North American Network Operators Group


Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

  • From: Suresh Ramasubramanian
  • Date: Mon Jul 23 22:55:38 2007


On 7/24/07, Chris L. Morrow <[email protected]> wrote:


> So, to back this up and get off the original complaint, if a service
> provider can protect a large portion of their customer base with some
> decent intelligence gathering and security policy implementation is that a
> good thing? Keeping in mind that in this implementation users who know
> enough and are willing to forgo that 'protection' (for some value of
> protection) can certainly circumvent/avoid it.

Right. Let us get to best practices rather than debating ethics.


So how would you keep your network clean of infected PCs?

* Gather information (log parsers, darknet / honeynet traffic
monitoring, feeds from XBL type blocklists)

* Redirect "common" bot-abused services like IRC by default either
across your network or on whatever part of your network you see bot
activity as evidenced from darknet etc observation (and run the risk
that right after you get that IP information, the infected XP box on
that IP is replaced not by another XP box but by a fully loaded geek
install of FreeBSD, rather than by an infected Win2k box, a patched
Vista etc)

* Walled garden type outbound IDS to quarantine an IP completely when
malware activity is noted.  Yes, IRC bots aren't the only kind of bots
- those are positively old-fashioned, yes there can be multiple
malware on a single PC, yes, port 25 blocking to stop bots is treating
lung cancer with cough syrup (tip of the hat to Joe St. Sauver) ...

etc etc etc. A good BCP would be a nice thing to have around.

srs
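
The steps listed in the message above (gather sightings, then quarantine), as an added example that is not part of the original post. It attributes each sighting to the account that held the IP at that moment, so a re-leased address does not wall off the wrong customer. The lease table, account IDs, source names and the two-source threshold are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: documentation-range IPs, hypothetical account IDs.
LEASES = [  # (ip, account, lease_start, lease_end)
    ("198.51.100.7", "acct-1001", "2007-07-23T00:00", "2007-07-23T12:00"),
    ("198.51.100.7", "acct-2002", "2007-07-23T12:00", "2007-07-24T12:00"),
    ("198.51.100.9", "acct-3003", "2007-07-23T00:00", "2007-07-24T00:00"),
]
SIGHTINGS = [  # (source, ip, observed_at)
    ("darknet", "198.51.100.7", "2007-07-23T09:15"),
    ("xbl-feed", "198.51.100.7", "2007-07-23T10:40"),
    ("darknet", "198.51.100.9", "2007-07-23T08:00"),
    ("xbl-feed", "198.51.100.9", "2007-07-23T11:00"),
    ("darknet", "198.51.100.7", "2007-07-23T13:30"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def holder_at(ip, when, leases):
    """Account that held `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, account, start, end in leases:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return account
    return None

def triage(sightings, leases, now, min_sources=2):
    """Group evidence per (account, ip) and pick an action for each."""
    evidence = defaultdict(set)  # (account, ip) -> distinct sources seen
    for source, ip, seen in sightings:
        account = holder_at(ip, ts(seen), leases)
        if account is not None:
            evidence[(account, ip)].add(source)
    result = {"quarantine": [], "notify": [], "watch": []}
    for (account, ip), sources in sorted(evidence.items()):
        if len(sources) < min_sources:
            result["watch"].append(account)             # uncorroborated
        elif holder_at(ip, now, leases) == account:
            result["quarantine"].append((account, ip))  # still on that IP
        else:
            result["notify"].append(account)            # IP since re-leased
    return result
```

With the sample data and a decision time of 14:00, acct-3003 is walled off, acct-1001 is contacted out of band because its old address now belongs to acct-2002, and acct-2002 is only watched.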