[Full-disclosure] Re: Quarantine your infected users spreading malware

> As many of us know, handling such users on tech support is not very 
> cost-effective to ISP's, as if a user makes a call the ISP already 
> losses money on that user. Than again, paying abuse desk personnel just 
> so that they can disconnect your users is losing money too.
>
> Which one would you prefer?

from home :

# Training wheels for windows boxes. Stomp anything other than
# web ftp and ssh. If they need more they should run something else.
block in log on { $int_if, $wi_if }  proto tcp from any os Windows to any
pass in on { $int_if, $wi_if } proto tcp from any os Windows to any port { 80, 
443, 22, 21 } keep state

Tricks like max states and an overflow table help too. 

But worrying about 139 and 445 is just hole du jour. Worrying only about
windows is OS du jour.  The real problem is not Aunty Jane. It's twofold:

        1) Aunty Jane is naiive and easily socially engineered
        2) Aunty Jane is running crap that can either be directly compromised,
           or that makes it easier to do 1) above.

Packet filtering customers by default will make no difference as more
and more bad software comes out that simply embeds itself in web
protocols and the like that you simply can't block arbitrarily and
stay in business.

Wait for the first good VOIP propagating worm (humming "woo hooo woo
hoo hooo....)

        -Bob

        
        
        


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/