 From:  Mike <lists at southwestech dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Latest virus kills m0n0wall
 Date:  Sun, 12 Aug 2007 02:26:47 -0600
Lee Sharp wrote:
> Replying to myself again...  Updates to all, and this seems the best way 
> to thread it.

Wow... I snipped the log, sorry; informative, but too much to include in 
a reply, as this will be long-winded enough.
I agree that likely this is your problem, or a variant. This is now 
turning into more of a "political" issue than a technical one though. 
Perhaps you should sit with management and explain to them that you 
can't be responsible for the systems on the network, but you can be 
responsible for the network. What I mean by that is any system on the 
network causing issues may be removed at your discretion. I am sure you 
are aware of this, but I just threw it out there anyways. Bottom line 
is, the one (or eight) PCs are bringing down everyone, and affecting 
business, and should be culled with a straight-to-the-point warning. Fix 
it or lose it (the connection). That is just my .02 ;-) - track them 
using static DHCP or whatever so that you can narrow it right down.
The hotels and hot spots I manage all use a portal page, as I am sure 
yours do too. It clearly defines the AU policy, and the consequences of 
abuse, so there is no cause to whine when they get the boot for 
inappropriate use. While this may not be intentional abuse, it is still 
abuse. This doesn't fix your problem, I know, but gives a bit of 
insight. You are going to fry yourself trying to keep up with this.
On to the possible solution: Again, I will nag on shutting down ports. I 
really think this is the only short term solution for now. This storm 
worm has been around for a bit now, and is really picking up steam. It 
may very well curb soon, but another one will replace it. It will be a 
lot of work initially, but worth it in the end. Combined with this 
though, I think if you aren't using the portal, you should: no 
authentication, just a disclaimer explaining in very plain terms why 
WoW isn't working, or why they can't download music, etc. That way the 
guests are informed. Also, it may not hurt to have the hotel staff 
create a document to place in the rooms. If you explain it to the 
management in terms they can follow, I am sure they will understand. The 
guests might get pissed, but you can't be expected to contain their 
shortcomings in the way of security.
Another trick I used is to segregate the rooms. I did this by using 
switches or bridges combined with switches for the wireless setups. 
Smaller hotels got one bridge per room (no switch); large hotels had the 
rooms segregated into blocks of rooms on a single bridge. At least then 
I could say what room it was, or what block of rooms, by referencing the 
guilty IP. Using this, I can narrow it down to a guest, and if they are 
causing a major issue, the hotel staff will call their room and inform 
them of the problem, and the consequences. Maybe this is not feasible 
for you now, but it is something to keep in the back of your mind *if* 
the hotel is not afraid to spend a little to curb this problem. If it 
happened to be a block of rooms, then it gets more difficult, but I have 
on occasion shut down a whole block of 5 or 6 rooms. Usually the culprit 
is the first to phone the desk and complain, and when they are 
complaining, you can usually get the IP out of them in the course of 
"troubleshooting" and go from there (us sneaky bastards). If it is the 
offending IP, I shut it out for the night and play dumb, but turn the 
switch back on for the other rooms. You will find the odd one savvy 
enough to assign an IP, but it is easy enough to catch them again. 
Without going into too much detail: block A is 10.10.12.x, block B is 
10.10.13.x, etc. (multiple interfaces, multiple WAN connections and 
m0n0's depending on the number of rooms). DHCP is set to a range of 
rooms+1, and anything falling outside the DHCP range is usually your 
culprit for the static IP. A bit of a gong-show, but it works.
I have only had to use this setup in the problem hotels, like yours: 
extended-stay hotels for the oil crews etc. I sure would like to find a 
way to make sure individual rooms receive the same IP every time though, 
without the addition of a pile of equipment like in my above example. 
Any ideas?

One thing I hate to point out is that the longer this drags on, the 
more it will chew at your credibility with that business. Best to cut it 
off as soon as possible, even if it isn't the solution you ideally want; 
it will buy you some time to find the proper solution. It will make you 
look like a genius/hero ;-)

*whew* done.
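One way to automate the check Mike describes above (one subnet per block of rooms, DHCP pool sized to rooms+1, and any source address outside the pool pointing at a guest who assigned a static IP), as an added Python example that is not part of the post. The block layout, gateway addresses, packet threshold and the "ip packets" summary format are all assumptions, not m0n0wall's own output.

```python
import ipaddress
import re

# Constructed block layout in the spirit of the post: one /24 per block, gateway at .1, DHCP pool = rooms + 1 (assumed values).
BLOCKS = {
    "A": ("10.10.12.0/24", "10.10.12.1", "10.10.12.10", "10.10.12.16"),  # 6 rooms + 1
    "B": ("10.10.13.0/24", "10.10.13.1", "10.10.13.10", "10.10.13.15"),  # 5 rooms + 1
}

def classify(ip):
    """Map an address to (block, status): 'dhcp', 'static', 'gateway' or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for block, (net, gw, lo, hi) in BLOCKS.items():
        if addr not in ipaddress.ip_network(net):
            continue
        if addr == ipaddress.ip_address(gw):
            return block, "gateway"
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return block, "dhcp"
        return block, "static"  # inside the block but outside the pool: guest set own IP
    return "?", "unknown"

# Constructed per-source packet summary, "<src ip> <packets>" per line (format is an assumption).
SAMPLE = """\
10.10.12.12 40
10.10.12.200 9000
10.10.13.1 20
192.168.1.5 3
"""

def find_suspects(summary, threshold=1000):
    """Flag sources outside their block's DHCP pool, outside any guest subnet, or above the packet threshold."""
    out = []
    for line in summary.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s*$", line)
        if not m:
            continue
        ip, pkts = m.group(1), int(m.group(2))
        block, status = classify(ip)
        reasons = []
        if status == "static":
            reasons.append("outside DHCP pool")
        elif status == "unknown":
            reasons.append("not a guest subnet")
        if pkts >= threshold:
            reasons.append("traffic above threshold")
        if reasons:
            out.append({"ip": ip, "block": block, "packets": pkts, "reasons": reasons})
    return out
```

The returned block letter is what the front desk needs to know which rooms to call; the gateway address is deliberately never flagged even though it sits outside the pool.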