[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060222151324.GF25149@bofh.cns.ualberta.ca>
Date: Wed Feb 22 16:37:17 2006
From: beck at bofh.cns.ualberta.ca (Bob Beck)
Subject: Re: Quarantine your infected users spreading
malware
> As many of us know, handling such users on tech support is not very
> cost-effective to ISP's, as if a user makes a call the ISP already
> losses money on that user. Than again, paying abuse desk personnel just
> so that they can disconnect your users is losing money too.
>
> Which one would you prefer?
>
from home :
# Training wheels for windows boxes. Stomp anything other than
# web ftp and ssh. If they need more they should run something else.
block in log on { $int_if, $wi_if } proto tcp from any os Windows to any
pass in on { $int_if, $wi_if } proto tcp from any os Windows to any port { 80, 443, 22, 21 } keep state
Tricks like max states and an overflow table help too.
But worrying about 139 and 445 is just hole du jour. Worrying only about
windows is OS du jour. The real problem is not Aunty Jane. It's twofold:
1) Aunty Jane is naiive and easily socially engineered
2) Aunty Jane is running crap that can either be directly compromised,
or that makes it easier to do 1) above.
Packet filtering customers by default will make no difference as more
and more bad software comes out that simply embeds itself in web
protocols and the like that you simply can't block arbitrarily and
stay in business.
Wait for the first good VOIP propagating worm (humming "woo hooo woo
hoo hooo....)
-Bob
Powered by blists - more mailing lists