North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On 7/24/07, Chris L. Morrow <[email protected]> wrote:
So, to back this up and get off the original complaint, if a service provider can protect a large portion of their customer base with some decent intelligence gathering and security policy implementation is that a good thing? keeping in mind that in this implementation users who know enough and are willing to forgoe that 'protection' (for some value of protection) can certainly circumvent/avoid it.
Right. Let us get to best practices rather than debating ethics.
So how would you keep your network clean of infected PCs?
* Gather information (log parsers, darknet / honeynet traffic monitoring, feeds from XBL type blocklists)
* Redirect "common" bot abused services like IRC by default either across your network or on whatever part of your network you see bot activity as evidenced from darknet etc observation (and run the risk that right after you get that IP information, the infected XP box on that IP is replaced not by another XP box but by a fully loaded geek install of freebsd, rather than by an infected win2k box, a patched vista etc)
* Walled garden type outbound IDS to quarantine an IP completely when malware activity is noted. Yes, irc bots arent the only kind of bots - those are positively old fashioned, yes there can be multiple malware on a single PC, yes, port 25 blocking to stop bots is treating lung cancer with cough sirup (tip of the hat to Joe St.Sauver) ..
etc etc etc. A good BCP would be a nice thing to have around.