How should ISPs notify customers about Bots (Was Re: DNS Hijacking

Sean Donelan sean at donelan.com
Mon Jul 23 15:39:35 UTC 2007


On Mon, 23 Jul 2007, Joe Greco wrote:
> I think there's a bit of a difference, in that when you're using every
> commercial WiFi hotspot and hotel login system, that they redirect
> everything.  Would you truly consider that to be the same thing as one
> of those services redirecting "www.cnn.com" to their own ad-filled news
> page?

Let's get "real."  That's not what those ISPs are doing in this case.

They aren't pretending to be the real IRC server (the redirected IRC
server indicates it's not the real one).  The ISP isn't sending ad-filled
messages.  The irc.foonet.com server clearly sends several cleaning
commands used by several well-known, and very old, Bots.  I might have
given the server a different name, but it's obviously not trying to
impersonate the real IRC server.

Do you prefer ISPs to break everything, including the user's VOIP service
(can't call 9-1-1), e-mail service (can't contact the help desk), web 
service (can't look for help)?  Or should the ISP only disrupt the minimum 
number of services needed to clean the Bot?
