Why sysadmins don't just notify users about compromised machines

August 5, 2011

One of the possible reactions to the issue of banning the MAC addresses of compromised machines is to suggest that what sysadmins should do is not ban the machine but instead contact the machine's owner to tell them about the problem and get them to deal with it. Let me give you the sysadmin perspective on that.

To start with, let's agree that there are two sorts of compromised or infected machines that your IDS has detected: ones that are actively trying to do nasty things and ones that are just showing signs of infection, like phoning home to botnet controllers. The first sort have to be immediately quarantined when detected, so the real issue is what to do about the second sort of machines, which are mostly or entirely 'harmless' at the moment.

Ultimately, the reason that sysadmins don't just notify the machine's owner is that this rarely solves the problem. There are two aspects of this. First, there are a number of practical difficulties in getting in touch with the user:

  • while you have the identity of the person who registered the machine, this may not be the machine's current user.
  • the email address that you have for them may not be one that they check regularly, although this is really only a university issue.
  • it's possible that the malware they're infected with is filtering or otherwise intercepting their email. (I don't know if any current malware is this smart.)

Much more importantly, painful experience has shown sysadmins that if you just send people email, many machine owners either don't care at all or don't care enough to do painful but necessary things like reinstall their operating system from scratch. Even when people are compliant and willing, what they decide to do may not be anywhere near sufficient; they may just run a malware scanner or two and then declare that their machine is clean because those scanners showed nothing. You can spend a great deal of time doing what is basically nagging people and get no actual results from it, in the process wasting everyone's time and annoying everyone (assuming that people are even bothering to read your email).

Blocking machines more or less automatically has the great virtue (from a sysadmin's perspective) that it gives the machine's user no option to ignore the issue. One way or another, the machine's problem is going to get dealt with (or at least contained, if it stays off the network).

(Whether this is the right approach in general is another issue entirely, one that does not even start fitting in the margins of this entry. This entry is just about the sysadmin perspective.)

As a side note, all of this 'contact the user' stuff assumes that you know who the theoretical responsible person for a machine is. This is true in the situation in my first entry but is not necessarily true in general. This may be a peculiarity of universities, but you would be startled at how hard it can be to find out who is the technical person for a particular subnet, much less a particular machine, and then how hard it is to get in touch with them. Blocking machines and waiting for their users to speak up can be basically the only feasible way to find out who you need to talk to and get them to respond to your contact attempts.
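To make the triage in this entry concrete, here is an added example (not code from the original entry) that sorts constructed IDS detections into the two sorts described above: actively hostile machines are quarantined at once, machines merely showing signs of infection are blocked automatically, and a block on a machine with no registered owner is recorded as "wait for the user to speak up". The alert categories, the MAC-to-owner registry and the sample alerts are all assumptions made up for the example.

```python
# Added example, not code from the original entry: triaging IDS detections into
# the two sorts above. Categories, registry entries and alerts are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIVE_ATTACK = {"portscan", "bruteforce", "exploit-attempt"}  # quarantine now
INFECTION_SIGN = {"botnet-c2", "dns-sinkhole-hit"}             # block automatically
RANK = {"quarantine": 2, "block": 1, "ignore": 0}

@dataclass(frozen=True)
class Alert:
    mac: str
    category: str

@dataclass(frozen=True)
class Action:
    mac: str
    action: str           # "quarantine", "block" or "ignore"
    owner: Optional[str]  # registered contact, if known
    note: str

def triage(alert: Alert, registry: Dict[str, str]) -> Action:
    owner = registry.get(alert.mac)
    if alert.category in ACTIVE_ATTACK:
        # Actively hostile: off the network immediately, no notification step.
        return Action(alert.mac, "quarantine", owner, "active attack")
    if alert.category in INFECTION_SIGN:
        # 'Harmless' for now; blocking leaves the user no option to ignore it.
        if owner is None:
            return Action(alert.mac, "block", None, "owner unknown; wait for user to speak up")
        return Action(alert.mac, "block", owner, "blocked; owner notified")
    return Action(alert.mac, "ignore", owner, "not a compromise indicator")

def triage_all(alerts: List[Alert], registry: Dict[str, str]) -> Dict[str, Action]:
    # One action per machine: quarantine outranks block, block outranks ignore.
    best: Dict[str, Action] = {}
    for alert in alerts:
        act = triage(alert, registry)
        if alert.mac not in best or RANK[act.action] > RANK[best[alert.mac].action]:
            best[alert.mac] = act
    return best

# Constructed sample data: one registered owner, one unknown owner, one clean host.
REGISTRY = {"00:11:22:33:44:55": "alice@example.edu"}
ALERTS = [
    Alert("00:11:22:33:44:55", "botnet-c2"),
    Alert("66:77:88:99:aa:bb", "dns-sinkhole-hit"),
    Alert("66:77:88:99:aa:bb", "portscan"),
    Alert("cc:dd:ee:ff:00:11", "info"),
]
```

Running `triage_all(ALERTS, REGISTRY)` yields a block for the registered machine, a quarantine for the unknown machine (its port scan outranks its sinkhole hit), and no action for the clean host.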


Comments on this page:

From 71.56.100.181 at 2011-08-05 10:19:24:

I'm not sure where you are having these discussions, but it's entirely possible and also quite common that most people in the conversation are not sysadmins at all, or they are just stating their opinion based on gut feel instead of actual experience. It happens all the time on mailing lists, etc... many of the people are there because they are just generally interested in a topic, instead of actively engaged in it professionally.

It sounds to me like anyone advocating "just notify the user" is clearly not a sysadmin in a professional setting.

Written on 05 August 2011.


Last modified: Fri Aug 5 01:54:42 2011