[sdnog] Network Full with malicious activities

Nishal Goburdhan nishal at controlfreak.co.za
Thu Nov 22 11:45:47 SAST 2018


On 22 Nov 2018, at 17:53, Khadiga Elhassan wrote:

> Hi all, what is the most proper way of dealing with a network full of
> malicious activities. From where to start, and do free anti-viruses
> help?
> if yes which is the best?
> Would someone suggest a strategy or a policy to implement?
> Please specify in detail..

hi khadiga,

you weren’t very specific;  malicious activities could be many things, 
and hosts themselves could relate to a myriad more.  so i’ll write 
primarily about how you can contain some of these, inside a university 
network, since that’s where it seems you might be having these issues.

so, rule #1.  disconnect it!   ;-)
no really, i’m not joking;  disconnect the host.  the best and first 
thing you want to do is to take the infected hosts offline.
and, if the network segment is really badly infected, then, if it’s 
possible, take the entire segment offline.
that keeps the rest of your network safe, from these hosts, and, at the 
same time, prevents the infected machines from participating in any 
nefarious activity, or being compromised via a second vulnerability.

there are very few “safe” ways to recover from a compromise, or 
exploit.  and certainly, in the event of this being an “end-user” 
PC, i would format and re-image.  fortunately, for a lab environment, 
that’s easy to do, and there’s lots of tools that can help with 
that.  if it’s your own personal machine, well, this is why we have 
backups, right?  :-)
it might be tempting to try to remove files off the infected host.  do 
this *only* if you are 110% sure that the host you’re going to try to 
read this information off later, is immune to this sort of infection.  
otherwise, it’s not worth the risk ..

if they are windows machines, then yes, even the free anti-virus 
software can help prevent this.  i would certainly not dismiss this 
outright.  however, i’m not, and have never been, a windows lan admin, 
so perhaps other people here have better suggestions around software.

one way to limit the spread of infections is to limit the size of the 
network segments;  put each lab into their own layer-3 domain, and 
filter *both* in and outbound, to the lab.  that’ll help you contain 
things easily;  especially for example, if you’re filtering udp 135-139 
(and the other commonly abused ports).   of course - this needs to fit 
into your connectivity strategy; i.e.  you don’t have devices 
“mapped” from other devices across the university, etc.

finally, make sure you have visibility into what’s happening in the 
network;  it’s not terribly difficult to set up monitoring of all 
switch ports  (librenms/cacti/etc), so you know which hosts are 
misbehaving, and of traffic going through your lab uplinks 
(snort/suricata/etc) so you know what they are doing.  knowing *where* 
to look, and *what* to look for, is going to make all the difference, 
when you need it.

there’s a lot more that can be written about security, process and policy, 
but hopefully this has given you a start.

--n.
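An added example, not from the post or the sdnog list, of the two ideas above put together: a per-lab layer-3 segment whose uplink drops the abused ports in both directions, and a small check over flow records that tells you which lab hosts are tripping that filter often enough to be worth pulling off the network. The lab prefix, the port list and the flow-record format are all assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical lab layer-3 domain and filtered ports; both are assumptions.
LAB_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ABUSED_PORTS = set(range(135, 140))  # 135-139, as named in the post

# Constructed flow records, "time src dst proto dport"; not any real tool's format.
SAMPLE_FLOWS = """\
12:00:01 10.20.30.17 10.20.40.5 udp 137
12:00:02 10.20.30.17 10.20.40.6 udp 137
12:00:03 10.20.30.17 10.20.40.7 udp 137
12:00:04 10.20.30.17 10.20.40.8 udp 137
12:00:05 10.20.30.22 192.0.2.10 tcp 443
12:00:06 10.20.30.22 10.20.30.23 udp 137
12:00:07 198.51.100.9 10.20.30.40 tcp 139
12:00:08 10.20.30.40 10.20.50.2 tcp 80
""".splitlines()


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def crosses_lab_boundary(flow):
    """True when exactly one endpoint is inside the lab segment, i.e. the
    flow would traverse the lab's filtered uplink in either direction."""
    return (flow["src"] in LAB_SEGMENT) != (flow["dst"] in LAB_SEGMENT)


def would_be_blocked(flow):
    """The post's filter policy: drop the abused ports both inbound and outbound."""
    return crosses_lab_boundary(flow) and flow["dport"] in ABUSED_PORTS


def suspect_lab_hosts(lines, threshold=3):
    """Count, per lab host, the flows the boundary filter would drop; hosts at
    or above the threshold are the ones to disconnect and re-image first."""
    hits = Counter()
    for line in lines:
        flow = parse_flow(line)
        if would_be_blocked(flow):
            lab_host = flow["src"] if flow["src"] in LAB_SEGMENT else flow["dst"]
            hits[str(lab_host)] += 1
    return sorted(host for host, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print("blocked flows:", sum(would_be_blocked(parse_flow(l)) for l in SAMPLE_FLOWS))
    print("suspect lab hosts:", suspect_lab_hosts(SAMPLE_FLOWS))
```

Intra-lab traffic on the same ports (the sixth record) never reaches the uplink filter, which is exactly why the post wants each lab in its own segment: what the filter cannot see, it cannot contain.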

