sysadmin/WhyNotCompromiseNotification written at 01:54:42; Add Comment
Why sysadmins don't just notify users about compromised machines
One of the possible reactions to the issue of banning the MAC addresses of compromised machines is to suggest that what sysadmins should do is not ban the machine but instead contact the machine's owner to tell them about the problem and get them to deal with it. Let me give you the sysadmin perspective on that.
To start with, let's agree that there are two sorts of compromised or infected machines that your IDS has detected: ones that are actively trying to do nasty things and ones that are just showing signs of infection, like phoning home to botnet controllers. The first sort have to be immediately quarantined when detected, so the real issue is what to do about the second sort of machines, which are mostly or entirely 'harmless' at the moment.
Ultimately, the reason that sysadmins don't just notify the machine's owner is that this rarely solves the problem. There are two aspects of this. First, there are a number of practical difficulties in getting in touch with the user:
Much more importantly, painful experience has shown sysadmins that if you just send people email, many machine owners either don't care at all or don't care enough to do painful but necessary things like reinstall their operating system from scratch. Even when people are compliant and willing, what they decide to do may not be anywhere near sufficient; they may just run a malware scanner or two and then declare that their machine is clean because those scanners showed nothing. You can spend a great deal of time doing what is basically nagging people and get no actual results from it, in the process wasting everyone's time and annoying everyone (assuming that people are even bothering to read your email).
Blocking machines more or less automatically has the great virtue (from a sysadmin's perspective) that it gives the machine's user no option to ignore the issue. One way or another, the machine's problem is going to get dealt with (or at least contained, if it stays off the network).
(Whether this is the right approach in general is another issue entirely, one that does not even start fitting in the margins of this entry. This entry is just about the sysadmin perspective.)
As a side note, all of this 'contact the user' stuff assumes that you know who the theoretical responsible person for a machine is. This is true in the situation in my first entry but is not necessarily true in general. This may be a peculiarity of universities, but you would be startled at how hard it can be to find out who is the technical person for a particular subnet, much less a particular machine, and then how hard it is to get in touch with them. Blocking machines and waiting for their users to speak up can be basically the only feasible way to find out who you need to talk to and get them to respond to your contact attempts.
* * *