North American Network Operators Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On Mon, 23 Jul 2007, Joe Greco wrote:

> > > Yes, when there are better solutions to the problem at hand.
> >
> > Please enlighten me.
>
> Intercept and inspect IRC packets. If they join a botnet channel, turn on
> a flag in the user's account. Place them in a garden (no IRC, no nothing,
> except McAfee or your favorite AV/patch set).

Please do this at 1Gbps, really 2Gbps today and 20gbps shortly, in a cost effective manner. Please also do this on encrypted control channels or channels not 'irc', also please stay 'cost effective'. Additionally, please do NOT require in-line placement unless you can do complete end-to-end telco-level testing (loops, bit pattern testing, etc), also it'd be a good idea to have a sensible management interface for these devices (serial port 9600 8n1 at least along with a scriptable ssh/telnet/text-ish cli).

Looking at DPI (which is required for your solution to work) you are still talking about paying about 500k/edge-device for a carrier-grade DPI solution that can reliably do +2gbps line-rate inspection and actions. This quickly becomes non-cost-effective if your network is more than 1 edge device and less than 500k customers... Adding cost (operational cost you can only recover via increased user fees) is going to make this not deployable in any real network.

> > Wow, I didn't even have to strain myself.
>

sarcasm aside, this isn't a simple problem and at scale the solutions trim down quickly away from anything that seems 'great' :( using DNS and/or routing tricks to circumvent known bad behaviours are the only solutions that seem to fall out. Yes they aren't subscriber specific, but you can't get to subscriber specific capabilities without a fairly large cost outlay.

-Chris
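The exchange above describes a scheme (flag the account on a bot-channel JOIN, then drop the subscriber into a walled garden) and the objection to it (encrypted or non-IRC control channels are invisible to the inspector). The following is an added toy model of that scheme, not code from the NANOG thread or from any ISP product; the channel names, subscriber addresses, allowlist hosts and log lines are all constructed placeholders, and the flow-log format is an assumption made for the example. It flags a subscriber only on a readable JOIN to a listed channel, reports flows it could not inspect, and enforces the garden as an allowlist of AV/patch destinations.

```python
"""
Added example (not from the NANOG post): a toy model of "inspect IRC, flag
the account, put the subscriber in a garden", together with the limitation
raised in the reply: encrypted control channels cannot be inspected at all.
All channel names, subscriber IDs, hosts and log lines here are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed blocklist of known bot C&C channel names (placeholders, lowercase).
KNOWN_BOT_CHANNELS = {"#cc-placeholder-1", "#cc-placeholder-2"}

# Destinations still reachable from the walled garden (AV/patch servers; placeholders).
GARDEN_ALLOWLIST = {"update.av.example", "patch.os.example"}

# Constructed flow log (assumed format): subscriber, destination port, payload.
# Includes a cleartext IRC JOIN to a listed channel, an ordinary web flow, an
# encrypted flow on 6697 that DPI cannot read, and a benign cleartext JOIN.
SAMPLE_LOG = """\
sub=10.0.0.7 dport=6667 payload=JOIN #cc-placeholder-1
sub=10.0.0.8 dport=80 payload=GET / HTTP/1.1
sub=10.0.0.9 dport=6697 payload=<encrypted>
sub=10.0.0.8 dport=6667 payload=JOIN #chat-placeholder
"""

LOG_RE = re.compile(r"sub=(\S+) dport=(\d+) payload=(.*)")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)", re.IGNORECASE)


@dataclass
class Account:
    """The per-subscriber flag Joe Greco's scheme turns on."""
    subscriber: str
    flagged: bool = False
    reasons: list = field(default_factory=list)


def inspect(log_text, accounts=None):
    """Walk the flow log; flag accounts on a JOIN to a listed channel.

    Returns (accounts, unreadable): the account table and the list of
    subscribers whose control traffic could not be inspected (encrypted).
    """
    accounts = accounts if accounts is not None else {}
    unreadable = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        sub, dport, payload = m.group(1), int(m.group(2)), m.group(3)
        acct = accounts.setdefault(sub, Account(sub))
        if payload == "<encrypted>":
            # The inspector sees nothing here; this is the gap Chris points at.
            unreadable.append(sub)
            continue
        j = JOIN_RE.match(payload)
        if j and j.group(1).lower() in KNOWN_BOT_CHANNELS:
            acct.flagged = True
            acct.reasons.append(f"joined {j.group(1)} on port {dport}")
    return accounts, unreadable


def garden_allows(acct, dest_host):
    """Walled-garden policy: flagged accounts reach only AV/patch hosts."""
    if not acct.flagged:
        return True
    return dest_host in GARDEN_ALLOWLIST


if __name__ == "__main__":
    table, blind = inspect(SAMPLE_LOG)
    for a in table.values():
        print(a.subscriber, "FLAGGED" if a.flagged else "ok", a.reasons)
    print("uninspectable control traffic from:", blind)
    print("10.0.0.7 -> www.example allowed?",
          garden_allows(table["10.0.0.7"], "www.example"))
```

The `unreadable` list is the practical point of the thread: a flow-level blocklist on the plaintext IRC port flags one constructed subscriber, while the subscriber on the encrypted port is neither cleared nor flagged, so per-subscriber action never reaches that case without a far more expensive (or impossible) inspection step.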