[My credit goes to this clever hacker: http://www.aub.dk/~misak/index.php/archives/2004/10/27/35/]
I am one of the administrators for a network with about 900 residential users. We have no control over what people are running on their computers and therefore we get our share (and more) of worms and viruses on the network. Some of these are very aggressive and slow the whole network down with ARP broadcasts.
We are using squid as a proxy and I came up with a good idea (at least I think so) on how to use squid to force the users to clean their computers if they are infected.
The method is not bulletproof. The Squid server listens for ARP broadcasts on the LAN, and if a computer is sending more of these than normal, its IP address is put in an ACL and the computer is prevented from accessing the internet except for a few selected sites such as windowsupdate and housecall.antivirus.com. The deny_info function in squid is used to notify the users that their computers are infected and that they need to clean them in order to get their normal internet access back. When the computer stops sending ARP requests, the IP is removed from the ACL.
# Make sure /tmp/worms.txt has at least one line of text (the seed address is overwritten on every run)
echo "10.0.0.1" > /tmp/worms.txt
# Capture 1000 ARP packets, take the sender ("tell") address from field 6 of tcpdump's arp output,
# count packets per sender, and append any sender with more than 200 requests to the ACL file
tcpdump -n -c 1000 arp 2> /dev/null | cut -d " " -f 6 | sort | uniq -c | perl -ne '/^\s*(\d+)\s+(\S+)/; print "$2\n" if $1 > 200' >> /tmp/worms.txt
# Make squid re-read its configuration so the updated ACL file takes effect
/usr/local/squid/sbin/squid -k reconfigure
This is run every 10 minutes or so, and the following is added to squid.conf:
acl worms src "/tmp/worms.txt"
acl trend dstdomain .trendmicro.com .antivirus.com .akamai.net .microsoft.com
http_access allow trend worms
http_access deny worms
deny_info ERR_WORMS worms
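As an added example (not the original author's script), the same detection step as a small sh script that can be run offline against saved tcpdump output. It goes one step beyond the one-liner above: instead of a fixed field number it picks the address after "tell", so it also works with the newer tcpdump ARP line format ("ARP, Request who-has A tell B, length 28"). The sample capture, the threshold and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: rebuild the squid "worms" ACL file from tcpdump ARP output.

# flag_arp_talkers THRESHOLD < tcpdump-output
# Prints one IP per line for every sender whose who-has request count exceeds THRESHOLD.
# The sender is the word after "tell"; a trailing comma (newer tcpdump format) is stripped.
flag_arp_talkers() {
    awk -v limit="$1" '
        /who-has/ {
            for (i = 1; i <= NF; i++)
                if ($i == "tell") { ip = $(i + 1); sub(/,$/, "", ip); count[ip]++ }
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# build_worms_file OUTFILE THRESHOLD < tcpdump-output
# Writes the file squid reads via "acl worms src". The seed line keeps the file
# non-empty as the original post requires; use an address that must never be
# blocked (constructed placeholder here).
build_worms_file() {
    { echo "10.0.0.1"; flag_arp_talkers "$2"; } > "$1"
}

# Constructed sample capture: 10.0.0.7 sends 4 requests (old and new tcpdump
# line formats mixed), 10.0.0.9 sends 1, and one ARP reply that must be ignored.
SAMPLE_ARP='12:00:00.000001 arp who-has 10.0.0.2 tell 10.0.0.7
12:00:00.000002 arp who-has 10.0.0.3 tell 10.0.0.7
12:00:00.000003 ARP, Request who-has 10.0.0.4 tell 10.0.0.7, length 28
12:00:00.000004 ARP, Request who-has 10.0.0.5 tell 10.0.0.7, length 28
12:00:00.000005 ARP, Reply 10.0.0.2 is-at 00:11:22:33:44:55, length 28
12:00:00.000006 arp who-has 10.0.0.6 tell 10.0.0.9'

# Demo: with a threshold of 3 only 10.0.0.7 is flagged.
printf '%s\n' "$SAMPLE_ARP" | flag_arp_talkers 3
```

In production the input would come from `tcpdump -n -c 1000 arp`, and a `squid -k reconfigure` would follow `build_worms_file`, as in the original script.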