North American Network Operators Group

Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

  • From: Joe Greco
  • Date: Mon Jul 23 18:02:41 2007

> On Mon, 23 Jul 2007, Joe Greco wrote:
> >> Although this seems to be the first big mistake in over two years, does
> >> that make the practice unacceptable as another tool to respond to Bots?
> >
> > The practice of blocking public EFnet servers?
> As I've said multiple times, sometimes mistakes happen and the wrong 
> things end up on a list.  I doubt that was the intent.
> Many people have suggested blocking C&C servers used by bots over the 
> years.

There's a difference between blocking actual C&C servers and blocking 
general IRC servers that are incidentally being used as C&C servers.

> > Yes, when there are better solutions to the problem at hand.
> Please enlighten me.

Intercept and inspect IRC packets.  If they join a botnet channel, turn on
a flag in the user's account.  Place them in a garden (no IRC, no nothing,
except McAfee or your favorite AV/patch set).

Wow, I didn't even have to strain myself.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
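
The inspect-and-flag approach described in the message above, as an added example that is not part of the original post: it flags only the accounts whose clients JOIN a known C&C channel, leaving other users of the same public IRC server alone. The watchlist, account table, server name and sample payloads are constructed for illustration.

```python
import re

# Constructed watchlist of (server, channel) pairs confirmed as botnet C&C.
CNC_CHANNELS = {("irc.example.net", "#bots-cnc")}

# Constructed customer-IP-to-account table (in practice from RADIUS/DHCP logs).
ACCOUNTS = {"192.0.2.10": "acct-1001", "192.0.2.11": "acct-1002"}

# Client-to-server JOIN, with an optional ":prefix" in front of the command.
JOIN_RE = re.compile(r"^(?::\S+ +)?JOIN +(\S+)", re.IGNORECASE)

def joined_channels(line):
    """Return the channels named in one client-to-server IRC line, or []."""
    m = JOIN_RE.match(line.strip())
    if not m or m.group(1) == "0":  # "JOIN 0" means "leave all channels"
        return []
    # lower() approximates IRC case-insensitive channel comparison.
    return [c.lower() for c in m.group(1).split(",")
            if c.startswith(("#", "&", "+", "!"))]

def flag_accounts(events):
    """events: (client_ip, server_name, payload). Returns accounts to garden."""
    flagged = set()
    for ip, server, payload in events:
        for line in payload.splitlines():
            for chan in joined_channels(line):
                if (server.lower(), chan) in CNC_CHANNELS and ip in ACCOUNTS:
                    flagged.add(ACCOUNTS[ip])
    return flagged

# Constructed capture: one bot joining the C&C channel, and one ordinary user
# on the same public server who only mentions the channel in a message.
SAMPLE = [
    ("192.0.2.10", "irc.example.net",
     "NICK x\r\nUSER x 0 * :x\r\nJOIN #Bots-CnC secretkey\r\n"),
    ("192.0.2.11", "irc.example.net", "NICK alice\r\nJOIN #help,#linux\r\n"),
    ("192.0.2.11", "irc.example.net",
     "PRIVMSG #help :how do I JOIN #bots-cnc?\r\n"),
]

if __name__ == "__main__":
    print(sorted(flag_accounts(SAMPLE)))
```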