How should ISPs notify customers about Bots (Was Re: DNS Hijacking

Sean Donelan sean at donelan.com
Mon Jul 23 16:42:22 UTC 2007


On Mon, 23 Jul 2007, Joe Greco wrote:
> So how do you connect to the real IRC server, then?  Remember that most
> end users are not nslookup-wielding shell commandos who can figure out
> whois and look up the IP.

If those users are so technically unsophisticated, do you really expect 
the other users with infected computers to figure out how to disinfect 
their computer and remove the Bots instead?

So you have potentially tens of thousands of infected computers with Bots 
making connections to an IRC server.  You know many of those bots are 
well-known, old bots that have built-in removal commands.  But 99% of 
those users don't have the technical knowledge to clean their machine 
themselves or know what a Bot is. On the other hand, you have 1% of users 
are sophisticated enough to use IRC servers.  And a few percentage of 
overlap between the two groups.

What do you do?
   a. nothing
   b. terminate tens of thousands of user accounts (of users who are mostly 
"innocent" except their computer was compromised)
   c. block all IRC
   d. redirect IRC connections to a few servers known to be used by Bots
   e. something else



More information about the NANOG mailing list