[AusNOG] (bad) cyber security and ideas coming out of the woodwork?!

Sean K. Finn sean.finn at ozservers.com.au
Thu Jun 24 17:36:58 EST 2010


> From Zane
> Disconnect?  I hope not, but a wall garden concept is a great idea.  I
> understand it will make more work and cost more for the ISPs. But the infected
> hosts do have a negative impact on your network don't they?

We currently take a Walled Garden approach for infected hosts.

Keep in mind that some of these hosts are actively attacking other servers out there somewhere, most of the time @ 100Mbps towards their target. Walling them off in a gardened area allows a few things:

1. Limit the network damage that they are doing (PPS on local network, and limiting obvious DDoS effects at end target)
2. Not disturbing the attacker *too* much, so that we can snoop,
3. Allowing us to log in, find the attack vector and close it down in real time.

If a host obeys a pre-determined 'healthy' period in the garden they are returned back to the general population.

If they don't get healthy, only after a couple of weeks will we disconnect them as a last resort. (Can't leave compromised boxes online forever, it's just not responsible).

We have the benefit of having walled gardens in the same location as the servers.

I'm not sure how feasible it would be for an ISP to have a walled garden for infected hosts at each and every exchange?

Backhauling evil traffic and filtering it centrally would seem a big waste of geographic network resources.

Sean.


