North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

  • From: Sean Donelan
  • Date: Mon Jul 23 19:24:30 2007

On Mon, 23 Jul 2007, Joe Greco wrote:
Would it be better if ISPs just blackholed certain IP addresses associated
with Bot C&C servers instead of trying to give the user a message.  That
doesn't require examining the data content of any messages.  The user just
gets a connection timeout.

Compared to hijacking DNS and intercepting sessions? Yes. Absolutely. See, it isn't that hard to come up with better ideas.

That's what Verizon was doing. Guess what. People complained about it too.

Interestingly enough, some of us care.  Some of us care enough to run clean
networks AND to make sure that what we're selling isn't compromised by
deliberate DNS hijackings and site redirections.

But do include things like patching servers to filter messages that contain certain strings which might accidently catch a legitimate message on occasion. People probably complain about those things too.

It sucks when you are the one that gets caught by a false positive. Unfortunately, every attempt at anti-abuse systems have experienced it
at one time or another. Probably even some of the things you've done
over the years trying to run a clean network has accidently made a mistake.