How should ISPs notify customers about Bots (Was Re: DNS Hijacking
Joe Greco
jgreco at ns.sol.net
Mon Jul 23 16:02:06 UTC 2007

> On Mon, 23 Jul 2007, Joe Greco wrote:
> > I think there's a bit of a difference, in that when you're using every
> > commercial WiFi hotspot and hotel login system, that they redirect
> > everything. Would you truly consider that to be the same thing as one
> > of those services redirecting "www.cnn.com" to their own ad-filled news
> > page?
>
> Let's get "real." That's not what those ISPs are doing in this case.

I never said it was, but if you don't want to compare the situations
using reasonable comparisons (redirecting one thing is different than
redirecting all), then I have no interest in debating with you, and you
"win" for some sucky definition of "win."

> They aren't pretending to be the real IRC server (the redirected IRC
> server indicates it's not the real one). The ISP isn't sending ad-filled
> messages. The irc.foonet.com server clearly sends several cleaning
> commands used by several well-known, and very old, Bots. I might have
> given the server a different name, but it's obviously not trying to
> impersonate the real irc server.

So how do you connect to the real IRC server, then? Remember that most
end users are not nslookup-wielding shell commandos who can figure out
whois and look up the IP.

And what happens when the ISP redirects by IP instead, if we're going to
play that game?

> Do you prefer ISPs to break everything, including the user's VOIP service
> (can't call 9-1-1), e-mail service (can't contact the help desk), web
> service (can't look for help)? Or should the ISP only disrupt the minimum
> number of services needed to clean the Bot?

All right, here we go. Please explain the nature of the bot on my freshly
installed (last night) FreeBSD 6.2R box.

# ls -ld /; date; uname -r; uname -s
drwxr-xr-x 28 root wheel 512 Jul 22 23:04 /
Mon Jul 23 10:56:57 CDT 2007
6.2-RELEASE
FreeBSD
# echo "nameserver 68.4.16.30" > /etc/resolv.conf
# host irc.vel.net
irc.vel.net has address 70.168.71.144

Hint: there is no bot. My traffic is being redirected regardless. Were I
a Cox customer (and I'm not), I'd be rather ticked off.

Interfering with services in order to clean a bot would be a much more
plausible excuse if there was a bot. There is no bot.

So, to reiterate your own point:

> Or should the ISP only disrupt the minimum
> number of services needed to clean the Bot?

Yes, exactly. And that's obviously not what Cox is doing.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.