North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

  • From: Sean Donelan
  • Date: Mon Jul 23 13:49:12 2007

On Mon, 23 Jul 2007, Joe Greco wrote:
So how do you connect to the real IRC server, then?  Remember that most
end users are not nslookup-wielding shell commandos who can figure out
whois and look up the IP.

If those users are so technically unsophisticated, do you really expect the other users with infected computers to figure out how to disinfect their computer and remove the Bots instead?

So you have potentially tens of thousands of infected computers with Bots making connections to an IRC server. You know many of those bots are well-known, old bots that have built-in removal commands. But 99% of those users don't have the technical knowledge to clean their machine themselves or know what a Bot is. On the other hand, you have 1% of users are sophisticated enough to use IRC servers. And a few percentage of overlap between the two groups.

What do you do?
a. nothing
b. terminate tens of thousands of user accounts (of users who are mostly "innocent" except their computer was compromised)
c. block all IRC
d. redirect IRC connections to a few servers known to be used by Bots
e. something else