before he decided to engage in activity that threatened other people.

      Fuck this whole "buy more filters" thing. Place the burden on the users, and then users who behave intelligently, won't have any burden. That is the fair thing to do.

    4. Re:Is this really that hard? by Chyeld · · Score: 5, Insightful

      To put this politely, if they can't be bothered to keep their system clean, they can't have access to the free network.

      To say that 'they have work that must be done' is ignoring the fact that the umpteen (insert hyperbolic number) other users ALSO have work to that must be done and in this case the good of the many out weighs the good of the few or one (damn, did I actually find a good excuse to use that line?).

      Yes, by all means, research methods to contain and control any outbreaks to reduce the issue when they do occur; but in this case prevention is far, far, more effective than mitigation.

    5. Re:Is this really that hard? by MrAnnoyanceToYou · · Score: 5, Funny

      Ah... nah. I'd say,
      "1. Write short document stating that in 'reparation for virus damage' computers would occasionally be confiscated when they managed to infect multiple computers connected to the local network
      2. Notify them of this agreement and make them sign it
      3. When one of them has an infected machine that starts pinging the shit out of your network, give them a 'first warning'
      4. Point to document in step 1 kindly, in writing, and create yourself an Ebay account.
      5. Repeat
      6. Profit and learn to laugh evilly."

      --
      My little site.
    6. Re:Is this really that hard? by tehcrazybob · · Score: 5, Informative

      Indeed.

      My school has a very effective setup for controlling outbreaks. To start, the network is MAC filtered. Any time you connect to the network with an unlisted MAC address, your browser is redirected to a page containing the university Terms of Service for the network. You read this information, toss in your university ID and password and click I AGREE, and the program adds your MAC to the list.

      As outlined in the TOS, there are no warnings. If your computer exibits any viral behavior, your network access is removed. Unless your virus was email-related, you still have access to the mail servers. When you try to use the internet again, you are once again taken to a limited page, which politely tells you that your computer appeared to be infected with a virus. You are given basic cleaning information, as well as the tech department phone number and email address in case you need help. They can also provide you with tools like AdAware, since you won't be able to download these yourself. Then, once you are confident your computer is clean, you call the tech department, and they run a quick check to see that your computer is no longer showing viral activity. At this point, your network access is returned.

      There are no warnings. As soon as you cause a problem, the problem (you) is removed. Once you fix the problem, access is restored. I don't know their policy for repeat offenders, but I assume there is something.

      --
      Computers need to explode more often.
  2. Simple. by Skudd · · Score: 5, Funny

    Write your own virus to send them massive payloads of anti-virus software. :P

    1. Re:Simple. by jemenake · · Score: 5, Insightful
      You need more power. Otherwise you will fail in your job
      Just about all of the posts thus far have been along the lines of "Pull the plug on the people who don't care until they *do* care.... IF the administration will let you."

      Here's an alternative to the "IF the administration will let you" part. Make use of the fact that nobody else really understands what it is the wizard (you) does behind the curtain:

      Implement whatever service termination solution you feel necessary (whether by writing/downloading some automated system, or by doing it manually yourself). When the offender calls to complain, *don't* say that they were shut off administratively. Tell them that the massive traffic from their machine "overloaded" the port they were on (tell them it's kinda like a circuit breaker on house wiring).

      They'll say that this never happened before. Tell them that they've got a newer, more-aggressive virus.

      They'll ask that their port be "reset". Tell them that, due to all of the machines that they helped infect, and to the convoluted process for "resetting" a port, there's a backlog of a couple days before you can get their port reset.

      Maybe they'll ask if you can just plug them into a different port. Tell them that they're all maxxed out.

      At some point, Administration might ask why this is happening. Tell them the same thing you told the users... new, nastier viruses. They might ask what new equipment they could get to fix the problem. Tell them that the BFS-9000 can do it... but it's very... very expensive. It would be much cheaper for everyone to just use virus protection.
  3. Uncontrolled Viruses by Anonymous Coward · · Score: 5, Funny

    Have you considered spankings? At least for the hotter co-eds. After all, they should know better.

  4. Move out? by Eezy+Bordone · · Score: 5, Insightful

    Seriously, volunteering to be THE on-site tech support for 500+ users is insane, especially since you're not even getting a discount on your housing. Quit the job or move out so you can worry about your own network.

    --

    -EB

    Do you ever walk alone like a drifter in the dark?

  5. Ban them by nadamsieee · · Score: 5, Insightful

    Isolate the computers that are spreading the virus and shut down their access to the DHCP server based on their MAC address. Then make the reconnect process as painful (yet educational) as possible. >:)

  6. Stop volunteering by lelitsch · · Score: 5, Insightful

    Seriously, it seem like this is an unsolvable problem and neither the users nor the administration seem to want to spend any effort in fixing it. So the sooner you realize that there is nothing you can do, the better. Help out with the IT system at your local Humane Society, womens shelter, or similar instead.

    Oh, and get your own DSL or cable modem.

  7. Stage virus drills by bigtallmofo · · Score: 5, Insightful

    Send them emails with executable attachments. If they click on the attachments, ban them from the network for a week.

    Send these out frequently. Soon they'll instinctually hit the DEL key when something with an attachment comes in.

    --
    I'm a big tall mofo.
  8. Re:NetReg by vco123 · · Score: 5, Informative
    1. With DHCP and Netreg, you do control the network. Keep your registered leases short ( 2 hrs ).
    2. Be sure to disable external DNS calls at the router ACL, to force people to use Netreg.
    3. Run 2 instances of BIND with Netreg and selective DNS forwarding to allow Windows Updates, LiveUpdate, IT Support and Spyware. ( see Netreg-l from last August).
    4. Bump infected computers out of registration, so that they can't phone home as easily. Alternatively, use groups with ISC DHCP to force an infected MAC to use the Netreg bogus DNS to "quarantine" them.
    5. If you can, ask the network dudes to disable 25,135,445/tcp for your unregistered IP ranges. That'll limit the infected PC a bit.
    6. If you start to see a virus frenzy, shut ports off fast. It'll save time later.
    I've run a 4000 computer RezNet this way for 4 years.
    As to infected computers, I'm working on a Netreg extension that includes a "Your're infected" group. It's like being unregistered, but DNS forwards to a virus notification page.
  9. netsquid software package works well for this by gabesk · · Score: 5, Informative

    This is the method used at Texas A&M University, which I attend, for their residence hall network.

    We use netsquid, http://netsquid.tamu.edu/, which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.

    It works quite well.